Note
We’ve renamed Microsoft Cloud App Security. It’s now called Microsoft Defender for Cloud Apps. In the coming weeks, we’ll update the screenshots and instructions here and in related pages. For more information about the change, see this announcement. To learn more about the recent renaming of Microsoft security services, see the Microsoft Ignite Security blog.
This article provides a list of ports and IP addresses you need to allow and allowlist to work with Microsoft Defender for Cloud Apps.
View your data center
Some of the requirements below depend on which data center you’re connected to.
To see which data center you’re connecting to, do the following steps:
- In the Defender for Cloud Apps portal, select the question mark icon in the menu bar. Then, select About.
- In the Defender for Cloud Apps version screen, you can see the region and the data center.
Portal access
For access to the Defender for Cloud Apps portal, add outbound port 443 for the following IP addresses and DNS names to your firewall’s allowlist:
portal.cloudappsecurity.com
*.portal.cloudappsecurity.com
cdn.cloudappsecurity.com
https://adaproddiscovery.azureedge.net
*.s-microsoft.com
*.msecnd.net
dev.virtualearth.net
*.cloudappsecurity.com
flow.microsoft.com
static2.sharepointonline.com
dc.services.visualstudio.com
*.blob.core.windows.net
For US Government GCC High customers, it’s also necessary to add the following DNS names to your firewall’s allowlist to provide access for the Defender for Cloud Apps GCC High portal:
portal.cloudappsecurity.us
*.portal.cloudappsecurity.us
cdn.cloudappsecurity.com
Additionally, the following items should be allowed, depending on which data center you use:
Data center | IP addresses | DNS name |
---|---|---|
US1 | 13.64.26.88, 13.64.29.32, 13.80.125.22, 13.91.91.243, 40.74.1.235, 40.74.6.204, 51.143.58.207, 52.137.89.147, 52.183.75.62 | *.us.portal.cloudappsecurity.com |
US2 | 13.80.125.22, 20.36.222.59, 20.36.222.60, 40.74.1.235, 40.74.6.204, 51.143.58.207, 52.137.89.147, 52.183.75.62, 52.184.165.82 | *.us2.portal.cloudappsecurity.com |
US3 | 13.80.125.22, 40.74.1.235, 40.74.6.204, 40.90.218.196, 40.90.218.198, 51.143.58.207, 52.137.89.147, 52.183.75.62 | *.us3.portal.cloudappsecurity.com |
EU1 | 13.80.125.22, 40.74.1.235, 40.74.6.204, 40.119.154.72, 51.143.58.207, 52.137.89.147, 52.157.238.58, 52.174.56.180, 52.183.75.62 | *.eu.portal.cloudappsecurity.com |
EU2 | 13.80.125.22, 40.74.1.235, 40.74.6.204, 40.81.156.154, 40.81.156.156, 51.143.58.207, 52.137.89.147, 52.183.75.62 | *.eu2.portal.cloudappsecurity.com |
Gov US1 | 13.72.19.4, 52.227.143.223 | *.us1.portal.cloudappsecurity.us |
GCC | 52.227.23.181, 52.227.180.126 | portal.cloudappsecuritygov.com , *.portal.cloudappsecuritygov.com, *.us1.portal.cloudappsecuritygov.com |
Note
Instead of a wildcard (*) you can open only your specific tenant URL, for example, based on the screenshot above you can open: mod244533.us.portal.cloudappsecurity.com
Access and session controls
Configure your firewall for reverse proxy using the settings relevant to your environment.
Commercial customers
For commercial customers, to enable Defender for Cloud Apps reverse proxy, add outbound port 443 for the following IP addresses and DNS names to your firewall’s allowlist:
*.cas.ms
*.mcas.ms
*.admin-mcas.ms
mcasproxy.azureedge.net
Additionally, the following items should be allowed, depending on which data center you use:
IP Addresses | DNS Name |
---|---|
Australia Southeast: 40.81.58.184, 40.81.58.180, 20.40.163.96, 20.40.163.88, 40.81.62.221, 40.81.62.206, 20.40.160.184, 20.40.163.130
Brazil South: 191.235.123.114, 191.235.121.164, 191.235.122.101, 191.235.119.253, 191.233.23.29, 191.234.216.181, 191.233.21.52, 191.234.216.10 Canada Central: 40.82.187.211, 40.82.187.164, 52.139.18.234, 52.139.20.118, 40.82.187.199, 40.82.187.179, 52.139.19.215, 52.139.18.236 Central India: 20.193.137.191, 20.193.137.153, 20.193.138.1, 20.193.136.234, 20.193.131.246, 20.193.131.250, 20.193.131.247, 20.193.131.248 North Europe: 52.156.205.222, 52.156.204.99, 52.155.166.50, 52.142.127.127, 52.155.181.183, 52.155.168.45, 52.156.202.7, 52.142.124.23 Southeast Asia: 40.65.170.125, 40.65.170.123, 52.139.245.40, 52.139.245.48, 40.119.203.158, 40.119.203.209, 20.184.61.67, 20.184.60.77 West Europe: 52.157.233.49, 52.157.235.27, 51.105.164.234, 51.105.164.241 UK West: 40.81.121.140, 40.81.121.135, 51.137.137.121, 51.137.137.118 East US: 104.45.170.196, 104.45.170.182, 52.151.238.5, 52.151.237.243, 104.45.170.173, 104.45.170.176, 52.224.188.157, 52.224.188.168 West US 2: 52.156.88.173, 52.149.61.128, 52.149.61.214, 52.149.63.211, 20.190.7.24, 20.190.6.224, 20.190.7.239, 20.190.7.233 |
*.mcas.ms *.admin-mcas.ms |
Australia Southeast: 40.81.63.7, 40.81.59.90, 40.81.62.222, 40.81.62.212, 20.42.228.161
Brazil South: 191.235.123.242, 191.235.122.224, 20.197.208.38, 20.197.208.36 North Europe: 40.67.251.0, 52.156.206.47, 52.155.182.49, 52.155.181.181, 20.50.64.15 West Europe: 52.157.234.222, 52.157.236.195 Southeast Asia: 40.65.170.137, 40.65.170.26, 40.119.203.98, 40.119.203.208, 20.43.132.128 UK West: 40.81.127.139, 40.81.127.25, 51.137.163.32 East US: 104.45.170.184, 104.45.170.185, 104.45.170.174, 104.45.170.127, 20.49.104.46 West US 2: 52.149.59.151, 52.156.89.175, 20.72.216.133, 20.72.216.137 |
*.access.mcas.ms *.us.access-control.cas.ms *.us2.access-control.cas.ms *.eu.access-control.cas.ms *.prod04.access-control.cas.ms *.prod05.access-control.cas.ms |
North Europe: 20.50.64.15
East US: 20.49.104.26 West US 2: 20.42.128.102 |
*.us.saml.cas.ms *.us2.saml.cas.ms *.us3.saml.cas.ms *.eu.saml.cas.ms *.eu2.saml.cas.ms |
US Government offerings
For US Government GCC High customers, to enable Defender for Cloud Apps reverse proxy, add outbound port 443 for the following DNS names to your firewall’s allowlist:
*.mcas-gov.us
*.admin-mcas-gov.us
mcasproxy.azureedge.net
Additionally, the following items should be allowed:
For US Government GCC High customers:
IP addresses | DNS name |
---|---|
US Gov Arizona: 52.244.144.65, 52.244.43.90, 52.244.43.225, 52.244.215.117
US Gov Virginia: 13.72.27.223, 13.72.27.219, 13.72.27.220, 13.72.27.222 |
*.mcas-gov.us *.admin-mcas-gov.us |
US Gov Arizona: 52.244.215.83, 52.244.212.197
US Gov Virginia: 13.72.27.216, 13.72.27.215 |
*.access.mcas-gov.us *.access.cloudappsecurity.us |
US Gov Arizona: 20.140.49.129
US Gov Virginia: 52.227.216.80 |
*.saml.cloudappsecurity.us |
For US Government GCC customers:
IP addresses | DNS name |
---|---|
US Gov Virginia: 52.245.225.0, 52.245.224.229, 52.245.224.234, 52.245.224.228 | *.mcas-gov.ms *.admin-mcas-gov.ms |
US Gov Virginia: 52.245.224.235, 52.245.224.227 | *.access.mcas-gov.ms |
US Gov Virginia: 52.227.216.80 | *.saml.cloudappsecuritygov.com |
SIEM agent connection
To enable Defender for Cloud Apps to connect to your SIEM, add outbound port 443 for the following IP addresses to your firewall’s allowlist:
Data center | IP addresses |
---|---|
US1 | 13.64.26.88, 13.64.29.32, 13.80.125.22, 13.91.91.243, 40.74.1.235, 40.74.6.204, 51.143.58.207, 52.137.89.147, 52.183.75.62 |
US2 | 13.80.125.22, 20.36.222.59, 20.36.222.60, 40.74.1.235, 40.74.6.204, 51.143.58.207, 52.137.89.147, 52.183.75.62, 52.184.165.82 |
US3 | 13.80.125.22, 40.74.1.235, 40.74.6.204, 40.90.218.196, 40.90.218.198, 51.143.58.207, 52.137.89.147, 52.183.75.62 |
EU1 | 13.80.125.22, 40.74.1.235, 40.74.6.204, 40.119.154.72, 51.143.58.207, 52.137.89.147, 52.157.238.58, 52.174.56.180, 52.183.75.62 |
EU2 | 13.80.125.22, 40.74.1.235, 40.74.6.204, 40.81.156.154, 40.81.156.156, 51.143.58.207, 52.137.89.147, 52.183.75.62 |
Gov US1 | 13.72.19.4, 52.227.143.223 |
GCC | 52.227.23.181, 52.227.180.126 |
Note
- If you didn’t specify a proxy when you set up the Defender for Cloud Apps SIEM agent, you need to allow http connections on port 80 for the URLs listed on the Azure TLS certificate changes page. This is used for checking certificate revocation status when you connect to the Defender for Cloud Apps portal.
- A genuine Microsoft Defender for Cloud Apps certificate usage is required for the SIEM agent connection.
App connector
For some third-party apps to be accessed by Defender for Cloud Apps, these IP addresses may be used. The IP addresses enable Defender for Cloud Apps to collect logs and provide access for the Defender for Cloud Apps console.
Note
You may see these IP addresses in activity logs from the vendor because Defender for Cloud Apps performs governance actions and scans from these IP addresses.
To connect to third-party apps, enable Defender for Cloud Apps to connect from these IP addresses:
Data center | IP addresses |
---|---|
US1 | 13.64.26.88, 13.64.29.32, 13.64.30.76, 13.64.30.117, 13.64.30.118, 13.64.31.116, 13.64.196.27, 13.64.198.19, 13.64.198.97, 13.64.199.41, 13.68.76.47, 13.86.176.189, 13.86.176.211, 13.91.61.249, 13.91.91.243, 13.91.98.185, 13.93.216.68, 13.93.233.42, 40.118.211.172, 104.42.54.148, 104.209.35.177, 40.83.194.192, 40.83,.194.193, 40.83.194.194, 40.83.194.195, 40.83.194.196, 40.83.194.197, 40.83.194.198, 40.83.194.199, 40.83.194.200, 40.83.194.201, 40.83.194.202, 40.83.194.203, 40.83.194.204, 40.83.194.205, 40.83.194.206, 40.83.194.207 |
US2 | 13.68.76.47, 20.36.222.59, 20.36.222.60, 40.67.152.91, 40.67.154.160, 40.67.155.146, 40.67.159.55, 40.84.2.83, 40.84.4.93, 40.84.4.119, 52.184.165.82, 52.232.224.227, 52.232.225.84, 104.42.54.148, 104.46.116.211, 104.46.116.211, 104.46.121.72, 104.46.121.72, 104.46.122.189, 104.46.122.189, 20.57.54.192, 20.57.54.193, 20.57.54.194, 20.57.54.195, 20.57.54.196, 20.57.54.197, 20.57.54.198, 20.57.54.199, 20.57.54.200, 20.57.54.201, 20.57.54.202, 20.57.54.203, 20.57.54.204, 20.57.54.205, 20.57.54.206, 20.57.54.207 |
US3 | 13.68.76.47, 40.90.218.196, 40.90.218.197, 40.90.218.198, 40.90.218.203, 40.90.220.190, 40.90.220.196, 51.143.120.236, 51.143.120.242, 104.42.54.148, 52.156.123.128, 52.156.123.129, 52.156.123.130, 52.156.123.131, 52.156.123.132, 52.156.123.133, 52.156.123.134, 52.156.123.135, 52.156.123.136, 52.156.123.137, 52.156.123.138, 52.156.123.139, 52.156.123.140, 52.156.123.141, 52.156.123.142, 52.156.123.143 |
EU1 | 13.80.22.71, 13.95.29.177, 13.95.30.46, 40.67.219.133, 40.114.217.8, 40.114.217.8, 40.115.24.65, 40.115.24.65, 40.115.25.50, 40.115.25.50, 40.119.154.72, 51.105.55.62, 51.105.179.157, 51.137.200.32, 52.157.232.110, 52.157.233.92, 52.157.233.133, 52.157.238.58, 52.157.239.110, 52.174.56.180, 20.73.240.208, 20.73.240.209, 20.73.240.210, 20.73.240.211, 20.73.240.212, 20.73.240.213, 20.73.240.214, 20.73.240.215, 20.73.240.216, 20.73.240.217, 20.73.240.218, 20.73.240.219, 20.73.240.220, 20.73.240.221, 20.73.240.222, 20.73.240.223 |
EU2 | 40.81.152.171, 40.81.152.172, 40.81.156.153, 40.81.156.154, 40.81.156.155, 40.81.156.156, 51.105.55.62, 51.137.200.32, 51.145.108.227, 51.145.108.250, 20.58.119.224, 20.58.119.225, 20.58.119.226, 20.58.119.227, 20.58.119.228, 20.58.119.229, 20.58.119.230, 20.58.119.231, 20.58.119.232, 20.58.119.233, 20.58.119.234, 20.58.119.235, 20.58.119.236, 20.58.119.237, 20.58.119.238, 20.58.119.239 |
Gov US1 | 52.227.138.248, 52.227.142.192, 52.227.143.223 |
GCC | 52.227.23.181, 52.227.180.126 |
Third-party DLP integration
To enable Defender for Cloud Apps to send data through your stunnel to your ICAP server, open your DMZ firewall to these IP addresses with a dynamic source port number.
- Source addresses – These addresses should be allowed as listed above for API connector third-party apps
- Source TCP port – Dynamic
- Destination address(es) – One or two IP address of the stunnel connected to the external ICAP server
- Destination TCP port – As defined in your network
Note
- By default the stunnel port number is set to 11344. You can change it to another port if necessary, but be sure to make note of the new port number.
- You may see these IP addresses in activity logs from the vendor because Defender for Cloud Apps performs governance actions and scans from these IP addresses.
To connect to third-party apps and integrate with external DLP solutions, enable Defender for Cloud Apps to connect from these IP addresses:
Data center | IP addresses |
---|---|
US1 | 13.64.26.88, 13.64.29.32, 13.64.30.76, 13.64.30.117, 13.64.30.118, 13.64.31.116, 13.64.196.27, 13.64.198.19, 13.64.198.97, 13.64.199.41, 13.86.176.189, 13.86.176.211, 13.91.61.249, 13.91.91.243, 13.91.98.185, 13.93.216.68, 13.93.233.42, 40.118.211.172, 104.209.35.177 |
US2 | 20.36.222.59, 20.36.222.60, 40.67.152.91, 40.67.154.160, 40.67.155.146, 40.67.159.55, 40.84.2.83, 40.84.4.93, 40.84.4.119, 52.184.165.82, 52.232.224.227, 52.232.225.84, 104.46.116.211, 104.46.116.211, 104.46.121.72, 104.46.121.72, 104.46.122.189, 104.46.122.189 |
US3 | 40.90.218.196, 40.90.218.197, 40.90.218.198, 40.90.218.203, 40.90.220.190, 40.90.220.196, 51.143.120.236, 51.143.120.242 |
EU1 | 13.80.22.71, 13.95.29.177, 13.95.30.46, 40.67.219.133, 40.114.217.8, 40.114.217.8, 40.115.24.65, 40.115.24.65, 40.115.25.50, 40.119.154.72, 51.105.179.157, 52.157.232.110, 52.157.233.92, 52.157.233.133, 52.157.238.58, 52.157.239.110, 52.174.56.180 |
EU2 | 40.81.152.171, 40.81.152.172, 40.81.156.153, 40.81.156.154, 40.81.156.155, 40.81.156.156, 51.145.108.227, 51.145.108.250 |
Mail server
To enable notifications to be sent from the default template and settings, add these IP addresses to your anti-spam allowlist. The Defender for Cloud Apps dedicated email IP addresses are:
- 65.55.234.192/26
- 207.46.50.192/26
- 65.55.52.224/27
- 94.245.112.0/27
- 111.221.26.0/27
- 207.46.200.0/27
If you want to customize the email sender identity, Microsoft Defender for Cloud Apps enables customization by using MailChimp®, a third-party email service. To make it work, in the Microsoft Defender for Cloud Apps portal, go to Settings. Select Mail settings and review MailChimp’s Terms of Service and Privacy Statement. Then, give Microsoft permission to use MailChimp on your behalf.
If you don’t customize the sender identity, your email notifications will be sent using all the default settings.
To work with MailChimp, add this IP address to your anti-spam allowlist to enable notifications to be sent: 198.2.134.139 (mail1.cloudappsecurity.com
)
Log collector
To enable Cloud Discovery features using a log collector and detect Shadow IT in your organization, open the following items:
- Allow the log collector to receive inbound FTP and Syslog traffic as configured for the data sources.
- Allow the log collector to initiate outbound traffic to the Defender for Cloud Apps portal (for example
contoso.cloudappsecurity.com
) on port 443 and access to port 53 (DNS services). - Allow the log collector to initiate outbound traffic to the Azure blob storage on port 443:
Note
- If your firewall requires a static IP address access list and does not support allowing based on URL, allow the log collector to initiate outbound traffic to the Microsoft Azure datacenter IP ranges on port 443.
- If you didn’t specify a proxy when you set up the log collector, you need to allow http connections on port 80 for the URLs listed on the Azure TLS certificate changes page. This is used for checking certificate revocation status when you connect to the Defender for Cloud Apps portal.