Share via

Azure Service Tags

Peter Stieber 65 Reputation points
2026-06-23T13:18:36.4166667+00:00

Why are some Azure Firewall service tags not returned by the Azure Service Tags API?

Azure Firewall supports a wide range of service tags that can be configured in firewall policies, yet when retrieving service tags via the API:

GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Network/locations/{location}/serviceTags?api-version=2025-05-01

not all of them appear in the response. For example, none of the Office 365 tags available in Azure Firewall are included:

  • Office365.Exchange.Optimize
  • Office365.Exchange.Allow.Required
  • Office365.Exchange.Allow.NotRequired
  • Office365.Skype.Optimize
  • Office365.Skype.Allow.Required
  • Office365.Skype.Allow.NotRequired
  • Office365.SharePoint.Optimize
  • Office365.Common.Allow.Required

Is this by design? Are certain Azure Firewall service tags intentionally excluded from this endpoint, and if so, where can their associated IP ranges be programmatically retrieved?

Azure Firewall
Azure Firewall

An Azure network security service that is used to protect Azure Virtual Network resources.

0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Thanmayi Godithi 10,820 Reputation points Microsoft External Staff Moderator
    2026-06-24T04:58:31.6533333+00:00

    Hi Peter Stieber ,

    Yes, this is by design.

    The Microsoft.Network/serviceTags REST API returns the Azure Virtual Network service tags dataset (the same data published in the weekly Service Tags JSON download). These tags represent Azure service IP prefixes that are exposed through the Azure Service Tags platform and are documented in the Azure Service Tags overview.

    The Office 365 / Microsoft 365 tags you listed (Office365.Exchange.Optimize, Office365.Skype.Allow.Required, Office365.SharePoint.Optimize, etc.) are a special set of Azure Firewall built-in Microsoft 365 service tags, not standard Azure Service Tags returned by the Service Tags API. Azure Firewall documentation explicitly states that Azure Firewall supports:

    • Regular Azure service tags from the Virtual Network Service Tags catalog.
    • Additional tags for Microsoft 365 endpoints, categorized by product (Exchange, Skype, SharePoint, Common) and category (Optimize, Allow, etc.).

    Because these Microsoft 365 tags are Azure Firewall–specific constructs, they are not exposed through the serviceTags endpoint, which explains why they don't appear in the API response.

    How to retrieve the corresponding IP ranges

    For Microsoft 365 endpoints, Microsoft recommends using the Microsoft 365 endpoints data source rather than the Azure Service Tags API. Azure Firewall automatically maintains the underlying Microsoft 365 IP addresses and FQDNs for its built-in tags.

    For programmatic access to the underlying endpoint data, use the Microsoft 365 endpoint web service:

    These services provide the authoritative Microsoft 365 endpoint information, including IP ranges and FQDNs that Azure Firewall uses to build and maintain its Microsoft 365 service tags.

    Was this answer helpful?

    0 comments
  2. Andreas Baumgarten 132.3K Reputation points MVP Volunteer Moderator
    2026-06-23T14:24:18.5466667+00:00

    Hi @Peter Stieber ,

    here you can find all current available Azure Service Tags: Available service tags

    Unfortunately there are no dedicated Office 365 tags listed.

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards

    Andreas Baumgarten

    Was this answer helpful?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.