
// Azure Firewall policy rule collections for Entra-joined / Intune-managed devices.
// This file is JSONC (it carries "//" comments), so it must be read by a
// comment-tolerant parser; a strict application/json parser will reject it.
// One array per cloud ("AzureCloud", "AzureUSGovernment"). Every collection is a
// FirewallPolicyFilterRuleCollection with action Allow, and every rule sources
// from the "{{ipAddressPool}}" IP group, which looks like a template placeholder
// substituted at deployment time — presumably; confirm against the deployment tooling.
// Azure Firewall evaluates a lower "priority" number first; both clouds use the
// same collection names and priorities (200, 250, 260, 300, 500).
// NOTE(review): Azure Firewall's documented model processes network rule collections
// (Intune_NW, Entra_ID_NW) before application rule collections regardless of the
// priority values here — confirm against current docs before relying on ordering.
// Every application rule allows Http on 80 as well as Https on 443 and sets
// "terminateTLS": false, so none of these sessions is decrypted by the firewall;
// matching is on the requested host name, not on inspected payload.
{
  "AzureCloud": [
    {
      // Network rule to the GuestAndHybridManagement service tag. "*" permits every
      // TCP port to that tag — the broadest destination-port scope in this file.
      "name": "Intune_NW",
      "priority": 200,
      "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
      "action": { "type": "Allow" },
      "rules": [
        {
          "ruleType": "NetworkRule",
          "name": "GuestAndHybridMgt",
          "ipProtocols": ["TCP"],
          "sourceIpGroups": ["{{ipAddressPool}}"],
          "destinationAddresses": ["GuestAndHybridManagement"],
          "destinationIpGroups": [],
          "destinationFqdns": [],
          "destinationPorts": ["*"]
        }
      ]
    },
    {
      // Windows Update through the built-in "WindowsUpdate" FQDN tag; no explicit FQDNs.
      "name": "WindowsUpdate_App",
      "priority": 500,
      "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
      "action": { "type": "Allow" },
      "rules": [
        {
          "ruleType": "ApplicationRule",
          "name": "WindowsUpdate_tag",
          "protocols": [ { "protocolType": "Http", "port": 80 }, { "protocolType": "Https", "port": 443 } ],
          "fqdnTags": ["WindowsUpdate"],
          "webCategories": [],
          "targetFqdns": [],
          "targetUrls": [],
          "terminateTLS": false,
          "destinationAddresses": [],
          "sourceIpGroups": ["{{ipAddressPool}}"]
        }
      ]
    },
    {
      // Intune service, Office config, device registration and the Win32 app /
      // script content CDNs. All rules in this collection carry an explicit
      // "destinationAddresses": [] (the Entra_ID_App rules below do not).
      "name": "Intune_App",
      "priority": 300,
      "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
      "action": { "type": "Allow" },
      "rules": [
        {
          "ruleType": "ApplicationRule",
          "name": "manage_microsoft_com",
          "protocols": [ { "protocolType": "Http", "port": 80 }, { "protocolType": "Https", "port": 443 } ],
          "fqdnTags": [],
          "webCategories": [],
          // The wildcard does not match the bare apex, hence both entries.
          "targetFqdns": ["*.manage.microsoft.com", "manage.microsoft.com"],
          "targetUrls": [],
          "terminateTLS": false,
          "destinationAddresses": [],
          "sourceIpGroups": ["{{ipAddressPool}}"]
        },
        {
          "ruleType": "ApplicationRule",
          "name": "office_config",
          "protocols": [ { "protocolType": "Http", "port": 80 }, { "protocolType": "Https", "port": 443 } ],
          "fqdnTags": [],
          "webCategories": [],
          "targetFqdns": ["config.office.com", "*.officeconfig.msocdn.com"],
          "targetUrls": [],
          "terminateTLS": false,
          "destinationAddresses": [],
          "sourceIpGroups": ["{{ipAddressPool}}"]
        },
        {
          "ruleType": "ApplicationRule",
          "name": "graph_windows_net",
          "protocols": [ { "protocolType": "Http", "port": 80 }, { "protocolType": "Https", "port": 443 } ],
          "fqdnTags": [],
          "webCategories": [],
          // graph.windows.net is also allowed by Entra_ID_App/MS_Graph below; the
          // two collections overlap for this FQDN.
          "targetFqdns": ["graph.windows.net"],
          "targetUrls": [],
          "terminateTLS": false,
          "destinationAddresses": [],
          "sourceIpGroups": ["{{ipAddressPool}}"]
        },
        {
          "ruleType": "ApplicationRule",
          "name": "enterprise_reg",
          "protocols": [ { "protocolType": "Http", "port": 80 }, { "protocolType": "Https", "port": 443 } ],
          "fqdnTags": [],
          "webCategories": [],
          "targetFqdns": [
            "enterpriseregistration.windows.net",
            "EnterpriseEnrollment.manage.microsoft.com"
          ],
          "targetUrls": [],
          "terminateTLS": false,
          "destinationAddresses": [],
          "sourceIpGroups": ["{{ipAddressPool}}"]
        },
        {
          "ruleType": "ApplicationRule",
          "name": "Scripts_Win32_Apps",
          "protocols": [ { "protocolType": "Http", "port": 80 }, { "protocolType": "Https", "port": 443 } ],
          "fqdnTags": [],
          "webCategories": [],
          // Explicit CDN host list for script and Win32 app content; Http on 80 is
          // allowed here as well, so this content may be fetched without TLS.
          "targetFqdns": [
            "swda01-mscdn.azureedge.net",
            "swda02-mscdn.azureedge.net",
            "swdb01-mscdn.azureedge.net",
            "swdb02-mscdn.azureedge.net",
            "swdc01-mscdn.azureedge.net",
            "swdc02-mscdn.azureedge.net",
            "swdd01-mscdn.azureedge.net",
            "swdd02-mscdn.azureedge.net",
            "swdin01-mscdn.azureedge.net",
            "swdin02-mscdn.azureedge.net"
          ],
          "targetUrls": [],
          "terminateTLS": false,
          "destinationAddresses": [],
          "sourceIpGroups": ["{{ipAddressPool}}"]
        }
      ]
    },
    // TODO: Advanced: Add PowerShell and Win32 Apps URLs, by geography
    // https://learn.microsoft.com/en-us/mem/intune/fundamentals/intune-endpoints?tabs=north-america#network-requirements-for-powershell-scripts-and-win32-apps
    // TODO: Advanced: Health Attestation Service URLs, by geography
    // https://learn.microsoft.com/en-us/mem/intune/fundamentals/intune-endpoints?tabs=north-america#migrating-device-health-attestation-compliance-policies-to-microsoft-azure-attestation
    {
      // Entra ID network rules: the AzureActiveDirectory service tag on 80/443, plus
      // the Instance Metadata Service address.
      "name": "Entra_ID_NW",
      "priority": 250,
      "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
      "action": { "type": "Allow" },
      "rules": [
        {
          "ruleType": "NetworkRule",
          // NOTE(review): named "Entra_ID_Tag" here but "EntraID_Tag" in the
          // AzureUSGovernment copy of this collection.
          "name": "Entra_ID_Tag",
          "ipProtocols": ["TCP"],
          "sourceIpGroups": ["{{ipAddressPool}}"],
          "destinationAddresses": ["AzureActiveDirectory"],
          "destinationIpGroups": [],
          "destinationFqdns": [],
          "destinationPorts": ["80", "443"]
        },
        {
          "ruleType": "NetworkRule",
          "name": "Entra_ID_metadata",
          "ipProtocols": ["TCP"],
          "sourceIpGroups": ["{{ipAddressPool}}"],
          // 169.254.169.254 is the link-local Azure Instance Metadata Service
          // address. Link-local traffic is not routed via the firewall, so this
          // rule is expected to be a no-op here; the AzureUSGovernment copy carries
          // a TODO to move it to the AzurePlatform collection for the same reason.
          "destinationAddresses": ["169.254.169.254"],
          "destinationIpGroups": [],
          "destinationFqdns": [],
          "destinationPorts": ["80", "443"]
        }
      ]
    },
    {
      // Entra ID application rules: Graph, Azure management, sign-in CDN and login
      // endpoints. NOTE(review): MS_Graph and manage_azure_com carry
      // "destinationAddresses": [] while Entra_ID_CDN, Entra_ID_Login and rbac_flow
      // omit it; the rule shape should be the same across all of them.
      "name": "Entra_ID_App",
      "priority": 260,
      "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
      "action": { "type": "Allow" },
      "rules": [
        {
          "ruleType": "ApplicationRule",
          "name": "MS_Graph",
          "protocols": [ { "protocolType": "Http", "port": 80 }, { "protocolType": "Https", "port": 443 } ],
          "fqdnTags": [],
          "webCategories": [],
          // Same FQDN as Intune_App/graph_windows_net above.
          "targetFqdns": ["graph.windows.net"],
          "targetUrls": [],
          "terminateTLS": false,
          "destinationAddresses": [],
          "sourceIpGroups": ["{{ipAddressPool}}"]
        },
        {
          "ruleType": "ApplicationRule",
          "name": "manage_azure_com",
          "protocols": [ { "protocolType": "Http", "port": 80 }, { "protocolType": "Https", "port": 443 } ],
          "fqdnTags": [],
          "webCategories": [],
          "targetFqdns": ["manage.azure.com"],
          "targetUrls": [],
          "terminateTLS": false,
          "destinationAddresses": [],
          "sourceIpGroups": ["{{ipAddressPool}}"]
        },
        {
          "ruleType": "ApplicationRule",
          "name": "Entra_ID_CDN",
          "protocols": [ { "protocolType": "Http", "port": 80 }, { "protocolType": "Https", "port": 443 } ],
          "fqdnTags": [],
          "webCategories": [],
          // Specific CDN hosts only (no wildcards), unlike the AzureUSGovernment copy.
          "targetFqdns": [
            "aadcdn.msauth.net",
            "aadcdn.msftauth.net",
            "ajax.aspnetcdn.com",
            "aadcdn.msauthimages.net"
          ],
          "targetUrls": [],
          "terminateTLS": false,
          "sourceIpGroups": ["{{ipAddressPool}}"]
        },
        {
          "ruleType": "ApplicationRule",
          "name": "Entra_ID_Login",
          "protocols": [ { "protocolType": "Http", "port": 80 }, { "protocolType": "Https", "port": 443 } ],
          "fqdnTags": [],
          "webCategories": [],
          "targetFqdns": [
            "login.microsoftonline.com",
            "login.windows.net",
            "login.microsoft.com"
          ],
          "targetUrls": [],
          "terminateTLS": false,
          "sourceIpGroups": ["{{ipAddressPool}}"]
        },
        {
          "ruleType": "ApplicationRule",
          "name": "rbac_flow",
          "protocols": [ { "protocolType": "Http", "port": 80 }, { "protocolType": "Https", "port": 443 } ],
          "fqdnTags": [],
          "webCategories": [],
          // Endpoint required for Entra ID sign-in to Azure VMs (RBAC flow):
          // https://learn.microsoft.com/entra/identity/devices/howto-vm-sign-in-azure-ad-windows#network-requirements
          "targetFqdns": ["pas.windows.net"],
          "targetUrls": [],
          "terminateTLS": false,
          "sourceIpGroups": ["{{ipAddressPool}}"]
        }
      ]
    }
  ],
  "AzureUSGovernment": [
    {
      // Identical to the AzureCloud Intune_NW collection: any TCP port to the
      // GuestAndHybridManagement service tag.
      "name": "Intune_NW",
      "priority": 200,
      "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
      "action": { "type": "Allow" },
      "rules": [
        {
          "ruleType": "NetworkRule",
          "name": "GuestAndHybridMgt",
          "ipProtocols": ["TCP"],
          "sourceIpGroups": ["{{ipAddressPool}}"],
          "destinationAddresses": ["GuestAndHybridManagement"],
          "destinationIpGroups": [],
          "destinationFqdns": [],
          "destinationPorts": ["*"]
        }
      ]
    },
    {
      // Windows Update through the built-in "WindowsUpdate" FQDN tag. None of the
      // AzureUSGovernment application rules carry "destinationAddresses".
      "name": "WindowsUpdate_App",
      "priority": 500,
      "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
      "action": { "type": "Allow" },
      "rules": [
        {
          "ruleType": "ApplicationRule",
          "name": "WindowsUpdate_tag",
          "protocols": [ { "protocolType": "Http", "port": 80 }, { "protocolType": "Https", "port": 443 } ],
          "fqdnTags": ["WindowsUpdate"],
          "webCategories": [],
          "targetFqdns": [],
          "targetUrls": [],
          "terminateTLS": false,
          "sourceIpGroups": ["{{ipAddressPool}}"]
        }
      ]
    },
    {
      // US Government cloud equivalents of the AzureCloud Intune_App rules.
      // NOTE(review): office_config still points at the commercial
      // config.office.com / *.officeconfig.msocdn.com hosts — confirm that is
      // intended for this cloud.
      "name": "Intune_App",
      "priority": 300,
      "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
      "action": { "type": "Allow" },
      "rules": [
        {
          "ruleType": "ApplicationRule",
          "name": "manage_microsoft_us",
          "protocols": [ { "protocolType": "Http", "port": 80 }, { "protocolType": "Https", "port": 443 } ],
          "fqdnTags": [],
          "webCategories": [],
          // The wildcard does not match the bare apex, hence both entries.
          "targetFqdns": ["*.manage.microsoft.us", "manage.microsoft.us"],
          "targetUrls": [],
          "terminateTLS": false,
          "sourceIpGroups": ["{{ipAddressPool}}"]
        },
        {
          "ruleType": "ApplicationRule",
          "name": "office_config",
          "protocols": [ { "protocolType": "Http", "port": 80 }, { "protocolType": "Https", "port": 443 } ],
          "fqdnTags": [],
          "webCategories": [],
          "targetFqdns": ["config.office.com", "*.officeconfig.msocdn.com"],
          "targetUrls": [],
          "terminateTLS": false,
          "sourceIpGroups": ["{{ipAddressPool}}"]
        },
        {
          "ruleType": "ApplicationRule",
          // NOTE(review): a rule named "MS_Graph" also exists in Entra_ID_App below;
          // rule names must be unique within a collection, and reusing one across
          // collections makes logs harder to read. graph.windows.us is allowed by both.
          "name": "MS_Graph",
          "protocols": [ { "protocolType": "Http", "port": 80 }, { "protocolType": "Https", "port": 443 } ],
          "fqdnTags": [],
          "webCategories": [],
          "targetFqdns": ["graph.windows.us"],
          "targetUrls": [],
          "terminateTLS": false,
          "sourceIpGroups": ["{{ipAddressPool}}"]
        },
        {
          "ruleType": "ApplicationRule",
          "name": "enterprise_reg",
          "protocols": [ { "protocolType": "Http", "port": 80 }, { "protocolType": "Https", "port": 443 } ],
          "fqdnTags": [],
          "webCategories": [],
          "targetFqdns": ["enterpriseregistration.microsoftonline.us"],
          "targetUrls": [],
          "terminateTLS": false,
          "sourceIpGroups": ["{{ipAddressPool}}"]
        },
        {
          "ruleType": "ApplicationRule",
          "name": "Scripts_Win32_Apps",
          "protocols": [ { "protocolType": "Http", "port": 80 }, { "protocolType": "Https", "port": 443 } ],
          "fqdnTags": [],
          "webCategories": [],
          // Sovereign-cloud CDN hosts for script and Win32 app content.
          "targetFqdns": [
            "sovereignprodimedatapri.azureedge.net",
            "sovereignprodimedatasec.azureedge.net",
            "sovereignprodimedatahotfix.azureedge.net"
          ],
          "targetUrls": [],
          "terminateTLS": false,
          "sourceIpGroups": ["{{ipAddressPool}}"]
        }
      ]
    },
    {
      // Entra ID network rules for the US Government cloud; same service tag and
      // ports as the AzureCloud copy.
      "name": "Entra_ID_NW",
      "priority": 250,
      "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
      "action": { "type": "Allow" },
      "rules": [
        {
          "ruleType": "NetworkRule",
          // NOTE(review): named "EntraID_Tag" here but "Entra_ID_Tag" in the
          // AzureCloud copy of this collection.
          "name": "EntraID_Tag",
          "ipProtocols": ["TCP"],
          "sourceIpGroups": ["{{ipAddressPool}}"],
          "destinationAddresses": ["AzureActiveDirectory"],
          "destinationIpGroups": [],
          "destinationFqdns": [],
          "destinationPorts": ["80", "443"]
        },
        // TODO: This rule should move to the AzurePlatform rules collection
        // TODO: This rule shouldn't go through the firewall as it's not a routable IP
        // (169.254.169.254 is the link-local Instance Metadata Service address; the
        // AzureCloud copy of this rule has the same issue.)
        {
          "ruleType": "NetworkRule",
          "name": "Entra_ID_metadata",
          "ipProtocols": ["TCP"],
          "sourceIpGroups": ["{{ipAddressPool}}"],
          "destinationAddresses": ["169.254.169.254"],
          "destinationIpGroups": [],
          "destinationFqdns": [],
          "destinationPorts": ["80", "443"]
        }
      ]
    },
    {
      // Entra ID application rules for the US Government cloud.
      "name": "Entra_ID_App",
      "priority": 260,
      "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
      "action": { "type": "Allow" },
      "rules": [
        {
          "ruleType": "ApplicationRule",
          // Second rule named "MS_Graph" in this cloud (the first is in Intune_App).
          "name": "MS_Graph",
          "protocols": [ { "protocolType": "Http", "port": 80 }, { "protocolType": "Https", "port": 443 } ],
          "fqdnTags": [],
          "webCategories": [],
          "targetFqdns": [
            "graph.windows.us",
            "graph.microsoft.us",
            "graph.microsoftazure.us"
          ],
          "targetUrls": [],
          "terminateTLS": false,
          "sourceIpGroups": ["{{ipAddressPool}}"]
        },
        {
          "ruleType": "ApplicationRule",
          // Rule name kept from the AzureCloud copy; the FQDN is the usgovcloudapi host.
          "name": "manage_azure_com",
          "protocols": [ { "protocolType": "Http", "port": 80 }, { "protocolType": "Https", "port": 443 } ],
          "fqdnTags": [],
          "webCategories": [],
          "targetFqdns": ["manage.usgovcloudapi.net"],
          "targetUrls": [],
          "terminateTLS": false,
          "sourceIpGroups": ["{{ipAddressPool}}"]
        },
        {
          "ruleType": "ApplicationRule",
          "name": "Entra_ID_CDN",
          "protocols": [ { "protocolType": "Http", "port": 80 }, { "protocolType": "Https", "port": 443 } ],
          "fqdnTags": [],
          "webCategories": [],
          // "*.msauth.net" and "*.msauthimages.us" are wildcard allows, broader than
          // the AzureCloud copy, which names specific CDN hosts only.
          "targetFqdns": [
            "aadcdn.msftauth.net",
            "aadcdn.msftauthimages.us",
            "*.msauth.net",
            "*.msauthimages.us"
          ],
          "targetUrls": [],
          "terminateTLS": false,
          "sourceIpGroups": ["{{ipAddressPool}}"]
        },
        {
          "ruleType": "ApplicationRule",
          "name": "Entra_ID_Login",
          "protocols": [ { "protocolType": "Http", "port": 80 }, { "protocolType": "Https", "port": 443 } ],
          "fqdnTags": [],
          "webCategories": [],
          "targetFqdns": [
            "login.microsoftonline.us",
            "autologon.microsoft.us",
            "login.windows.us"
          ],
          "targetUrls": [],
          "terminateTLS": false,
          "sourceIpGroups": ["{{ipAddressPool}}"]
        },
        {
          "ruleType": "ApplicationRule",
          // Endpoint required for Entra ID sign-in to Azure VMs (RBAC flow):
          // https://learn.microsoft.com/entra/identity/devices/howto-vm-sign-in-azure-ad-windows#network-requirements
          "name": "rbac_flow",
          "protocols": [ { "protocolType": "Http", "port": 80 }, { "protocolType": "Https", "port": 443 } ],
          "fqdnTags": [],
          "webCategories": [],
          "targetFqdns": ["pasff.usgovcloudapi.net"],
          "targetUrls": [],
          "terminateTLS": false,
          "sourceIpGroups": ["{{ipAddressPool}}"]
        }
      ]
    }
  ]
}