check before: 2025-12-02
Product:
Intune, MDM for Office 365, Microsoft Search, SharePoint
Platform:
mobile, Online, Web, World tenant
Status:
Cancelled
Change type:
User impact, Admin impact
Details:
Summary:
By December 2, 2025, update firewall allowlists to include Azure Front Door IP addresses tagged “AzureFrontDoor.MicrosoftSecurity” for Microsoft Intune and Basic Mobility and Security. Do not remove existing endpoints. Use the consolidated Intune endpoint list; previous scripts are outdated. Notify your networking team if needed.
Details:
As mentioned in MC1150664, as part of Microsoft's ongoing Secure Future Initiative (SFI), starting on or shortly after December 2, 2025, the network service endpoints for Microsoft Intune will also use the Azure Front Door IP addresses. Since Basic Mobility and Security for Microsoft 365 uses Intune infrastructure, customers may need to add Azure Front Door IP addresses, if using a firewall allowlist that allows outbound traffic based on IP addresses or Azure service tags.
Do not remove any existing network endpoints required for Basic Mobility and Security for Microsoft 365. Additional network endpoints are documented as part of the Azure Front Door and service tags information referenced in the files linked below:
- Public clouds: Download Azure IP Ranges and Service Tags - Public Cloud from Official Microsoft Download Center
- Government clouds: Download Azure IP Ranges and Service Tags - US Government Cloud from Official Microsoft Download Center
The additional ranges are those listed in the JSON files linked above and can be found by searching for "AzureFrontDoor.MicrosoftSecurity".
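The lookup described above can be scripted. The following is an added example, not part of the Microsoft notice: it reads a Service Tags JSON document, extracts the prefixes under "AzureFrontDoor.MicrosoftSecurity", and reports which ones an existing allowlist does not yet cover, without removing any existing entry. The sample JSON and allowlist are constructed from documentation-reserved ranges, the function names are hypothetical, and the `values` / `properties.addressPrefixes` layout is assumed to match the downloaded file.

```python
import ipaddress
import json

TAG = "AzureFrontDoor.MicrosoftSecurity"

# Constructed sample in the layout of the Service Tags download
# (documentation-reserved ranges, not real Azure prefixes).
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {"name": "AzureFrontDoor.Frontend",
         "properties": {"addressPrefixes": ["203.0.113.0/24"]}},
        {"name": TAG,
         "properties": {"addressPrefixes": [
             "192.0.2.0/25", "198.51.100.0/24", "2001:db8:100::/48"]}},
    ],
})

# Constructed example of a firewall's current outbound allowlist.
SAMPLE_ALLOWLIST = ["192.0.2.0/24", "2001:db8:ffff::/48"]


def tag_prefixes(doc_text, tag=TAG):
    """Return the address prefixes listed under one service tag."""
    for entry in json.loads(doc_text).get("values", []):
        if entry.get("name") == tag:
            prefixes = entry["properties"]["addressPrefixes"]
            return [ipaddress.ip_network(p) for p in prefixes]
    # Fail loudly: a missing tag usually means the wrong cloud's file.
    raise LookupError(f"service tag {tag!r} not found in file")


def missing_prefixes(doc_text, allowlist, tag=TAG):
    """Prefixes of the tag that no existing allowlist entry covers."""
    allowed = [ipaddress.ip_network(p) for p in allowlist]
    missing = []
    for net in tag_prefixes(doc_text, tag):
        # subnet_of() rejects mixed IPv4/IPv6, so compare versions first.
        if not any(net.version == a.version and net.subnet_of(a)
                   for a in allowed):
            missing.append(str(net))
    return missing


def merged_allowlist(doc_text, allowlist, tag=TAG):
    """Existing entries are kept as-is; only uncovered prefixes are added."""
    return list(allowlist) + missing_prefixes(doc_text, allowlist, tag)


if __name__ == "__main__":
    for prefix in missing_prefixes(SAMPLE_SERVICE_TAGS, SAMPLE_ALLOWLIST):
        print("add:", prefix)
```

To run it against the real file, pass the text of the downloaded JSON in place of `SAMPLE_SERVICE_TAGS` and the firewall's exported CIDR list in place of `SAMPLE_ALLOWLIST`.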
Release Phase:
Preview
Created:
2025-11-06
updated:
2025-11-06
Direct effects for Operations**
Firewall Configuration Update
Failure to update firewall allowlists may result in service disruptions for Microsoft Intune and Basic Mobility and Security, leading to users being unable to access necessary services.
- roles: Network Administrator, IT Support
- references: https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions&pivots=front-door-classic, https://learn.microsoft.com/intune/intune-service/fundamentals/intune-endpoints#consolidated-endpoint-list
Service Availability
If the new Azure Front Door IP addresses are not added, users may experience degraded performance or complete unavailability of Microsoft Intune services, impacting productivity.
- roles: End User, IT Manager
- references: https://techcommunity.microsoft.com/blog/intunecustomersuccess/support-tip-aligning-network-policy-with-microsoft-intune-and-zero-trust/4466688, https://www.microsoft.com/trust-center/security/secure-future-initiative
User Experience
Inadequate preparation for the change may lead to confusion and frustration among users due to unexpected service interruptions, negatively affecting their experience with Microsoft 365 services.
- roles: End User, Helpdesk Staff
- references: https://learn.microsoft.com/microsoft-365/admin/get-help-support?view=o365-worldwide, https://www.microsoft.com/download/details.aspx?id=56519
Opportunities**
Enhanced Firewall Management
Implementing a more streamlined approach to firewall management by utilizing the Azure service tag 'AzureFrontDoor.MicrosoftSecurity' will simplify the process of updating firewall configurations. This can reduce the chances of misconfigurations and enhance security posture, as it automatically includes new IP ranges without manual updates.
- next-steps: Review current firewall configurations and policies. Transition to using the service tag for future updates. Train IT staff on managing Azure service tags effectively.
- roles: Network Administrators, IT Security Managers, System Administrators
- references: https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions&pivots=front-door-classic, https://learn.microsoft.com/azure/virtual-network/service-tags-overview
Improved User Experience with Intune
Updating firewall configurations to include Azure Front Door IP addresses will ensure uninterrupted access to Microsoft Intune services, leading to improved user experience for employees using mobile devices and remote access solutions. This change supports the reliability of device management and security features.
- next-steps: Communicate with end-users about the upcoming changes and ensure that they are aware of potential impacts on their access to Intune services. Provide training sessions if necessary.
- roles: End Users, IT Support Staff, Device Management Administrators
- references: https://learn.microsoft.com/intune/intune-service/fundamentals/intune-endpoints#consolidated-endpoint-list, https://techcommunity.microsoft.com/blog/intunecustomersuccess/support-tip-aligning-network-policy-with-microsoft-intune-and-zero-trust/4466688
Cost-Efficient Network Policies
By adopting Azure service tags, organizations can reduce administrative overhead and potential errors associated with manually updating IP addresses. This can lead to lower operational costs and more efficient resource management.
- next-steps: Evaluate current firewall management costs and identify areas where service tags can be implemented. Create a plan for transitioning to service tags in firewall policies.
- roles: IT Operations Managers, Network Engineers, Finance Officers
- references: https://www.microsoft.com/trust-center/security/secure-future-initiative, https://www.microsoft.com/download/details.aspx?id=56519
** AI generated content. This information must be reviewed before use.
Last updated 2 months ago