ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Lock down Microsoft Office 365 to IP address ranges


Article ID: 178492


Updated On:






To restrict the flow of email between your Office 365 organization and the service, set up connectors in Exchange Online or Exchange Online Protection (EOP) to use only the IP address range.

To specify multiple IP addresses, use Classless Inter-Domain Routing (CIDR) ranges in the format nnn.nnn.nnn.nnn/rr, where rr is a number from 24 to 32.

Note: By configuring the connector in this manner, any email that does not originate from IP address ranges will be rejected.

To require that all email is sent from a specific IP address range

  1. In Office 365, click Admin > Exchange to go to the Exchange Admin Center.
  2. Click mail flow.
  3. Click connectors.
  4. Click the plus symbol (+) to create a new connector.
  5. On the first screen, choose the following options:
    • From: Partner organization
    • To: Office 365
  6. Click Next.
  7. Under How to you want to identify the partner organization, select Use the sender's IP address..
  8. Check Reject email messages if they aren't from within this IP address range.
  9. Click the plus symbol (+).
  10. In the add ip address dialog box, enter the IP address ranges, in CIDR notation, as shown in Table 1.
  11. Click the plus symbol (+) again to enter additional IP address ranges, in CIDR notation, until you have entered all IP address ranges in Table 1.

IPV4 IP addresses and Classless Inter-Domain Routing (CIDR)

IPV4 IP addresses must be specified in the format nnn.nnn.nnn.nnn, where nnn is a number from 0 to 255.

You can also specify Classless Inter-Domain Routing (CIDR) ranges in the format nnn.nnn.nnn.nnn/rr, where rr is a number from 24 to 32, as shown in Table 1. To help you with this, we have provided all IP address ranges up to /24 for each region below.

Table 1 IP address ranges to /24 - All regions




Creating connectors using a PowerShell script

To speed up the process of entering IP addresses, you can use the following PowerShell script.



    This script contains all IP address ranges converted to a Classless Inter-Domain Routing (CIDR) range of IP addresses to /24, allowing for quick entry into Office 365.

    Note: Office 365 allows CIDR ranges from /24 to /32.

    This script creates a new connector for Office 365 that is restricted to IP addresses based on

    The connector is named " IP Address Ranges".

    - When prompted for a username and password, enter your Office 365 admin credentials.
    - New connectors will be disabled by default.


Set-ExecutionPolicy RemoteSigned -Force

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

New-InboundConnector -Enable $False -Name " IP Address Ranges" -SenderDomains *  -RestrictDomainsToIPAddresses $true  -RequireTls  $false -SenderIPAddresses,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Remove-PSSession $Session


Additional information

See Configure mail flow using connectors in Office 365 at for more information.

See Set up connectors for secure mail flow with a partner organization at for more information.

See Additional considerations when configuring IP Allow lists at to specify ranges outside of the 24 to 32 range.