Azure Migrate URLs
The Azure Migrate appliance software requires a long list of domains, and the Microsoft documentation describes the need for these URLs poorly. This page explores the relationship between the documented requirements and the real (observed) requirements.
Note that the observed URLs below may not reflect your environment, especially the login flow.
Summary of findings:
- A number of the documented endpoints represent an exfiltration path from the appliance host. The easiest vector is an attacker-owned Azure resource that sits under the same wildcard domain.
- The wildcard domains are mostly unnecessarily broad and could be limited further to the concrete hosts observed below.
Microsoft Documented
| Documented | Finding | URL | Details | Exfiltration Risk | Comment | Safe? |
|---|---|---|---|---|---|---|
| Required | Required | *.portal.azure.com | Navigate to the Azure portal. | No | Only requires portal.azure.com | Yes: portal.azure.com only |
| Required | Not Required | *.windows.net | Used for access control and identity management by Microsoft Entra ID | Yes | | Yes: don't enable |
| Required | Not Required | *.msftauth.net | Used for access control and identity management by Microsoft Entra ID | No | Not seen | Yes: don't enable |
| Required | Required | *.msauth.net | Used for access control and identity management by Microsoft Entra ID | No | Used for UI elements when signing in | ? |
| Required | Partially Required | *.microsoft.com | Used for access control and identity management by Microsoft Entra ID | No | graph, developer, download | |
| Required | Probably Not Required | *.live.com | Used for access control and identity management by Microsoft Entra ID | Yes | Only used at login | No: login.live.com; possibly only required for validation |
| Required | Required for checks | *.office.com | Used for access control and identity management by Microsoft Entra ID | Yes | Only used at login | No: www.office.com; possibly only required for validation |
| Required | Required | *.microsoftonline.com | Used for access control and identity management by Microsoft Entra ID | No | Allows auth to a non-owned tenant unless the proxy adds the Restrict-Access-To-Tenants and Restrict-Access-Context HTTP headers | No: login.microsoftonline.com allows auth to non-owned tenants |
| Required | Not Required | *.microsoftonline-p.com | Used for access control and identity management by Microsoft Entra ID | No | Not observed; only used in certain flows | Yes: don't enable |
| Required | Not Required | *.microsoftazuread-sso.com | Used for access control and identity management by Microsoft Entra ID | No | Not observed; only used in certain flows | Yes: don't enable |
| Required | Not Required | *.cloud.microsoft | Used for access control and identity management by Microsoft Entra ID | Yes | Not observed | Yes: don't enable |
| Required | Required | management.azure.com | Used for resource deployments and management operations | Yes | | No: hard requirement |
| Optional | Not Required | *.services.visualstudio.com | Upload appliance logs used for internal monitoring. | Yes | Telemetry only | Yes: don't enable |
| Required | Required | *.vault.azure.net | Manage secrets in the Azure Key Vault. | No | May use a private endpoint | Yes: restrict to known Key Vault endpoints/private endpoint |
| Optional | Required for update | aka.ms/* | Allow access to these links; used to download and install the latest updates for appliance services. | No | Needed for updates | Somewhat: infiltration issue remains |
| Required | Required for update | download.microsoft.com/download | Allow downloads from the Microsoft Download Center. | No | Needed for updates | Somewhat: infiltration issue remains |
| Public Only | Required | *.servicebus.windows.net | Communication between the appliance and the Azure Migrate service. | Yes | | No: unclear if endpoints change |
| Private Endpoint | Required | *.discoverysrv.windowsazure.com | Connect to Azure Migrate service URLs. | No | | Yes: restrict to known endpoints/private endpoint |
| Private Endpoint | Required | *.migration.windowsazure.com | Connect to Azure Migrate service URLs. | No | | Yes: restrict to known endpoints/private endpoint |
| Private Endpoint | Required | *.hypervrecoverymanager.windowsazure.com | Used for VMware agentless migration. Connect to Azure Migrate service URLs. | No | | Yes: restrict to known endpoints/private endpoint |
| Optional/Private Endpoint | Not Required | *.blob.core.windows.net | Used for VMware agentless migration. Upload data to storage for migration. | Yes | Can be limited point to point | Yes: restrict to known storage endpoints/private endpoint |
Table of the URLs documented by Microsoft, with further annotations. Source: https://learn.microsoft.com/en-us/azure/migrate/migrate-appliance?view=migrate-classic#public-cloud-urls
- Finding: based on empirical observation of the appliance's traffic.
- Exfiltration Risk: whether the Microsoft-documented endpoint has a known or trivial way to exfiltrate data (for example via an attacker-owned resource under the same domain).
- Safe?: whether reasonable effort can turn this into a non-exfiltrating, point-to-point request.
Note that Microsoft typically uses www.microsoft.com:80 for CRL downloads; no CRL domain is known to cause a failure when it is unavailable.
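The *.microsoftonline.com row above notes that login.microsoftonline.com will happily authenticate a user to any tenant unless the egress proxy adds the Restrict-Access-To-Tenants and Restrict-Access-Context headers. The following is an added example, not code from the original page or from Microsoft, showing that proxy-side injection as a small mitmproxy addon around a pure function you can test offline. The tenant domain, the context tenant ID and the two extra login hosts (login.microsoft.com, login.windows.net, taken from Microsoft's tenant-restrictions documentation rather than from this page's observations) are assumptions.

```python
"""
Added example (not part of the original page): the proxy-side control that the
*.microsoftonline.com row refers to. Entra tenant restrictions (v1) rely on the
egress proxy adding two request headers to traffic for the Entra login endpoints;
without them, anyone on the appliance host can sign in to any tenant, including one
an attacker controls, and move data out through Microsoft's own services.
"""
from typing import Dict, Iterable, Optional

# Login hosts Microsoft documents for tenant restrictions v1. The tables on this page
# only observed login.microsoftonline.com; the other two come from Microsoft's docs.
LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}

# Placeholder values for illustration (assumptions, not from the page): tenants the
# appliance may sign in to, and the directory ID that Entra records in its sign-in
# logs as the tenant that applied the restriction.
ALLOWED_TENANTS = ["contoso.onmicrosoft.com"]
CONTEXT_TENANT_ID = "11111111-1111-1111-1111-111111111111"

RESTRICTION_HEADERS = ("Restrict-Access-To-Tenants", "Restrict-Access-Context")


def tenant_restriction_headers(host: str, allowed_tenants: Iterable[str],
                               context_tenant_id: str) -> Optional[Dict[str, str]]:
    """Headers the proxy must set on a request to `host`, or None for any other host."""
    if host.lower().rstrip(".") not in LOGIN_HOSTS:
        return None
    return {
        RESTRICTION_HEADERS[0]: ",".join(allowed_tenants),
        RESTRICTION_HEADERS[1]: context_tenant_id,
    }


def apply_tenant_restrictions(host: str, headers: Dict[str, str],
                              allowed_tenants: Iterable[str],
                              context_tenant_id: str) -> Dict[str, str]:
    """Return a copy of the request headers with the restriction enforced.
    Any client-supplied copies are dropped first: a process on the appliance must not
    be able to widen the tenant list by sending its own Restrict-Access-To-Tenants."""
    lowered = {h.lower() for h in RESTRICTION_HEADERS}
    out = {k: v for k, v in headers.items() if k.lower() not in lowered}
    inject = tenant_restriction_headers(host, allowed_tenants, context_tenant_id)
    if inject:
        out.update(inject)
    return out


# Optional mitmproxy addon hook (mitmdump -s this_file.py). The proxy has to terminate
# TLS for the login hosts, otherwise it cannot see or modify the request headers.
try:
    from mitmproxy import http

    def request(flow: "http.HTTPFlow") -> None:
        inject = tenant_restriction_headers(flow.request.pretty_host,
                                            ALLOWED_TENANTS, CONTEXT_TENANT_ID)
        for name, value in (inject or {}).items():
            flow.request.headers[name] = value  # replaces any client-supplied value
except ImportError:
    pass
```

These headers are only enforced by the Entra ID login endpoints, so they help with the *.microsoftonline.com row alone; the remaining rows still need the host-level restrictions listed in the table, and the proxy must perform TLS inspection on the login hosts for the injection to happen at all.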
Empirical Observations
Phase 1 - Download/Installation
| Protocol | Hostname | URL | HTTP Method |
|---|---|---|---|
| HTTPS | aka.ms | | GET |
| HTTPS | aka.ms | | GET |
| HTTPS | download.microsoft.com | | GET |
Phase 2 - Appliance Configuration - Set up Pre-Requisites
During this phase the telemetry services continue in the background; these can be blocked without any impact on your deployment.
| Protocol | Hostname | URL | HTTP Method |
|---|---|---|---|
| HTTPS | dc.services.visualstudio.com | /v2/track | POST |
| HTTPS | rt.services.visualstudio.com | /QuickPulseService.svc/ping | POST |
Subphase 2a - Check connectivity to Azure + Check time is in sync with Azure
The following endpoints must be reachable in order to proceed beyond the prerequisite checks.
| Protocol | Hostname | URL | HTTP Method |
|---|---|---|---|
| HTTPS | management.azure.com | / | GET |
| HTTPS | login.microsoftonline.com | / | GET |
| HTTPS | www.office.com | /login | GET |
| HTTPS | login.microsoftonline.com | /common/oauth2/v2.0/authorize | GET |
| HTTPS | graph.microsoft.com | / | GET |
| HTTPS | developer.microsoft.com | /graph | GET |
| HTTPS | developer.microsoft.com | /en-us/graph | GET |
| HTTPS | login.microsoftonline.com | /common/oauth2/deviceauth | GET |
| HTTPS | aka.ms | /latestapplianceservices | GET |
| HTTPS | aka.ms | /latestapplianceservices/fallback | GET |
| HTTPS | download.microsoft.com | /download/25c8f407-6a8d-4ceb-b7b8-f23f67d66269/LatestComponentsAgents.json | GET |
| HTTPS | portal.azure.com | / | GET |
| HTTPS | hypervehubns2018-11-22-14-28-46-222.servicebus.windows.net | / | GET |
Subphase 2b - Check latest updates and register appliance
Project keys are unique per appliance; if you attempt to reuse a project key, the appliance throws the following error:
“An error occurred as the Azure Migrate project key has already been used to register another appliance in the project-‘public-aztest’.”
| Protocol | Hostname | URL | HTTP Method | Description |
|---|---|---|---|---|
| HTTPS | discoverysrv.ae.prod.migration.windowsazure.com | //appliancerestapi/MasterSiteId/public-aztest/appliance/tomtestpubvm/getManifest?api-version=2020-11-11-preview | GET | |
| HTTPS | discoverysrv.ae.prod.migration.windowsazure.com | //appliancerestapi/MasterSiteId/121ba30d-b7e1-4b88-b1ab-6a0de196e91e/appliance/tomtestpubvm/getManifest?api-version=2020-12-12-preview | GET | |
| HTTPS | aka.ms | /latestapplianceservices | GET | URL to find the latest version |
| HTTPS | aka.ms | /latestapplianceservices/fallback | GET | URL to find the latest version |
| HTTPS | download.microsoft.com | /download/25c8f407-6a8d-4ceb-b7b8-f23f67d66269/LatestComponentsAgents.json | GET | URL to download the latest version |
| HTTPS | discoverysrv.ae.prod.migration.windowsazure.com | //appliancerestapi/MasterSiteId/121ba30d-b7e1-4b88-b1ab-6a0de196e91e/appliance/tomtestpubvm/getManifest?api-version=2020-12-12-preview | GET | |
| HTTPS | download.microsoft.com | /download/25c8f407-6a8d-4ceb-b7b8-f23f67d66269/LatestComponentsAgents.json | GET | URL to download the latest version |
Subphase 2c - Verification of Azure Migrate project Key + Appliance auto-update status + Azure user login and appliance registration status
| Protocol | Hostname | URL | HTTP Method | Description |
|---|---|---|---|---|
| HTTPS | login.microsoftonline.com | Various | GET, POST | Login starting point |
| HTTPS | login.live.com | /Me.htm?v=3 | GET | |
| HTTPS | aadcdn.msauth.net | | GET | UI elements: js, svg |
| HTTPS | management.azure.com | Various | GET, POST | Used to determine the endpoint for the Key Vault |
| HTTPS | (Key Vault endpoint) | /certificates | GET, POST | Sends a CSR to generate a certificate for the SPN |
| HTTPS | (Key Vault endpoint) | /secrets | GET | Used to get the key for the certificate |
| HTTPS | graph.microsoft.com | //v1.0/applications | GET | Used to check if the application (SPN) exists |
| HTTPS | graph.microsoft.com | //v1.0/applications | POST | Used to create the application (SPN) with certificate auth |
| HTTPS | graph.microsoft.com | //v1.0/servicePrincipals | GET | Check if the service principal exists |
| HTTPS | graph.microsoft.com | //v1.0/servicePrincipals | POST | Create the service principal |
| HTTPS | management.azure.com | /subscriptions/… | GET, PATCH | Check and apply access to the project object |
| HTTPS | management.azure.com | /subscriptions/… | GET, PATCH | Check and apply access to the project object |
| HTTPS | management.azure.com | /subscriptions/… | HEAD | Ensures the resource group exists |
| HTTPS | discoverysrv.ae.prod.migration.windowsazure.com | //vmwarerestapi/agents/bd52a594-86fc-42f1-aff6-a0cd78ece9ef-agent/heartbeat | POST | Determines whether the VMCollector is authorized |
| HTTPS | management.azure.com | /subscriptions/… | PUT, GET | Creates a Microsoft.Migrate/AssessmentProjects/VMwareCollectors object with the auth details |
| HTTPS | pod01-srs1.ae.hypervrecoverymanager.windowsazure.com | /srsrestapi/subscription/vmm/IsTaskAvailable | GET | Check for jobs |
| HTTPS | management.azure.com | /subscriptions/… | PUT, GET | Sets initial states for Azure Migrate appliances: Microsoft.RecoveryServices/vaults/replicationFabrics, Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders, Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers, Microsoft.OffAzure/VMwareSites/providers/links |
| HTTPS | management.azure.com | /subscriptions/… | PATCH | |
| HTTPS | management.azure.com | /subscriptions/… | PUT, GET | Microsoft.Migrate/AssessmentProjects/sqlcollectors |
| HTTPS | asmsrv.ae.prod.migration.windowsazure.com | /sqlrestapi/agents/65475489-f195-40d0-9599-b9e36759fafb/heartbeat | POST | |
| HTTPS | management.azure.com | /subscriptions/… | PATCH | |
| HTTPS | management.azure.com | /subscriptions/… | PUT, GET | Microsoft.Migrate/AssessmentProjects/webappcollectors |
| … | … | … | … | Many more calls of the same pattern |
Phase 3 - vCenter Settings
| Protocol | Hostname | URL | HTTP Method | Description |
|---|---|---|---|---|
| HTTPS | vCenter server | Various | | On-premises vCenter HTTPS endpoint |
Phase 4 - Ongoing
| Protocol | Hostname | URL | HTTP Method | Description |
|---|---|---|---|---|
| HTTPS | discoverysrv.ae.prod.migration.windowsazure.com | //vmwarerestapi/agents/bd52a594-86fc-42f1-aff6-a0cd78ece9ef-agent/agentjobs | GET | |
| HTTPS | discoverysrv.ae.prod.migration.windowsazure.com | //sqlrestapi/agents/ff66e21f-7e01-4341-b9cc-c1ee006c5322-agent/agentjobs | GET | |
| HTTPS | server.events.data.microsoft.com | /OneCollector/1.0/ | POST | Appliance/O365 performance data |
| HTTPS | pod01-srs1.ae.hypervrecoverymanager.windowsazure.com | /srsrestapi/subscription/vmm/IsTaskAvailable | GET | |
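The method behind both tables on this page is to hold Microsoft's wildcard list up against what the appliance actually talked to and keep only the concrete hosts. The following is an added example, not code from the original page or from Microsoft, that automates that comparison: it maps each observed host to the most specific documented entry, lists the wildcards that no traffic needed, flags hosts no entry covers, and emits a narrowed exact-host allowlist. The observed log lines are constructed from the hostnames in the empirical tables above (the "METHOD host path" line format is an assumption, not any real proxy's log format), and the Key Vault host is absent because its name is environment-specific and was not recorded above.

```python
"""
Added example (not part of the original page): audit Microsoft's documented
wildcard allowlist for the Azure Migrate appliance against hostnames actually
observed leaving the appliance, and derive the narrowest exact-host allowlist.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Entries as written in Microsoft's table: a wildcard host, or a host with a path prefix.
DOCUMENTED = [
    "*.portal.azure.com", "*.windows.net", "*.msftauth.net", "*.msauth.net",
    "*.microsoft.com", "*.live.com", "*.office.com", "*.microsoftonline.com",
    "*.microsoftonline-p.com", "*.microsoftazuread-sso.com", "*.cloud.microsoft",
    "management.azure.com", "*.services.visualstudio.com", "*.vault.azure.net",
    "aka.ms/*", "download.microsoft.com/download", "*.servicebus.windows.net",
    "*.discoverysrv.windowsazure.com", "*.migration.windowsazure.com",
    "*.hypervrecoverymanager.windowsazure.com", "*.blob.core.windows.net",
]

# Constructed sample: "METHOD host path" lines assembled from the hostnames in the
# empirical tables on this page. The line format is an assumption, not a real log.
OBSERVED_LOG = """\
GET aka.ms /latestapplianceservices
GET download.microsoft.com /download/25c8f407-6a8d-4ceb-b7b8-f23f67d66269/LatestComponentsAgents.json
POST dc.services.visualstudio.com /v2/track
GET management.azure.com /
GET login.microsoftonline.com /common/oauth2/v2.0/authorize
GET www.office.com /login
GET graph.microsoft.com /
GET portal.azure.com /
GET hypervehubns2018-11-22-14-28-46-222.servicebus.windows.net /
GET login.live.com /Me.htm?v=3
GET aadcdn.msauth.net /
POST discoverysrv.ae.prod.migration.windowsazure.com //vmwarerestapi/agents/bd52a594-86fc-42f1-aff6-a0cd78ece9ef-agent/heartbeat
GET pod01-srs1.ae.hypervrecoverymanager.windowsazure.com /srsrestapi/subscription/vmm/IsTaskAvailable
POST server.events.data.microsoft.com /OneCollector/1.0/
"""


def parse_entry(entry: str) -> Tuple[str, str]:
    """'aka.ms/*' -> ('aka.ms', '/'); 'download.microsoft.com/download' -> (host, '/download')."""
    host, _, path = entry.partition("/")
    return host.lower(), "/" if path in ("", "*") else "/" + path


def host_matches(pattern: str, host: str) -> bool:
    """Strict wildcard: '*.x' matches 'a.x' and 'a.b.x' but not the apex 'x' itself.
    Many firewalls also treat '*.x' as covering 'x'; the strict reading makes an
    apex-only host (portal.azure.com) show up as a gap you must allow explicitly."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def path_matches(prefix: str, path: str) -> bool:
    """Prefix match on whole path segments, so '/download' does not cover '/downloads'."""
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def audit(allowlist: List[str], log: str):
    """Return (coverage, unused, undocumented): the concrete hosts each documented
    entry actually covered, entries no traffic needed, and hosts no entry covers."""
    parsed = [(entry, *parse_entry(entry)) for entry in allowlist]
    coverage: Dict[str, Set[str]] = defaultdict(set)
    undocumented: List[Tuple[str, str]] = []
    for line in log.splitlines():
        _method, host, path = line.split(maxsplit=2)
        hits = [(entry, ph, pp) for entry, ph, pp in parsed
                if host_matches(ph, host) and path_matches(pp, path)]
        if not hits:
            undocumented.append((host, path))
            continue
        # Most specific entry wins: more labels in the host pattern, then longer path prefix.
        best = max(hits, key=lambda h: (h[1].count("."), len(h[2])))
        coverage[best[0]].add(host.lower())
    unused = [entry for entry in allowlist if entry not in coverage]
    return dict(coverage), unused, undocumented


def narrowed_allowlist(coverage: Dict[str, Set[str]]) -> List[str]:
    """Exact hosts (keeping any documented path prefix) that would replace each wildcard.
    Hosts such as the Service Bus namespace carry a per-deployment name, so re-run the
    audit after redeploying before trusting a narrowed list."""
    out = set()
    for entry, hosts in coverage.items():
        _, prefix = parse_entry(entry)
        out.update(h if prefix == "/" else h + prefix for h in hosts)
    return sorted(out)


if __name__ == "__main__":
    cov, unused, undoc = audit(DOCUMENTED, OBSERVED_LOG)
    for entry, hosts in sorted(cov.items()):
        print(f"{entry:45} -> {', '.join(sorted(hosts))}")
    print("unused wildcards  :", ", ".join(unused))
    print("undocumented hosts:", undoc)
    print("narrowed allowlist:", narrowed_allowlist(cov))
```

Two things the output makes visible that the tables only imply: the observed discoverysrv host (discoverysrv.ae.prod.migration.windowsazure.com) is covered by *.migration.windowsazure.com rather than *.discoverysrv.windowsazure.com, and under strict wildcard matching portal.azure.com is not covered by *.portal.azure.com at all, which is why the table says to allow portal.azure.com itself. Feed the audit a real proxy log (adjust the line parser) and a redeployed appliance before relying on the narrowed list, since the Service Bus namespace name is per deployment.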