Mark Minasi's Tech Forum
Pieter (Senior Member), post #1
I'd like to set up Azure AD with Password Sync.

Which FQDNs (or external IPs) should be opened on our firewall for HTTP and HTTPS for our internal AD Connect server?

I found a list of IPs which is ridiculously long and therefore unusable: https://www.microsoft.com/en-us/download/details.aspx?id=41653

I also found this https://docs.microsoft.com/nl-be/azure/active-directory/connect/active-directory-aadconnect-ports , but I still miss a list of FQDNs for Azure AD PW Sync.

Kind regards

__________________
Pieter Demeulemeester
wkasdo (Administrator), post #2
AAD connect does outbound traffic. There is nothing initiated from Azure to your network. Is that a problem?
__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
Pieter (Senior Member), post #3

Yes. Our firewall is not configured with 'all HTTP(S) to all destinations'.

I need a firewall policy for outbound communication.
- PROTOCOLS = HTTP and HTTPS
- FROM = IP of the internal server with AAD Connect
- TO = ??? 

For the TO component I prefer a list of FQDNs.

__________________
Pieter Demeulemeester
wkasdo (Administrator), post #4
Gotcha. Because it's Friday and I was a bit bored anyway I had a look. The page you quoted above references an XML with the required information. If I understand it correctly you need the O365 and Identity sections. This should do it:

Code:

# Download the endpoint list Microsoft publishes for Office 365 and parse it as XML.
$o365sites = Invoke-WebRequest -Uri "https://support.content.office.net/en-us/static/O365IPAddresses.xml"
$xml = [xml] $o365sites.Content

# Keep only the "identity" and "o365" products, take their URL address lists
# (the XML also carries IPv4/IPv6 lists), and de-duplicate the FQDNs.
$xml.products.product |
    Where-Object { ($_.name -eq "identity") -or ($_.name -eq "o365") } |
    Select-Object -ExpandProperty addresslist |
    Where-Object type -eq "url" |
    Select-Object -ExpandProperty address |
    Sort-Object -Unique

Partial output:

Quote:

*.aadrm.com
*.activedirectory.windowsazure.com
*.adhybridhealth.azure.com
*.azurerms.com
*.blob.core.windows.net
*.cloudapp.net
*.glbdns.microsoft.com
*.live.com
*.microsoft.com
*.microsoftonline.com
*.microsoftonline-p.com
*.microsoftonline-p.net
*.msecnd.net
*.msedge.net
[...]

Let me know if this works for you. Currently I don't have a good way to test this myself.

__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
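As an added example (not wkasdo's code), the same filter run against a constructed fragment in the shape of O365IPAddresses.xml embedded inline, so it runs offline; it also separates exact hostnames from wildcard entries and pulls the IPv4 ranges for the same products, because a wildcard such as *.microsoft.com makes a firewall rule far broader than the two products need. The function name and the sample hostnames are assumptions for the example.

```powershell
# Constructed sample in the shape of O365IPAddresses.xml (not the real file).
$sampleXml = @'
<products updated="1/1/2018">
  <product name="o365">
    <addresslist type="IPv4">
      <address>13.107.6.0/24</address>
    </addresslist>
    <addresslist type="URL">
      <address>*.microsoftonline.com</address>
      <address>login.microsoftonline.com</address>
    </addresslist>
  </product>
  <product name="Identity">
    <addresslist type="URL">
      <address>*.msappproxy.net</address>
      <address>adminwebservice.microsoftonline.com</address>
    </addresslist>
  </product>
  <product name="EXO">
    <addresslist type="URL">
      <address>outlook.office365.com</address>
    </addresslist>
  </product>
</products>
'@

# Hypothetical helper: build allow-list material for the products AAD Connect needs.
function Get-AadConnectAllowList {
    param([Parameter(Mandatory)][xml]$Xml,
          [string[]]$Products = @('o365', 'Identity'))

    # Product name comparison is case-insensitive in PowerShell, like the original one-liner.
    $lists = $Xml.products.product |
        Where-Object { $Products -contains $_.name } |
        Select-Object -ExpandProperty addresslist

    $urls = $lists | Where-Object type -eq 'URL'  | Select-Object -ExpandProperty address | Sort-Object -Unique
    $ipv4 = $lists | Where-Object type -eq 'IPv4' | Select-Object -ExpandProperty address | Sort-Object -Unique

    # Wildcard hosts deserve a second look before they go into a firewall policy.
    [pscustomobject]@{
        ExactHosts    = @($urls | Where-Object { -not $_.Contains('*') })
        WildcardHosts = @($urls | Where-Object { $_.Contains('*') })
        IPv4Ranges    = @($ipv4)
    }
}

Get-AadConnectAllowList -Xml ([xml]$sampleXml)
```

With the sample above, ExactHosts holds the two login/admin hostnames, WildcardHosts the two wildcard entries, and IPv4Ranges the single o365 range; the EXO product is dropped because it is not in the product filter.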