The following information is a technical reference on the required ports and protocols for implementing a hybrid Azure identity solution. Use the following illustration and refer to the corresponding table if you ever need to know which ports and protocols to open on a firewall.
Protocol
Ports
Description
DNS
53 (TCP/UDP)
DNS lookups on the destination forest.
Kerberos
88 (TCP/UDP)
Kerberos authentication to the AD forest.
MS-RPC
135 (TCP)
Used during the initial configuration of the Azure AD Connect wizard when it binds to the AD forest, and also during Password synchronization.
LDAP
389 (TCP/UDP)
Used for data import from AD. Data is encrypted with Kerberos Sign & Seal.
SMB
445 (TCP)
Used by Seamless SSO to create a computer account in the AD forest.
LDAP/SSL
636 (TCP/UDP)
Used for data import from AD. The data transfer is signed and encrypted. Only used if you are using TLS.
RPC
49152- 65535 (Random high RPC Port)(TCP)
Used during the initial configuration of Azure AD Connect when it binds to the AD forests, and during Password synchronization.
WinRM
5985 (TCP)
Only used if you are installing AD FS with gMSA by Azure AD Connect Wizard
AD DS Web Services
9389 (TCP)
Only used if you are installing AD FS with gMSA by Azure AD Connect Wizard
Azure AD Connect and On-premises AD
The next section describes the ports and protocols that are required for communication between the Azure AD Connect server and on-premises AD.
Azure AD Connect and Azure AD
The section below describes the ports and protocols that are required for communication between the Azure AD Connect server and Azure AD.
Protocol
Ports
Description
HTTP
80 (TCP)
Used to download CRLs (Certificate Revocation Lists) to verify TLS/SSL certificates.
HTTPS
443(TCP)
Used to synchronize with Azure AD.
For a list of URLs and IP addresses you need to open in your firewall.
Azure AD Connect and AD FS Federation Servers/WAP
The below describes the ports and protocols that are required for communication between the Azure AD Connect server and AD FS Federation/WAP servers.
Protocol
Ports
Description
HTTP
80 (TCP)
Used to download CRLs (Certificate Revocation Lists) to verify TLS/SSL certificates.
HTTPS
443(TCP)
Used to synchronize with Azure AD.
WinRM
5985
WinRM Listener
WAP and Federation Servers
The below describes the ports and protocols that are required for communication between the Federation servers and WAP servers.
Protocol
Ports
Description
HTTPS
443(TCP)
Used for authentication.
WAP and Users
The follwoing describes the ports and protocols that are required for communication between users and the WAP servers.
Protocol
Ports
Description
HTTPS
443(TCP)
Used for device authentication.
TCP
49443 (TCP)
Used for certificate authentication.
Pass-through Authentication with Single Sign On (SSO) and Password Hash Sync with Single Sign On (SSO)
The following describes the ports and protocols that are required for communication between the Azure AD Connect and Azure AD.
Pass-through Authentication with SSO
Protocol
Port Number
Description
HTTP
80
Enable outbound HTTP traffic for security validation such as SSL. Also needed for the connector auto-update capability to function properly.
HTTPS
443
Enable outbound HTTPS traffic for operations such as enabling and disabling of the feature, registering connectors, downloading connector updates, and handling all user sign-in requests.
In addition, Azure AD Connect needs to be able to make direct IP connections to the Azure data center IP ranges.
Password Hash Sync with SSO
Protocol
Port Number
Description
HTTPS
443
Enable SSO registration (required only for the SSO registration process).
In addition, Azure AD Connect needs to be able to make direct IP connections to the Azure data center IP ranges. Again, this is only required for the SSO registration process.
Azure AD Connect Health agent for (AD FS/Sync) and Azure AD
The following describe the endpoints, ports, and protocols that are required for communication between Azure AD Connect Health agents and Azure AD
Ports and Protocols for Azure AD Connect Health agent for (AD FS/Sync) and Azure AD
The below describes the following outbound ports and protocols that are required for communication between the Azure AD Connect Health agents and Azure AD.
Protocol
Ports
Description
HTTPS
443(TCP)
Outbound
Azure Service Bus
5671 (TCP)
Outbound
Azure Service Bus port 5671 is no longer required for the latest version of agent. The latest Azure AD Connect Health agent version only required port 443.