Nota: Este artículo fue publicado originalmente en 2013 and has been comprehensively updated to reflect current Microsoft 365 and Microsoft Entra ID terminology, architecture, and best practices.
Network administrators and security teams frequently encounter DNS queries and HTTPS traffic directed to clientconfig.microsoftonline-p.net in their monitoring tools. This endpoint is part of Microsoft’s cloud service infrastructure and plays a critical role in how Microsoft 365 client applications discover and configure their connections to cloud services. This guide explains what it is, why it appears in your logs, and how to handle it in your network and security configurations.
What Is clientconfig.microsoftonline-p.net?
The endpoint clientconfig.microsoftonline-p.net is a client configuration and autodiscovery service operated by Microsoft. It provides Microsoft 365 client applications and Azure AD-integrated software with the information they need to connect to the correct service endpoints for a given tenant.
What It Provides to Clients
When a Microsoft 365 application connects to this endpoint, it receives:
| Configuración Data | Description |
|---|---|
| Service Endpoints | URLs for Exchange Online, SharePoint Online, OneDrive, Teams, and other services |
| Authentication Endpoints | The correct login and token endpoints for the user’s tenant |
| Federation Configuración | Whether the tenant uses federated authentication (ADFS/third-party IdP) |
| Tenant Discovery | Maps user domain names to specific Microsoft 365 tenant configurations |
| Client Policies | Organization-specific client configuration policies |
| Feature Flags | Enabled/disabled features and rollout configurations |
The Autodiscovery Flow
When a Microsoft 365 client application (such as Outlook or Teams) starts, it goes through an autodiscovery process:
1. User enters email address (e.g., user@contoso.com)
|
v
2. Client extracts domain (contoso.com)
|
v
3. Client queries clientconfig.microsoftonline-p.net
with the domain to discover tenant configuration
|
v
4. Service returns:
- Authentication endpoint (login.microsoftonline.com/{tenant-id})
- Federation metadata (if ADFS is configured)
- Service URLs (outlook.office365.com, etc.)
|
v
5. Client authenticates at the discovered endpoint
|
v
6. Client connects to the appropriate service endpointHow Microsoft 365 Applications Use This Endpoint
Outlook and Exchange Online
When Outlook connects to Exchange Online, it performs autodiscovery to find the correct mailbox server:
- Outlook attempts autodiscovery using the user’s email domain
- Part of this process involves querying
clientconfig.microsoftonline-p.net - The response includes the Autodiscover URL for Exchange Online (typically
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml) - Outlook then connects to Exchange Online using the discovered configuration
You can test this autodiscovery process manually:
# Test Outlook autodiscovery (from Outlook: Ctrl+Right-click the Outlook icon in system tray > Test E-mail AutoConfiguration)
# Or use PowerShell to query the endpoint
$domain = "contoso.com"
$uri = "https://clientconfig.microsoftonline-p.net/autodiscover/autodiscoverconfig.svc"
Invoke-RestMethod -Uri "$uri`?domain=$domain" -Method GETAzure AD Connect
Azure AD Connect uses this endpoint during initial setup and ongoing operation:
- During setup, the wizard queries
clientconfig.microsoftonline-p.netto validate the tenant domain - It discovers the correct authentication and provisioning endpoints
- Ongoing sync operations reference the discovered configuration
OneDrive Sync Client
The OneDrive sync client (OneDrive.exe) queries this endpoint to:
- Discover the SharePoint Online and OneDrive for Business URLs for the user’s tenant
- Determine the correct authentication flow
- Download client configuration policies (sync restrictions, bandwidth limits)
Microsoft Teams
Teams uses this endpoint to:
- Discover the correct Teams service endpoints
- Determine tenant-specific configuration
- Check for federation settings (external communication policies)
Office Desktop Applications
Word, Excel, PowerPoint, and other Office applications query this endpoint when:
- A user signs into their Microsoft 365 account
- The application needs to save or open files from OneDrive/SharePoint
- Co-authoring sessions are initiated
The microsoftonline-p.net Domain Explained
The microsoftonline-p.net domain is separate from the better-known microsoftonline.com domain. Both are Microsoft-owned, but they serve different roles in the Microsoft 365 infrastructure.
Domain Comparison
| Domain | Primary Role | Common Endpoints |
|---|---|---|
microsoftonline.com | Authentication and administration | login.microsoftonline.com, adminwebservice.microsoftonline.com |
microsoftonline-p.net | Client configuration and provisioning | clientconfig.microsoftonline-p.net, provisioningapi.microsoftonline-p.net |
microsoft.com | General Microsoft services | graph.microsoft.com, login.microsoft.com |
office.com | Office web applications | www.office.com, portal.office.com |
office365.com | Office 365 services | outlook.office365.com |
The -p suffix historically indicated the “provisioning” or “partner” tier of Microsoft’s cloud infrastructure. While the naming convention is a legacy artifact, the domain remains actively used.
DNS Resolution
You can verify the legitimacy of this domain by checking its DNS records:
# Resolve the endpoint
Resolve-DnsName clientconfig.microsoftonline-p.net
# Check WHOIS information
# The domain is registered to Microsoft Corporation
# Verify the IP range belongs to Microsoft
# Microsoft's IP ranges are published at:
# https://www.microsoft.com/en-us/download/details.aspx?id=56519Network and Firewall Configuración
Required Endpoints
For Microsoft 365 client applications to function properly, the following endpoints must be accessible:
| Endpoint | Port | Protocol | Category |
|---|---|---|---|
clientconfig.microsoftonline-p.net | 443 | HTTPS | Client configuration |
login.microsoftonline.com | 443 | HTTPS | Authentication |
login.microsoft.com | 443 | HTTPS | Authentication |
autodiscover-s.outlook.com | 443 | HTTPS | Exchange autodiscovery |
outlook.office365.com | 443 | HTTPS | Exchange Online |
graph.microsoft.com | 443 | HTTPS | Microsoft Graph API |
*.sharepoint.com | 443 | HTTPS | SharePoint/OneDrive |
*.teams.microsoft.com | 443 | HTTPS | Teams |
Microsoft’s Official URL List
Microsoft publishes the complete list of required endpoints for Office 365 connectivity. You can retrieve it programmatically:
# Get the current Office 365 endpoint list
$endpoints = Invoke-RestMethod -Uri "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$(New-Guid)"
# Filter for required endpoints
$required = $endpoints | Where-Object { $_.required -eq $true }
# Display URLs
$required | Select-Object -ExpandProperty urls | Sort-Object -UniqueProxy Configuración
If your environment uses a web proxy:
- Allow HTTPS traffic to
*.microsoftonline-p.neton port 443 - Avoid SSL inspection on Microsoft 365 endpoints — it can break certificate pinning and cause authentication failures
- Bypass proxy authentication for these endpoints if possible
- Use Microsoft’s PAC file or configure your proxy based on the official endpoint list
Example PAC file entry:
function FindProxyForURL(url, host) {
// Direct connection for Microsoft 365 client config
if (shExpMatch(host, "*.microsoftonline-p.net") ||
shExpMatch(host, "*.microsoftonline.com") ||
shExpMatch(host, "*.office365.com") ||
shExpMatch(host, "*.outlook.com")) {
return "DIRECT";
}
return "PROXY proxy.contoso.com:8080";
}Seguridad Considerations
Legitimate vs. Suspicious Traffic
Traffic to clientconfig.microsoftonline-p.net is expected in any environment using Microsoft 365. However, monitor for:
- Excessive query volume: Could indicate a misconfigured client or a scanning tool
- Queries from non-Microsoft-365 machines: Servers or systems that should not be running Office applications
- Queries during unusual hours: May warrant investigation if they do not correspond to user activity
- Queries combined with failed authentication attempts: Could indicate credential stuffing attacks targeting Microsoft 365
DNS Seguridad
If you use DNS-based security tools (DNS filtering, DNSSEC, DNS sinkholing):
- Whitelist
*.microsoftonline-p.netto prevent false positive blocks - Ensure DNS resolution for this domain is not intercepted or modified
- If using split DNS, ensure external resolution works correctly for this domain
Conditional Access and Zero Trust
Pair endpoint access with Microsoft Entra Conditional Access policies:
- Require device compliance for Microsoft 365 access
- Enforce MFA for all users
- Use Named Locations to restrict access from trusted networks only
- Deploy Microsoft Entra Private Access for advanced Zero Trust scenarios
Solución de Problemas Client Configuración Issues
If Microsoft 365 applications fail to connect or auto-configure:
Paso 1: Verify DNS Resolution
Resolve-DnsName clientconfig.microsoftonline-p.net
# Should return A records pointing to Microsoft IP addressesPaso 2: Test HTTPS Connectivity
Test-NetConnection -ComputerName clientconfig.microsoftonline-p.net -Port 443
# TcpTestSucceeded should be TruePaso 3: Check TLS Configuración
# Verify TLS 1.2 is available (required by Microsoft)
[Net.ServicePointManager]::SecurityProtocol
# If TLS 1.2 is not listed, enable it
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12Paso 4: Check Proxy and Firewall
# Check system proxy settings
netsh winhttp show proxy
# Check Internet Explorer proxy settings (used by some Office apps)
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" |
Select-Object ProxyEnable, ProxyServer, ProxyOverridePaso 5: Use the Microsoft Remote Connectivity Analyzer
Microsoft provides an online tool to test Office 365 connectivity:
- Navigate to
https://testconnectivity.microsoft.com - Select the appropriate test (Outlook Autodiscovery, Exchange ActiveSync, etc.)
- Enter your credentials and run the test
- Review the detailed results for endpoint connectivity issues
Resumen
The endpoint clientconfig.microsoftonline-p.net is a Microsoft-operated client configuration and autodiscovery service used by Microsoft 365 applications to discover the correct service endpoints, authentication methods, and tenant-specific settings. It appears in DNS queries and HTTPS traffic whenever Outlook, Teams, OneDrive, Office desktop applications, or Azure AD Connect communicate with the Microsoft cloud. This endpoint is required for proper Microsoft 365 functionality and should be allowed through firewalls and proxy servers. It is part of the microsoftonline-p.net domain family, which handles provisioning and configuration functions separate from the microsoftonline.com authentication domain. Monitor traffic as part of standard security practices, but do not block this endpoint as it will break Microsoft 365 client connectivity.
Artículos Relacionados
- How to: Configure filtering for directory synchronization
- How to: Delete Microsoft Online Windows Azure phantom users
- How to: Force Active Directory Synchronization for Office 365 / Windows Intune / Windows Azure
- How to: Force Password Synchronization between an onPremise Active Directory and Microsoft Online Services / Windows Azure AD