check before: 2025-12-02
Product:
Intune, Microsoft Search, SharePoint
Platform:
mobile, Online, Web, World tenant
Status:
Cancelled
Change type:
User impact, Admin impact
Details:
Summary:
By December 2, 2025, update firewall configurations to include new Azure Front Door IP addresses for Microsoft Intune. Add the service tag “AzureFrontDoor.MicrosoftSecurity” to allow outbound traffic on port 443. Do not remove existing Intune endpoints to ensure uninterrupted device and app management.
Details:
As mentioned in MC1147982, as part of Microsoft's ongoing Secure Future Initiative (SFI), starting on or shortly after December 2, 2025, the network service endpoints for Microsoft Intune will also use the Azure Front Door IP addresses. This improvement supports better alignment with modern security practices and over time will make it easier for organizations using multiple Microsoft products to manage and maintain their firewall configurations. As a result, customers may be required to add these network (firewall) configurations in third-party applications to enable proper function of Intune device and app management. This change will affect customers using a firewall allowlist that allows outbound traffic based on IP addresses or Azure service tags.
Do not remove any existing network endpoints required for Microsoft Intune. Additional network endpoints are documented as part of the Azure Front Door and service tags information referenced in the files linked below:
Public clouds: Download Azure IP Ranges and Service Tags - Public Cloud from Official Microsoft Download Center
Government clouds: Download Azure IP Ranges and Service Tags - US Government Cloud from Official Microsoft Download Center
The additional ranges are those listed in the JSON files linked above and can be found by searching for "AzureFrontDoor.MicrosoftSecurity".
Change Category:
XXXXXXX ... free basic plan only
Scope:
XXXXXXX ... free basic plan only
Release Phase:
Preview
Created:
2025-11-06
updated:
2025-11-06
Public Preview Start Date
XXXXXXX ... free basic plan only
Task Type
XXXXXXX ... free basic plan only
Docu to Check
XXXXXXX ... free basic plan only
MS How does it affect me
XXXXXXX ... free basic plan only
MS Preperations
XXXXXXX ... free basic plan only
MS Urgency
XXXXXXX ... free basic plan only
MS workload name
XXXXXXX ... free basic plan only
linked item details
XXXXXXX ... free basic plan only
summary for non-techies**
Microsoft Intune will start using Azure Front Door for access, requiring the addition of the "AzureFrontDoor.MicrosoftSecurity" tag to the firewall by December 2, 2025, to ensure uninterrupted service.
Direct effects for Operations**
Firewall Configuration
Failure to update firewall configurations may lead to users being unable to access Intune services, resulting in device management issues.
- roles: IT Administrator, Network Engineer
- references: https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions&pivots=front-door-classic, https://learn.microsoft.com/intune/intune-service/fundamentals/intune-endpoints#consolidated-endpoint-list
User Connectivity
If the new Azure Front Door IP ranges are not included, users may experience login issues and loss of connectivity with Intune-managed devices.
- roles: End User, Helpdesk Support
- references: https://learn.microsoft.com/intune/intune-service/fundamentals/intune-core-service, https://techcommunity.microsoft.com/blog/intunecustomersuccess/support-tip-aligning-network-policy-with-microsoft-intune-and-zero-trust/4466688
Access to Applications
Disruption in access to applications protected by Intune app protection policies due to misconfigured firewall settings.
- roles: Application Owner, IT Support
- references: https://learn.microsoft.com/intune/intune-service/fundamentals/intune-endpoints#intune-core-service, https://www.microsoft.com/trust-center/security/secure-future-initiative
Network Policy Management
Inadequate preparation for the change may lead to increased workload for IT teams as they troubleshoot connectivity issues post-implementation.
- roles: Network Administrator, IT Manager
- references: https://learn.microsoft.com/azure/virtual-network/service-tags-overview, https://www.microsoft.com/download/details.aspx?id=56519
Service Tag Implementation
Not implementing the service tag 'AzureFrontDoor.MicrosoftSecurity' may result in prolonged service interruptions for users relying on Intune.
- roles: IT Administrator, Network Engineer
- references: https://learn.microsoft.com/intune/intune-service/fundamentals/intune-endpoints#intune-us-government-endpoints, https://www.microsoft.com/download/details.aspx?id=57063
Configutation Options**
XXXXXXX ... paid membership only
Opportunities**
XXXXXXX ... free basic plan only
Potentional Risks**
XXXXXXX ... paid membership only
IT Security**
XXXXXXX ... paid membership only
explanation for non-techies**
XXXXXXX ... free basic plan only
** AI generated content. This information must be reviewed before use.
a free basic plan is required to see more details. Sign up here
A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.
Last updated 1 month ago ago
