
Intune Network Changes 2026: What Admins Must Do Now

What's Changing

As of the March 18, 2026 update from Microsoft's Intune Customer Success team, the rollout of significant Intune network infrastructure changes is actively in progress across each workload. Microsoft has confirmed they are beginning a phased rollout to each scale unit, meaning this is no longer a future concern — it is happening right now.

The core change involves Microsoft migrating Intune service endpoints to new IP address ranges and updated FQDNs. This affects how managed devices, on-premises infrastructure (including the Intune Certificate Connector, Policy Platform connector, and NDES/SCEP configurations), and any network proxy or firewall rules you have in place communicate with Microsoft's backend services. Environments that rely on strict outbound allow-lists — which is most enterprise environments — are directly in the blast radius if those lists aren't updated before the change hits their scale unit.

The official framing from Microsoft: "The rollout of the Intune network changes described in this blog are in progress across each workload... we are beginning to slowly rollout to each scale unit." That language — 'slowly rollout' — is meaningful. You may have weeks, or you may have days depending on which scale unit your tenant sits in.

Who's Affected & When

Every Intune tenant is affected regardless of license tier — this applies to Intune Plan 1, Plan 2, Intune Suite, and any Microsoft 365 or EMS bundle that includes Intune. There is no opt-out. The change is infrastructure-level, not a feature toggle.

Rollout is being staged by scale unit. Microsoft has not published a public mapping of tenant-to-scale-unit, which means you cannot predict exactly when your tenant will be migrated. The safest assumption is: treat this as imminent. If you haven't audited your network allow-lists, start today.

  • Rollout start: Active as of March 18, 2026 — already in flight
  • Completion timeline: Rolling across scale units progressively; no hard end date published at time of writing
  • Auto-enabled: Yes — no admin action required to trigger it, but admin action IS required to avoid breakage
  • Regions: Global — all Intune-supported regions are included

What This Means for Your Environment

The practical risk is straightforward: if your perimeter firewall, proxy, or network security appliance has outbound rules locked to specific IP ranges or FQDNs for Intune traffic, those rules will stop working when your scale unit migrates to the new endpoints. The failure modes include:

  • Devices failing to check in with Intune (policy, app, and compliance gaps)
  • Certificate issuance failures if you run SCEP via NDES or the Intune Certificate Connector
  • Conditional Access failures for devices that can't report compliance status
  • Windows Autopilot enrollment failures at the network-dependent stages
  • Co-management workloads silently shifting behavior due to missed policy delivery

Environments using Microsoft Tunnel or Intune's Certificate Connector on-premises are at elevated risk because those connectors maintain persistent outbound connections to Intune service endpoints — connections that will break hard if the destination changes and your firewall hasn't been updated.

If you're running a proxy with SSL inspection, you also need to verify that any certificate pinning or endpoint validation rules are updated, not just IP allow-lists.

Use the Graph API to pull a snapshot of your connector health status now, so you have a baseline before your scale unit migrates:

GET https://graph.microsoft.com/beta/deviceManagement/ndesConnectors
Authorization: Bearer {token}
Content-Type: application/json

Check the state property for each connector. If it goes from active to inactive after your tenant migrates, your network rules are the first place to look.

Also verify which endpoints your environment currently uses against the updated required endpoints list on Microsoft Learn (Intune network endpoints). Cross-reference every FQDN and IP range against your firewall allow-list.
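The cross-reference described above can be scripted. This is an added example, not Microsoft's tooling or code from the original article: every FQDN and range in it is a constructed documentation placeholder, so substitute the published endpoint list and your own firewall export. It assumes a wildcard rule covers any host below its suffix, which you should confirm for your firewall or proxy.

```python
import ipaddress

# Constructed sample data: documentation-only names and ranges, not Intune's real endpoints.
REQUIRED_FQDNS = ["*.mdm.example.com", "enroll.svc.example.net", "cdn.example.org"]
REQUIRED_CIDRS = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/25", "2001:db8:10::/48"]
ALLOWED_FQDNS = ["portal.mdm.example.com", "*.svc.example.net"]
ALLOWED_CIDRS = ["192.0.2.0/25", "198.51.100.0/25", "198.51.100.128/25",
                 "203.0.113.0/24", "2001:db8::/32"]


def fqdn_covered(required, allowed):
    """True if a required FQDN (exact or '*.suffix') is permitted by the allow-list."""
    required = required.lower().rstrip(".")
    for entry in (a.lower().rstrip(".") for a in allowed):
        if entry == required:
            return True
        # '*.example.net' covers any host or narrower wildcard below example.net,
        # but a single allowed host never satisfies a required wildcard.
        if entry.startswith("*.") and required.endswith(entry[1:]):
            return True
    return False


def merge_allowed(cidrs):
    """Collapse adjacent/overlapping allow-list ranges, per IP version."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    merged = []
    for version in (4, 6):
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return merged


def cidr_covered(required, merged):
    """True if the whole required range sits inside one merged allow-list range."""
    req = ipaddress.ip_network(required, strict=False)
    return any(req.version == n.version and req.subnet_of(n) for n in merged)


def audit(required_fqdns, required_cidrs, allowed_fqdns, allowed_cidrs):
    """Return the required endpoints that the current allow-list would block."""
    merged = merge_allowed(allowed_cidrs)
    return {
        "fqdns": [f for f in required_fqdns if not fqdn_covered(f, allowed_fqdns)],
        "cidrs": [c for c in required_cidrs if not cidr_covered(c, merged)],
    }


if __name__ == "__main__":
    print(audit(REQUIRED_FQDNS, REQUIRED_CIDRS, ALLOWED_FQDNS, ALLOWED_CIDRS))
```

The two cases that manual comparison tends to miss are a required wildcard that is only partly allowed through individual host rules, and a required range that is only half covered by a narrower allow-list entry.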

Action Items

  • Immediately: Pull the current Microsoft Intune required endpoints list from Microsoft Learn — Intune Endpoints and compare against your firewall/proxy allow-list. Gaps need to be remediated before your scale unit rolls.
  • Immediately: Review any on-premises connector configs — Intune Certificate Connector, Microsoft Tunnel Gateway, NDES — and confirm outbound connectivity to the new endpoint ranges will be permitted.
  • This week: If you use a proxy with SSL inspection, add the new Intune FQDNs to your SSL bypass list. Intune traffic should not be inspected — see Microsoft's guidance on network bandwidth and proxy considerations.
  • This week: Check your Conditional Access policies for any device compliance dependencies. If devices miss check-ins during the transition window, you may see compliant devices temporarily flagged non-compliant.
  • Ongoing: Monitor the Intune What's New page and the original TechCommunity post for scale unit rollout updates.
  • Ongoing: Set up an alert in your SIEM or monitoring tool for Intune connector state changes using the Graph API endpoint noted above — this gives you early warning if a connector drops post-migration.
  • Communicate: Brief your network/firewall team now. These changes require their involvement, and last-minute firewall change requests in enterprise environments have long lead times.
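The connector baseline and the SIEM alert item above come down to comparing two snapshots of the ndesConnectors response. This is an added example, not code from the original article or from Microsoft: the snapshots are constructed sample data, and the six-hour silence threshold is an assumption to tune for your environment.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed snapshots in the shape of the ndesConnectors list response.
BASELINE = json.loads("""{"value": [
 {"id": "c1", "displayName": "ndes-01", "state": "active", "lastConnectionDateTime": "2026-03-18T09:00:00Z"},
 {"id": "c2", "displayName": "ndes-02", "state": "active", "lastConnectionDateTime": "2026-03-18T09:01:00Z"},
 {"id": "c3", "displayName": "ndes-03", "state": "active", "lastConnectionDateTime": "2026-03-18T09:02:00Z"},
 {"id": "c4", "displayName": "ndes-04", "state": "active", "lastConnectionDateTime": "2026-03-18T09:03:00Z"}
]}""")
CURRENT = json.loads("""{"value": [
 {"id": "c1", "displayName": "ndes-01", "state": "inactive", "lastConnectionDateTime": "2026-03-19T02:10:00Z"},
 {"id": "c2", "displayName": "ndes-02", "state": "active", "lastConnectionDateTime": "2026-03-20T11:55:00Z"},
 {"id": "c3", "displayName": "ndes-03", "state": "active", "lastConnectionDateTime": "2026-03-18T23:40:00Z"}
]}""")
NOW = datetime(2026, 3, 20, 12, 0, tzinfo=timezone.utc)  # constructed "time of check"


def parse_ts(ts):
    """Parse an ISO 8601 timestamp with a trailing 'Z' as timezone-aware UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def connector_alerts(baseline, current, now, max_silence=timedelta(hours=6)):
    """Compare two snapshots and return (connector, event, detail) tuples to alert on."""
    after = {c["id"]: c for c in current["value"]}
    alerts = []
    for old in baseline["value"]:
        name = old.get("displayName") or old["id"]
        new = after.get(old["id"])
        if new is None:
            # Connector was in the baseline but is no longer returned.
            alerts.append((name, "missing", "not returned by Graph"))
        elif old["state"] == "active" and new["state"] != "active":
            alerts.append((name, "state_change", f"active -> {new['state']}"))
        elif new["state"] == "active":
            # State can lag behind reality, so also check the last contact time.
            last = new.get("lastConnectionDateTime")
            if last and now - parse_ts(last) > max_silence:
                alerts.append((name, "stale", f"last connection {last}"))
    return alerts


if __name__ == "__main__":
    for alert in connector_alerts(BASELINE, CURRENT, NOW):
        print(json.dumps(dict(zip(("connector", "event", "detail"), alert))))
```

Each tuple maps to one event you can forward to your SIEM; the stale check catches a connector that still reports active but has stopped reaching the service.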

Souhaiel Morhag
Microsoft Endpoint & Modern Workplace Engineer

Souhaiel is a Microsoft Intune and endpoint management specialist with hands-on experience deploying and securing enterprise environments across Microsoft 365. He founded MSEndpoint.com to share practical, real-world guides for IT admins navigating Microsoft technologies — and built the MSEndpoint Academy at app.msendpoint.com/academy, a dedicated learning platform for professionals preparing for the MD-102 (Microsoft 365 Endpoint Administrator) certification. Through in-depth articles and AI-powered practice exams, Souhaiel helps IT teams move faster and certify with confidence.
