Office 365 IP Addresses, Proxies, PAC files and PowerShell

If you have rolled out Office 365, or are planning to, you have probably had to work through Web Proxy exclusions and bypasses.

Microsoft have a number of technotes on the subject, as well as a detailed overview of Office 365 endpoints and associated ports. The overview page also links to the XML file Microsoft publishes, which contains all of the information about the Office 365 services and the lists of URLs, IPv4 and IPv6 addresses for each of them.

This XML file is intended to be consumed by Proxy services so that they can handle traffic to Office 365 and route it directly where possible. Most newer services support this, for Office 365 and for other cloud services.

However, you may have complex internal to external routing and need to know the specifics of what is in the XML file. Sure, you could review the web page and copy it all from there, but if, like me, you want an easy way to get this regularly and in a structured manner, you will probably want it scripted.

Using some of my own PowerShell scripts and scripts from around the Web, it is possible to:

  • Review the contents of the XML file
  • Get an individual product’s URLs and IPs
  • Calculate the IP ranges (v4)
  • Autobuild a PAC file
  • Monitor and alert when the XML file is updated

First, to import the XML into PowerShell, run the following line. If you have never navigated an XML document before, this post is useful.

[xml]$MSOLExclusions = ( New-Object System.Net.WebClient ).DownloadString( "" )

Once the file is imported, you can review the content or parse certain strings out to other files and commands… For example, using dot notation, get the last updated date. If you start to build a more complex script this can be useful to know.

[datetime]$lastUpdated = $MSOLExclusions.products.updated


You can also list the individual products or services and see the details for each.

$products = $MSOLExclusions.products.product
$products | sort name 


Most are easily identifiable from their ‘tags’, but here’s the list anyway:

  • ‘CRLs’ – Certificate Revocation Links
  • ‘EOP’ – Exchange Online Protection
  • ‘EX-Fed’ – Exchange Federation
  • ‘EXO’ – Exchange Online
  • ‘Identity’ – Office 365 Identity
  • ‘LYO’ – Skype for Business (formerly Lync Online)
  • ‘O365’ – Office 365 Portal and Shared
  • ‘Office365Video’ – Office 365 Video
  • ‘OfficeiPad’ – Office for iPad
  • ‘OfficeMobile’ – Office Mobile Apps
  • ‘OneNote’ – OneNote
  • ‘Planner’ – Planner
  • ‘ProPlus’ – Office 365 ProPlus
  • ‘RCA’ – Remote Connectivity Analyzer
  • ‘SPO’ – SharePoint Online
  • ‘Sway’ – Sway
  • ‘Teams’ – Microsoft Teams
  • ‘WAC’ – SharePoint WebApps
  • ‘Yammer’ – Yammer

Or perhaps you want a list of the URLs to add to a firewall change control request. Obviously, you would probably want to get ALL the FQDNs for all the services, but I have limited it to Exchange Online (EXO) for this example. We will get the full list later on as part of the PAC file build script.

$EXOURLs = ( $MSOLExclusions.products.product | where { $_.name -eq "EXO" } ).addresslist | where { $_.type -eq "url" }


Top tip: pipe the result to “| clip” and it will be copied to the clipboard for pasting elsewhere!

Now that we have a way to iterate through the content of the O365IPAddresses.xml file, we can start to get other information. How about the IP addresses and subnets for Skype for Business Online (LYO)?

$SKYPEIPS = ( $MSOLExclusions.products.product | where { $_.name -eq "LYO" } ).addresslist | where { $_.type -eq "ipv4" }

There are 271 entries in this list just for SfBO! (Your firewall guys will be really happy!)

Just for fun: whilst it’s not overly necessary or useful here, expanding the subnets in PowerShell may be useful on other occasions. Jason Wasser’s IPCalc.ps1 script from TechNet can certainly reveal the ranges involved in O365!

$SKYPEIPS.address | foreach-object{ & '\IPCalc.ps1' $_ }
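The subnet expansion itself is only a few lines of arithmetic. The following is an added example, not Jason Wasser’s script or code from the original post; the function names and the sample XML (documentation address ranges) are constructed for illustration.

```powershell
# Constructed sample in the shape the post's queries assume (not real Office 365 data).
[xml]$sample = @'
<products updated="1/1/2018">
  <product name="LYO">
    <addresslist type="IPv4">
      <address>192.0.2.0/24</address>
      <address>198.51.100.64/26</address>
      <address>203.0.113.7/32</address>
    </addresslist>
  </product>
</products>
'@

function ConvertTo-DottedQuad([long]$Value) {
    # Peel off the four octets, most significant first.
    (3..0 | ForEach-Object { ($Value -shr (8 * $_)) -band 255 }) -join '.'
}

function Get-CidrRange {
    param([Parameter(Mandatory)][string]$Cidr)

    $ip, $prefix = $Cidr.Trim() -split '/'
    if ($null -eq $prefix) { $prefix = 32 }        # bare address means a single host
    $prefix = [int]$prefix
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Bad prefix length in '$Cidr'" }

    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()   # network byte order
    if ($bytes.Length -ne 4) { throw "'$Cidr' is not an IPv4 range" }
    [long]$addr = 0
    foreach ($b in $bytes) { $addr = $addr * 256 + $b }

    [long]$size  = [math]::Pow(2, 32 - $prefix)    # number of addresses in the block
    [long]$first = $addr - ($addr % $size)         # clear the host bits
    [pscustomobject]@{
        Cidr  = $Cidr
        First = ConvertTo-DottedQuad $first
        Last  = ConvertTo-DottedQuad ($first + $size - 1)
        Count = $size
    }
}

$ipv4 = ($sample.products.product | Where-Object { $_.name -eq 'LYO' }).addresslist |
    Where-Object { $_.type -eq 'ipv4' }
$ipv4.address | ForEach-Object { Get-CidrRange $_ }
```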


So, on to creating a proxy auto-config (PAC) file. Once you have all your firewall rules in place, you need to build and deploy the PAC file for your users. I am sure most have a method for doing this; however, this script from Aaron Guilmette on TechNet can build one for you.

.\Office365ProxyPac.ps1 -ProxyServer 
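To show what such a builder does with the URL entries, here is an added example; it is not Aaron Guilmette’s script or code from the original post. The function name, the sample XML and the proxy address are constructed. Because every emitted entry is sent DIRECT and skips the proxy, it drops anything that is not a plain or wildcard hostname.

```powershell
# Constructed sample (not real Office 365 data), same shape as the XML queried above.
[xml]$sample = @'
<products updated="1/1/2018">
  <product name="EXO">
    <addresslist type="URL"><address>*.mail.example.com</address><address>Autodiscover.example.com</address></addresslist>
  </product>
  <product name="LYO">
    <addresslist type="URL"><address>*.mail.example.com</address><address>portal.example.org/path</address></addresslist>
  </product>
</products>
'@

function New-DirectPac {
    param(
        [Parameter(Mandatory)][xml]$Xml,
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9.-]+:\d{1,5}$')][string]$ProxyServer
    )
    # URL entries from every product, lower-cased and de-duplicated.
    $entries = $Xml.products.product.addresslist |
        Where-Object { $_.type -eq 'url' } |
        ForEach-Object { $_.address } |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Sort-Object -Unique

    # Allow only hostname characters and '*', so an unexpected entry cannot
    # break out of the quoted JavaScript string or widen the bypass.
    $safe = @()
    foreach ($e in $entries) {
        if ($e -match '^[a-z0-9.*-]+$') { $safe += $e }
        else { Write-Warning "Skipped non-hostname entry: $e" }
    }
    if ($safe.Count -eq 0) { throw 'No usable URL entries found.' }

    $tests = ($safe | ForEach-Object { '        shExpMatch(host, "{0}")' -f $_ }) -join " ||`n"
@"
function FindProxyForURL(url, host) {
    host = host.toLowerCase();
    if (
$tests
    ) { return "DIRECT"; }
    return "PROXY $ProxyServer";
}
"@
}

# proxy.example.internal:8080 is a placeholder proxy address.
New-DirectPac -Xml $sample -ProxyServer 'proxy.example.internal:8080'
```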


Lastly, you may want to know when the XML file is updated. Again, everyone has their own methods, but if you would like to learn how to use Office 365 Flow to get alerts to your inbox, then check out Miss Tech’s blog post on Keeping up to date with Office 365 Changes.
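If you would rather script the check, the following added example (not from the original post or from the blog post linked above) compares a saved copy of the XML with a fresh download and lists the entries that were added or removed, ready for a firewall change request. The function names and both snapshots are constructed.

```powershell
# Two constructed snapshots (not real Office 365 data): a saved copy and a fresh download.
[xml]$previous = @'
<products updated="1/1/2018">
  <product name="EXO">
    <addresslist type="IPv4"><address>192.0.2.0/24</address></addresslist>
    <addresslist type="URL"><address>*.mail.example.com</address></addresslist>
  </product>
</products>
'@
[xml]$current = @'
<products updated="2/1/2018">
  <product name="EXO">
    <addresslist type="IPv4"><address>192.0.2.0/24</address><address>198.51.100.0/25</address></addresslist>
    <addresslist type="URL"><address>*.mail.example.net</address></addresslist>
  </product>
</products>
'@

function Get-EndpointRow([xml]$Xml) {
    # Flatten the file to one "product|type|address" string per entry.
    foreach ($p in $Xml.products.product) {
        foreach ($l in $p.addresslist) {
            foreach ($a in $l.address) {
                '{0}|{1}|{2}' -f $p.name, $l.type.ToLower(), $a.Trim().ToLower()
            }
        }
    }
}

function Compare-EndpointSnapshot {
    param([Parameter(Mandatory)][xml]$Previous, [Parameter(Mandatory)][xml]$Current)

    # Same 'updated' attribute means nothing new has been published.
    if ($Previous.products.updated -eq $Current.products.updated) { return }

    Compare-Object (Get-EndpointRow $Previous) (Get-EndpointRow $Current) |
        ForEach-Object {
            $product, $type, $address = $_.InputObject -split '\|'
            [pscustomobject]@{
                Change  = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
                Product = $product
                Type    = $type
                Address = $address
            }
        }
}

Compare-EndpointSnapshot -Previous $previous -Current $current | Sort-Object Change, Type
```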

I hope you have found this useful. As always all code and external links are used at your own risk.
