Staff

Technical Tip: Changes with Microsoft Intune IP addresses in ISDB object

Forum|Forum|7 months ago
October 10, 2025
0 replies
3489 views

Description

This article explains the change that needs to be made on the FortiGate for communication towards Microsoft Intune using the ISDB objects.

Scope

FortiGate ISDB objects.

Solution

Microsoft has announced that the network service endpoints for Microsoft Intune will use Azure Front Door IP addresses from December 2nd of 2025. Currently, FortiGate has an ISDB object 'Microsoft-Intune' which can be used in policy to control the communication towards Microsoft Intune services.

After the changes in Microsoft, ISDB in FortiGate must also track the new Azure Front Door ranges with the 'AzureFrontDoor.MicrosoftSecurity' tag. A new ISDB object 'Microsoft-Azure.Front.Door.MicrosoftSecurity' is created to cover the IP ranges under the service tag 'AzureFrontDoor.MicrosoftSecurity'.

The administrator needs to add the newly created ISDB object 'Microsoft-Azure.Front.Door.MicrosoftSecurity', along with the ISDB object 'Microsoft-Intune', in the security policy, to control the communication towards Microsoft Intune.

The ISDB object 'Microsoft-Azure.Front.Door.MicrosoftSecurity' is available only in FortiOS version 7.2 onwards.

config firewall internet-service-name
edit "Microsoft-Intune"
set internet-service-id 327886
next
edit "Microsoft-Azure.Front.Door.MicrosoftSecurity"
set internet-service-id 328080
next
end

Related documents:

Microsoft-Intune (id=327886)

Microsoft-Azure.Front.Door.MicrosoftSecurity (id=328080)

Upcoming Microsoft Intune network changes