====== Blocklists - Microsoft - Get Microsoft URLs, IP addresses and Ports ======

Microsoft updates the Office 365 IP address and FQDN entries at the end of each month.

Out-of-band updates are sometimes published due to support incidents, security updates or other operational requirements.

----

===== Create a GUID =====

Microsoft require a GUID to download the list of current URLs and IPs.

By default, Microsoft uses the following UUID, b10c5ed1-bad1-445f-b386-b919946339a7, as an example, but this specific UUID may be disallowed in future, so it is recommended to use an alternative UUID.

<code bash>
uuidgen
</code>

returns:

<code>
948beb0b-32bb-4e1c-a67d-091c861a0cc6
</code>

<WRAP info>
**NOTE:**  There are alternative ways to create a UUID.

  * https://www.guidgenerator.com/

</WRAP>

----

===== Download the endpoints file =====

<code bash>
curl https://endpoints.office.com/endpoints/worldwide?clientrequestid=948beb0b-32bb-4e1c-a67d-091c861a0cc6 > office.txt
</code>

returns:

<code bash>
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 56888  100 56888    0     0  76053      0 --:--:-- --:--:-- --:--:-- 75951
</code>

<WRAP info>
**NOTE:**  This will download the file in JSON format.

  * CSV format is also available by adding **&format=CSV**.
  * For example <code bash>curl "https://endpoints.office.com/endpoints/worldwide?noipv6&format=CSV&ClientRequestId=948beb0b-32bb-4e1c-a67d-091c861a0cc6" > office2.txt</code>

The actual Data columns in the file:

  * **ID**:  The ID number of the row, also known as an endpoint set.
  * **Category**:  Shows whether the endpoint set is categorized as "Optimize", "Allow", or "Default".  
    * See https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-network-connectivity-principles?view=o365-worldwide#new-office-365-endpoint-categories.
  * **ER**:  This is Yes if the endpoint set is supported over Azure ExpressRoute with Office 365 route prefixes.
  * **Addresses**: Lists the FQDNs or wildcard domain names and IP Address ranges for the endpoint set.
    * An IP Address range is in CIDR format and may include many individual IP Addresses in the specified network.
  * **Ports**: Lists the TCP or UDP ports that are combined with the Addresses to form the network endpoint.
    * There may be some duplication in IP Address ranges where there are different ports listed.

----

Alternative Options to used with the curl command, including:

  * ServiceAreas=<Common | Exchange | SharePoint | Skype>
  * NoIPv6=<true | false>
  * Instance=<Worldwide | China | Germany | USGovDoD | USGovGCCHigh>

For example:

  * To exclude IPv6, use this: <code bash>
curl "https://endpoints.office.com/endpoints/worldwide?noipv6&ClientRequestId=948beb0b-32bb-4e1c-a67d-091c861a0cc6" > office.txt
</code>
  * To download only for the Skype service, in CSV format: <code bash>curl "https://endpoints.office.com/endpoints/worldwide?ServiceAreas=Skype&noipv6&format=CSV&ClientRequestId=948beb0b-32bb-4e1c-a67d-091c861a0cc6" > office.txt</code>
  * To download only the China instance: <code bash>curl "https://endpoints.office.com/endpoints/China?noipv6&format=CSV&ClientRequestId=948beb0b-32bb-4e1c-a67d-091c861a0cc6" > office.txt</code>

----

The UUID created earlier is used with the curl commands.

  * The default UUID provided by Microsoft, b10c5ed1-bad1-445f-b386-b919946339a7, could also be used.

----

See https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide

</WRAP>

----

===== Check list of Services =====

<code bash>
jq -r '.[].serviceArea' office.txt | sort | uniq
</code>

returns:

<code>
Common
Exchange
SharePoint
Skype
</code>

<WRAP info>
**NOTE:**  The **Skype** service includes Microsoft Teams.

Because **Common** service area items are a prerequisite for all other service areas, the web service always includes them.
</WRAP>


----

===== Get IPs for the Specific Service =====

Assuming IPs for the Exchange Service is needed.

<code bash>
jq -r '.[] | select(.serviceArea=="Exchange") | select(.ips) .ips[]' office.txt | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n | uniq
</code>

returns:

<code>
13.107.6.152/31
13.107.18.10/31
13.107.128.0/22
23.103.160.0/20
40.92.0.0/15
40.96.0.0/13
40.104.0.0/15
40.107.0.0/16
52.96.0.0/14
52.100.0.0/14
52.238.78.88/32
104.47.0.0/17
131.253.33.215/32
132.245.0.0/16
150.171.32.0/22
204.79.197.215/32
</code>



<WRAP info>
**NOTE:**  The following query could be used, but be aware that this may sometimes drop some IPs.  See [[BASH:Commands:sort:Numeric Sort Bug|Numeric Sort Bug]].

<code bash>
jq -r '.[] | select(.serviceArea=="Exchange") | select(.ips) .ips[]' office.txt | sort | uniq
</code>

</WRAP>

----

===== Get Current List of URLs =====

<code bash>
jq -r '.[] | select(.serviceArea=="Exchange") | select(.urls) .urls[]' office.txt | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n | uniq
</code>
returns:

----

===== Get Current List of Ports =====

<code bash>
jq -r '.[] | select(.serviceArea=="Exchange") | .tcpPorts' office.txt | sort | uniq
</code>

or 

<code bash>
jq -r '.[] | select(.serviceArea=="Exchange") | .tcpPorts' office.txt  | sed 's/,/\n/'g | sort | uniq
</code>

----

===== References =====

https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-ip-web-service?view=o365-worldwide

https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide

https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-network-connectivity-principles?view=o365-worldwide#new-office-365-endpoint-categories