MC1183289 – Reminder: Update firewall configurations to include new Intune network endpoints

check before: 2025-12-02

Product:

Intune, Microsoft Search, SharePoint

Platform:

mobile, Online, Web, World tenant

Status:

Cancelled

Change type:

User impact, Admin impact

Details:

Summary:
By December 2, 2025, update firewall configurations to include new Azure Front Door IP addresses for Microsoft Intune. Add the service tag “AzureFrontDoor.MicrosoftSecurity” to allow outbound traffic on port 443. Do not remove existing Intune endpoints to ensure uninterrupted device and app management.

Details:
As mentioned in MC1147982, as part of Microsoft's ongoing Secure Future Initiative (SFI), starting on or shortly after December 2, 2025, the network service endpoints for Microsoft Intune will also use the Azure Front Door IP addresses. This improvement supports better alignment with modern security practices and over time will make it easier for organizations using multiple Microsoft products to manage and maintain their firewall configurations. As a result, customers may be required to add these network (firewall) configurations in third-party applications to enable proper function of Intune device and app management. This change will affect customers using a firewall allowlist that allows outbound traffic based on IP addresses or Azure service tags.
Do not remove any existing network endpoints required for Microsoft Intune. Additional network endpoints are documented as part of the Azure Front Door and service tags information referenced in the files linked below:
   - Public clouds: Download Azure IP Ranges and Service Tags - Public Cloud from Official Microsoft Download Center
   - Government clouds: Download Azure IP Ranges and Service Tags - US Government Cloud from Official Microsoft Download Center
The additional ranges are those listed in the JSON files linked above and can be found by searching for "AzureFrontDoor.MicrosoftSecurity".

Release Phase:
Preview

Created:
2025-11-06

updated:
2025-11-06

Direct effects for Operations**

Firewall Configuration
Failure to update firewall configurations may lead to users being unable to access Intune services, resulting in device management issues.
   - roles: IT Administrator, Network Engineer
   - references: https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions&pivots=front-door-classic, https://learn.microsoft.com/intune/intune-service/fundamentals/intune-endpoints#consolidated-endpoint-list

User Connectivity
If the new Azure Front Door IP ranges are not included, users may experience login issues and loss of connectivity with Intune-managed devices.
   - roles: End User, Helpdesk Support
   - references: https://learn.microsoft.com/intune/intune-service/fundamentals/intune-core-service, https://techcommunity.microsoft.com/blog/intunecustomersuccess/support-tip-aligning-network-policy-with-microsoft-intune-and-zero-trust/4466688

Access to Applications
Misconfigured firewall settings may disrupt access to applications protected by Intune app protection policies.
   - roles: Application Owner, IT Support
   - references: https://learn.microsoft.com/intune/intune-service/fundamentals/intune-endpoints#intune-core-service, https://www.microsoft.com/trust-center/security/secure-future-initiative

Network Policy Management
Inadequate preparation for the change may lead to increased workload for IT teams as they troubleshoot connectivity issues post-implementation.
   - roles: Network Administrator, IT Manager
   - references: https://learn.microsoft.com/azure/virtual-network/service-tags-overview, https://www.microsoft.com/download/details.aspx?id=56519

Service Tag Implementation
Not implementing the service tag 'AzureFrontDoor.MicrosoftSecurity' may result in prolonged service interruptions for users relying on Intune.
   - roles: IT Administrator, Network Engineer
   - references: https://learn.microsoft.com/intune/intune-service/fundamentals/intune-endpoints#intune-us-government-endpoints, https://www.microsoft.com/download/details.aspx?id=57063

Opportunities**

Enhanced Firewall Management
Implementing the Azure Front Door IP ranges and service tags will simplify the management of firewall configurations across multiple Microsoft services. This aligns with modern security practices and reduces the complexity of maintaining multiple firewall rules, leading to fewer misconfigurations and potential downtime.
   - next-steps: Conduct a review of current firewall configurations and document existing rules. Schedule a meeting with the networking team to discuss the integration of Azure Front Door service tags into the firewall policies before the December 2, 2025 deadline.
   - roles: Network Administrators, IT Security Officers, System Administrators
   - references: https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions&pivots=front-door-classic, https://learn.microsoft.com/azure/virtual-network/service-tags-overview

Improved User Experience
By ensuring that the new Azure Front Door IP ranges are included in firewall rules, users will experience uninterrupted access to Intune services. This will prevent login issues and connectivity disruptions, enhancing overall user satisfaction and productivity.
   - next-steps: Communicate the importance of the firewall updates to all users and provide training or resources on potential impacts. Set up a feedback mechanism to monitor user experiences post-implementation.
   - roles: End Users, Helpdesk Staff, IT Support Teams
   - references: https://learn.microsoft.com/intune/get-support, https://techcommunity.microsoft.com/blog/intunecustomersuccess/support-tip-aligning-network-policy-with-microsoft-intune-and-zero-trust/4466688

Proactive IT Operations
Updating firewall configurations to include the new service tags will allow for a more proactive approach to IT operations, minimizing the risk of service disruptions and ensuring compliance with Microsoft's security guidelines.
   - next-steps: Develop a checklist for regular updates to firewall rules and establish a routine audit process to ensure compliance with new changes in service tags and IP ranges. Assign responsibility for ongoing monitoring to a designated team member.
   - roles: IT Operations Managers, Compliance Officers, Network Engineers
   - references: https://learn.microsoft.com/intune/intune-service/fundamentals/intune-endpoints#consolidated-endpoint-list, https://www.microsoft.com/trust-center/security/secure-future-initiative

** AI generated content. This information must be reviewed before use.
