Cowork network endpoints (Frontier)
Last updated: May 2026
This article lists the network endpoints, application identities, and proxy configuration requirements that your organization needs to allow for Copilot Cowork Frontier to function correctly. Use this information when preparing firewall allowlists, proxy exemptions, or Conditional Access policy reviews.
Note: You need to be part of the Frontier program to use Cowork. Frontier lets you try the latest model innovation and give feedback before these experiences are generally available. Frontier includes early access to experimental features, which means features may change as Microsoft improves them.
UX entry points
Users access Cowork through Microsoft 365 Copilot Chat. The following URLs must be reachable from user devices:
| Component | URL |
|---|---|
| Microsoft 365 Copilot Chat | https://m365.cloud.microsoft.com/chat |
| Cowork agent | https://m365.cloud.microsoft/chat/agent/<agent-id>.weave |
Cowork service endpoints
All Cowork service traffic flows through a single host pattern. A routing service returns the regional runtime URL for the authenticated user, and subsequent traffic flows directly to that runtime endpoint.
| Purpose | Host pattern | Port |
|---|---|---|
| Routing service (first hop) | *.gateway.prod.island.powerapps.com | 443 |
| Regional runtime (returned by routing service) | *.gateway.prod.island.powerapps.com | 443 |
Recommended allowlist entry: *.gateway.prod.island.powerapps.com:443
A single wildcard covers both routing and runtime in all regions. Do not pin to specific regional subdomains, because routing decisions are made dynamically per user and may change over time.
The cluster identifier assigned to each tenant may also change, so use the wildcard pattern rather than hard-coding a specific cluster.
Note: These endpoints are part of the Power Apps infrastructure. If your organization does not already use Power Apps, these endpoints may not be on your existing allowlist. For the full Power Apps endpoint list, see Power Apps required endpoints (public cloud).
Standard Microsoft 365 dependencies
Cowork relies on standard Microsoft 365 services that are typically already permitted for any tenant using Microsoft 365. Confirm that the following destinations are allowed:
| Destination | Port | Purpose |
|---|---|---|
| m365.cloud.microsoft.com | 443 | UX entry point (Copilot Chat host) |
| login.microsoftonline.com | 443 | Microsoft Entra ID authentication and key validation |
| graph.microsoft.com | 443 | Microsoft 365 services (mail, files, calendar, people) |
Microsoft Entra ID application for Conditional Access
Cowork uses a single first-party Microsoft application as the token audience for all service requests. This application ID must be permitted by your Conditional Access policies:
| Application | Client ID | Purpose |
|---|---|---|
| Weave / M365 Host App | 6ab48b67-cd74-4ad4-81af-5932984589be | Token audience for all Cowork service requests |
Microsoft Entra ID administrators should confirm:
- The application listed above is not blocked by Conditional Access policies.
- Workload identity credentials (service principals) can acquire tokens in the tenant for this application.
- On-Behalf-Of consent is granted for the required Microsoft 365 service scopes.
Long-lived connection requirements
Cowork uses persistent streaming connections for real-time updates. Corporate proxies and gateways must not terminate these connections prematurely.
| Endpoint path | Required proxy timeout |
|---|---|
| /v1/subscribe | No timeout, or 30 minutes minimum |
| /v1/mru/subscribe | No timeout, or 30 minutes minimum |
Important: Proxies that enforce an absolute-lifetime timeout (rather than an idle timeout) will terminate these streams even when traffic is flowing. The server sends periodic keep-alive signals, but absolute-lifetime limits will still cause disconnects. Exempt *.gateway.prod.island.powerapps.com from absolute-lifetime timeout rules, or set the limit to 30 minutes minimum.
Full endpoint allowlist
The following table summarizes all destinations that must be reachable for Cowork to function:
| Destination | Port | Purpose |
|---|---|---|
| *.gateway.prod.island.powerapps.com | 443 | Routing and runtime service endpoints |
| m365.cloud.microsoft.com | 443 | UX entry point (Copilot Chat) |
| login.microsoftonline.com | 443 | Microsoft Entra ID authentication and key validation |
| graph.microsoft.com | 443 | Microsoft 365 services (mail, files, calendar, people) |
Minimum requirements checklist
Use the following checklist to verify your environment is ready for Cowork:
- Microsoft 365 Copilot license: Assign this license to each user.
- Conditional Access: Allow application ID 6ab48b67-cd74-4ad4-81af-5932984589be (Weave / M365 Host App).
- Proxy and firewall allowlist: Add *.gateway.prod.island.powerapps.com:443 with no absolute-lifetime timeout on streaming connections (or set the limit to 30 minutes minimum).
- Standard Microsoft 365 URLs: Confirm that m365.cloud.microsoft.com, login.microsoftonline.com, and graph.microsoft.com are allowed. These are typically already permitted for general Microsoft 365 usage.
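The proxy and firewall items of this checklist can be audited offline against an exported rule list. The following is an added example, not Microsoft tooling: the rule format of (host pattern, port) pairs, the function names, and the sample configuration, including the pinned host name, are assumptions made for illustration.

```python
# Destinations from the article's "Full endpoint allowlist" table (all port 443).
REQUIRED = [
    "*.gateway.prod.island.powerapps.com",
    "m365.cloud.microsoft.com",
    "login.microsoftonline.com",
    "graph.microsoft.com",
]
STREAM_HOSTS = "*.gateway.prod.island.powerapps.com"
MIN_LIFETIME_S = 30 * 60  # "30 minutes minimum" for the streaming paths


def covers(rule_host, required):
    """True if one allowlist rule permits every host the requirement names."""
    rule_host, required = rule_host.lower(), required.lower()
    if required.startswith("*."):
        # A wildcard requirement is met only by the same or a broader wildcard.
        return rule_host.startswith("*.") and required[1:].endswith(rule_host[1:])
    return rule_host == required or (
        rule_host.startswith("*.") and required.endswith(rule_host[1:]))


def audit(rules, absolute_lifetime_s):
    """rules: (host_pattern, port) pairs from the proxy or firewall allowlist.
    absolute_lifetime_s: absolute connection-lifetime cap applied to the
    streaming hosts, or None if they are exempt. Returns finding strings."""
    findings = []
    for req in REQUIRED:
        if any(port == 443 and covers(host, req) for host, port in rules):
            continue
        # Rules that name one subdomain of a required wildcard pattern.
        pinned = [h for h, _ in rules if req.startswith("*.")
                  and not h.startswith("*.") and h.lower().endswith(req[1:])]
        if pinned:
            findings.append(f"PINNED {req}: only {pinned} allowed, use the wildcard")
        else:
            findings.append(f"MISSING {req}:443")
    if absolute_lifetime_s is not None and absolute_lifetime_s < MIN_LIFETIME_S:
        findings.append(f"TIMEOUT {STREAM_HOSTS}: absolute lifetime "
                        f"{absolute_lifetime_s}s is under {MIN_LIFETIME_S}s")
    return findings


# Constructed sample configuration; the pinned host name is hypothetical.
SAMPLE_RULES = [
    ("login.microsoftonline.com", 443),
    ("*.microsoft.com", 443),  # broader wildcard: covers graph and m365 hosts
    ("cluster-example.gateway.prod.island.powerapps.com", 443),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, absolute_lifetime_s=600):
        print(finding)
```

The audit checks only the absolute-lifetime cap, because the article states that the server's keep-alive signals do not prevent absolute-lifetime disconnects; idle timeouts are not modeled.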
Related content
Power Apps required endpoints (public cloud)
Power Apps required endpoints (government cloud)
Microsoft 365 URLs and IP address ranges
Manage agents for Microsoft 365 Copilot
Note: The author created this article with assistance from AI.