Microsoft Message ID: MC1150664 – 2025-09-09 | Action Required: Update firewall configurations to include new network endpoints

Microsoft 365 Update

💡 Our Technical Review in summary

Summary

  • Event: Microsoft Intune and Basic Mobility and Security for Microsoft 365 are expanding their network infrastructure to include Azure Front Door (AFD) endpoints.
  • Timeline: These changes will take effect on or shortly after December 2, 2025.
  • Context: This update is part of Microsoft’s Secure Future Initiative (SFI) aimed at improving the security and resiliency of cloud services.

Impact

  • Scope: This affects organizations that restrict outbound internet traffic using firewalls, proxy servers, VPNs, or Network Security Groups (NSGs) based on specific IP address ranges or Azure service tags.
  • Potential Risks: Failure to update network allowlists may result in connectivity issues for Microsoft Intune management, device enrollment, and Basic Mobility and Security features.
  • Existing Endpoints: This is an additive change. You must not remove any currently configured network endpoints required for Intune or Basic Mobility and Security.

Action Required

  • Identify Required Ranges: Locate the additional IP ranges within the Microsoft-provided JSON files for your specific cloud environment (Public or Government). Search specifically for the tag “AzureFrontDoor.MicrosoftSecurity”.
  • Update Firewalls/Proxies: Add the new Azure Front Door IP ranges to your outbound allowlist so that traffic to them is permitted on port 443 (HTTPS).
  • Use Service Tags: If your firewall infrastructure supports Azure Service Tags, it is highly recommended to add the “AzureFrontDoor.MicrosoftSecurity” service tag to your rules to automate future updates.
  • Deadline: Complete all configuration changes by December 2, 2025, to prevent service disruption.
  • Internal Coordination: If you do not manage the network security perimeter, immediately forward these requirements to your Network Operations or Cybersecurity teams.
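
The tag lookup and allowlist comparison described in the steps above, as an added example (not Microsoft's code and not part of the original post). It assumes the usual layout of the Azure service tags JSON download (`values[].name`, `values[].properties.addressPrefixes`); the sample prefixes are constructed documentation ranges, and the function names and sample allowlist are hypothetical.

```python
import ipaddress
import json

TAG = "AzureFrontDoor.MicrosoftSecurity"

# Constructed sample in the layout of the Azure service tags JSON download;
# the prefixes are documentation ranges, not real Azure Front Door addresses.
SAMPLE_JSON = """
{"changeNumber": 1, "cloud": "Public", "values": [
  {"name": "AzureFrontDoor.Frontend",
   "properties": {"addressPrefixes": ["203.0.113.0/24"]}},
  {"name": "AzureFrontDoor.MicrosoftSecurity",
   "properties": {"addressPrefixes":
     ["192.0.2.0/25", "198.51.100.64/26", "2001:db8:100::/48"]}}
]}
"""

def tag_prefixes(doc, tag=TAG):
    """Return the networks listed under one service tag; fail loudly if absent."""
    for entry in doc.get("values", []):
        if entry.get("name", "").lower() == tag.lower():
            raw = entry.get("properties", {}).get("addressPrefixes", [])
            return [ipaddress.ip_network(p, strict=False) for p in raw]
    raise KeyError(f"service tag {tag!r} not found in file")

def missing_from_allowlist(required, allowlist):
    """Required prefixes not fully covered by any existing allowlist entry."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    return [
        net for net in required
        # Check the IP version first: subnet_of() raises on mixed v4/v6.
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed)
    ]

def audit(json_text, allowlist, tag=TAG):
    """Return the CIDR strings still to be added for outbound TCP 443."""
    required = tag_prefixes(json.loads(json_text), tag)
    return [str(n) for n in missing_from_allowlist(required, allowlist)]

if __name__ == "__main__":
    # Hypothetical current outbound allowlist exported from a firewall.
    current = ["192.0.2.0/24", "203.0.113.0/24"]
    for cidr in audit(SAMPLE_JSON, current):
        print("add outbound tcp/443 allow:", cidr)
```

Because this is an additive change, the output lists only prefixes to add; it never proposes removing an existing entry.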

Microsoft Official Update

Service: N/A
Category: planForChange
Severity: normal


As part of Microsoft’s ongoing Secure Future Initiative (SFI), starting on or shortly after December 2, 2025, the network service endpoints for Microsoft Intune will also use the Azure Front Door IP addresses. Since Basic Mobility and Security for Microsoft 365 uses Intune infrastructure, customers may need to add Azure Front Door IP addresses, if using a firewall allowlist that allows outbound traffic based on IP addresses or Azure service tags.

Do not remove any existing network endpoints required for Basic Mobility and Security for Microsoft 365. Additional network endpoints are documented as part of the Azure Front Door and service tags information referenced in the files linked below:

The additional ranges are those listed in the JSON files linked above and can be found by searching for “AzureFrontDoor.MicrosoftSecurity”.

[How this will affect your organization:]

If you have configured an outbound traffic policy for IP address ranges or Azure service tags for your firewalls, routers, proxy servers, client-based firewalls, VPN or network security groups, you will need to update them to include the new Azure Front Door ranges with the “AzureFrontDoor.MicrosoftSecurity” tag. 

[What you need to do to prepare:]

Ensure that your firewall rules are updated and added to your firewall’s allowlist with the additional IP addresses documented under Azure Front Door by December 2, 2025.

Alternatively, you may add the service tag “AzureFrontDoor.MicrosoftSecurity” to your firewall rules to allow outbound traffic on port 443 for the addresses in the tag. 

If you are not the IT admin who can make this change, notify your networking team. If you are responsible for configuring internet traffic, refer to the following documentation for more details:

If you have a helpdesk, inform them about this upcoming change. If you need additional assistance, contact Microsoft Support and refer to this message center post.