AMS server

packages.lithnet.io

TCP 443

Allows the AMS server to check and notify when updates are available (optional)

AMS server

graph.microsoft.com

TCP 443

Used to access the graph API when authenticating Azure AD-joined and registered devices

AMS server

login.microsoftonline.com

TCP 443

Used to authenticate to the graph API when authenticating Azure AD-joined and registered devices

AMS server

The hostname specified in the issuer/authority field of the OIDC setup page

TCP 443

Required for claims validation when using OpenID Connect

AMS server

Active Directory Domain Controllers

LDAP TCP 389, CLDAP UDP 389

Directory lookups, site lookups, BitLocker Password lookups, LAPS password lookups, JIT group membership modifications

AMS server

Active Directory Domain Controller Global Catalog Servers

Global Catalog TCP 3268

Computer name lookups

AMS server

Active Directory Domain Controllers

RPC Endpoint Mapper TCP 135, RPC dynamic port range 49152-65535

Authorization queries and ACL evaluation

AMS server

Active Directory DNS servers

DNS UDP 53

DNS lookups

AMS server

SQL Database

TSQL TCP 1433

Connectivity to the AMS database (when not using SQL Express)

AMS server

JIT target computers

RPC over SMB 445

Used to query a computer when performing a JIT request to determine what DC and site it is in. This is optional, and AMS will fall back to using sites and services to try and find the closest DC to the target computer

Windows domain-joined agent

Active Directory Domain Controllers

LDAP TCP 389

LAPS password management

Non-domain-joined agent

AMS Server

HTTPS TCP 443

Agent registration, check in, and password management

Access Manager web-app users

AMS Server

HTTP TCP 80, HTTPS TCP 443

Access to the web app

Access Manager web-app users

OpenID Connect Identity Provider

HTTPS TCP 443

OpenID Connect authentication