IP Subnets used by Azure ATP


We can't create firewall rules with the recommended *.atp.com DNS records, because our firewall doesn't support DNS names in firewall rules.  What are the IP Subnets used by Azure ATP?

12 Replies

Hi Ryan,

We don't list the IPs / subnets because it's a cloud service and could use many different IPs or subnets. If you can't use DNS, the recommended option is to allow HTTPS outbound.

I appreciate the response, but can't really accept that answer.  Suggesting that we allow broader access than needed, because we are working with a cloud service doesn't make sense to me.  Most other Azure and Office 365 services provide a list of subnets, because they recognize that DNS doesn't work in firewall rules for all customers.  

 

Microsoft's best practices recommend limiting connectivity for domain controllers. Suggesting that we just allow all outbound HTTPS connectivity goes against that recommendation and will not work for us. What is the best way to escalate further, so we can get a list of subnets used?

Ryan, can you give some example links of other Azure services that provide IP subnet lists?

Why wouldn't the IPs be published through the existing REST service?

 

https://docs.microsoft.com/en-us/office365/enterprise/office-365-ip-web-service

I think this service is only for Office; AATP is not part of Office.

But it's a good example.

Adding @Itay Argoety from product to consider this example. 

Ok, well to redirect the question, if the Office 365 product groups can manage the publishing of IP ranges, why can't the Azure product groups?

 

Also as a customer the Office/Azure distinction doesn't fly, because Azure ATP is part of EM+S E5, an add-on to O365 and part of M365 that is heavily promoted to O365/M365 customers and is available for purchase through the O365 admin portal.

It does make sense; that's why I added someone from product to consider it.

(Not sure if the implementation should be on the same shared list or a separate list though, there are many considerations to this).

You can have a look over here

The agents can also work over Azure Express Route. So they do use the published IP addresses.

https://www.microsoft.com/en-us/download/details.aspx?id=41653

 

Those are for all Azure IPs.

I thought you were interested specifically in the IPs that AATP is using...

@Eli Ofek Any updates regarding the AATP IP addresses?

@Stephan Mey  Are you asking now because you already know it just got published? :)

We now support Service Tags, the IP ranges are in this file:

Download the service tags

Look inside for AzureAdvancedThreatProtection.

Note: I believe the IP ranges might change over time, this is support for service tags, which are automatically updated when you use them.

@Ryan Marchant @Eli Ofek 

 

Download the Public IP in JSON format and find what you need at https://www.microsoft.com/en-us/download/details.aspx?id=56519

Here is the data for the tag AzureAdvancedThreatProtection, the IP info you are looking for.

I got the ServiceTags_Public_20200413.json version, and I notice many IP address blocks and no region is yet defined on the list Microsoft is providing.

 

{
"name": "AzureAdvancedThreatProtection",
"id": "AzureAdvancedThreatProtection",
"properties": {
"changeNumber": 2,
"region": "",
"platform": "Azure",
"systemService": "AzureAdvancedThreatProtection",
"addressPrefixes": [
"13.72.105.31/32",
"13.72.105.76/32",
"13.93.176.195/32",
"13.93.176.215/32",
"20.36.120.112/29",
"20.37.64.112/29",
"20.37.156.192/29",
"20.37.195.8/29",
"20.37.224.112/29",
"20.38.84.96/29",
"20.38.136.112/29",
"20.39.11.16/29",
"20.41.4.96/29",
"20.41.65.128/29",
"20.41.192.112/29",
"20.42.4.192/29",
"20.42.129.176/29",
"20.42.224.112/29",
"20.43.41.144/29",
"20.43.65.136/29",
"20.43.130.88/29",
"20.45.112.112/29",
"20.45.192.112/29",
"20.150.160.112/29",
"20.184.13.55/32",
"20.184.14.129/32",
"20.189.106.120/29",
"20.192.160.24/29",
"20.192.225.16/29",
"40.65.107.78/32",
"40.65.111.206/32",
"40.67.48.112/29",
"40.74.30.96/29",
"40.80.56.112/29",
"40.80.168.112/29",
"40.80.188.16/29",
"40.82.253.64/29",
"40.85.133.119/32",
"40.85.133.178/32",
"40.87.44.77/32",
"40.87.45.222/32",
"40.89.16.112/29",
"40.119.9.224/29",
"51.104.25.144/29",
"51.105.80.112/29",
"51.105.88.112/29",
"51.107.48.112/29",
"51.107.144.112/29",
"51.120.40.112/29",
"51.120.224.112/29",
"51.137.161.128/29",
"51.143.183.3/32",
"51.143.183.52/32",
"51.143.192.112/29",
"52.136.48.112/29",
"52.140.104.112/29",
"52.150.139.64/29",
"52.170.0.116/32",
"52.170.1.228/32",
"52.170.249.197/32",
"52.174.66.179/32",
"52.174.66.180/32",
"52.225.176.98/32",
"52.225.181.34/32",
"52.225.183.206/32",
"52.228.81.128/29",
"104.42.25.10/32",
"104.42.29.8/32",
"168.63.46.233/32",
"168.63.46.241/32",
"191.233.8.24/29",
"191.235.225.136/29"
]
}
},
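Added example, not part of the original thread and not Microsoft's code: since the replies note that the ranges change over time, this sketch reads the AzureAdvancedThreatProtection entry from two downloads of the service tags file and reports which prefixes to add to or remove from a domain controller's outbound 443 allow-list. The top-level "values" array, the `MIN_PREFIXLEN` sanity limit, changeNumber 3 and the 198.51.100.8/29 prefix are assumptions or constructed sample data.

```python
import ipaddress
import json

TAG = "AzureAdvancedThreatProtection"
MIN_PREFIXLEN = 16  # assumption: refuse anything broader than a /16

# Constructed samples in the shape of the entry quoted in the thread.
# The enclosing "values" array is an assumption about the full file.
OLD = json.loads("""{"values": [{"name": "AzureAdvancedThreatProtection",
 "properties": {"changeNumber": 2, "region": "",
  "addressPrefixes": ["13.72.105.31/32", "20.36.120.112/29"]}}]}""")
NEW = json.loads("""{"values": [{"name": "AzureAdvancedThreatProtection",
 "properties": {"changeNumber": 3, "region": "",
  "addressPrefixes": ["20.36.120.112/29", "198.51.100.8/29"]}}]}""")

def tag_prefixes(doc, name=TAG):
    """Return (changeNumber, set of networks) for one service tag."""
    for entry in doc["values"]:
        if entry["name"] == name:
            break
    else:
        raise KeyError(f"service tag {name!r} not in file")
    props = entry["properties"]
    nets = set()
    for text in props["addressPrefixes"]:
        net = ipaddress.ip_network(text, strict=True)  # rejects host bits set
        if net.prefixlen < MIN_PREFIXLEN:
            raise ValueError(f"suspiciously broad prefix {net}")
        nets.add(net)
    if not nets:
        raise ValueError("empty prefix list; keep the current rules")
    return props["changeNumber"], nets

def plan_update(old_doc, new_doc, name=TAG):
    """Prefixes to add to / remove from the outbound 443 allow-list."""
    old_change, old = tag_prefixes(old_doc, name)
    new_change, new = tag_prefixes(new_doc, name)
    if new_change == old_change:  # tag unchanged since last download
        return [], []
    key = lambda n: (n.version, n)  # keeps IPv4 and IPv6 sortable together
    return sorted(new - old, key=key), sorted(old - new, key=key)

if __name__ == "__main__":
    add, remove = plan_update(OLD, NEW)
    print("add:", [str(n) for n in add], "remove:", [str(n) for n in remove])
```

A missing tag, an empty list or an overly broad prefix raises instead of returning, so a damaged download cannot silently widen or empty the firewall rule.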
