diff --git a/utils/helm/speckle-server/templates/server/networkpolicy.cilium.yml b/utils/helm/speckle-server/templates/server/networkpolicy.cilium.yml
index c004613d0..5e1dea390 100644
--- a/utils/helm/speckle-server/templates/server/networkpolicy.cilium.yml
+++ b/utils/helm/speckle-server/templates/server/networkpolicy.cilium.yml
@@ -60,6 +60,33 @@ spec:
 # email server
 {{ include "speckle.networkpolicy.dns.email.cilium" $ | indent 14 }}
 {{- end }}
+{{- if .Values.server.auth.google.enabled }}
+ # google auth
+ - matchName: 'accounts.google.com'
+ - matchName: 'www.googleapis.com'
+{{- end }}
+{{- if .Values.server.auth.github.enabled }}
+ # github auth
+ - matchName: 'github.com'
+ - matchName: 'api.github.com'
+{{- end }}
+{{- if .Values.server.auth.azure_ad.enabled }}
+ # azure ad auth
+ - matchPattern: '*.login.microsoftonline.com'
+ - matchPattern: '*.aadcdn.msftauth.net'
+ - matchPattern: '*.logincdn.msftauth.net'
+ - matchPattern: '*.login.live.com'
+ - matchPattern: '*.msauth.net'
+ - matchPattern: '*.aadcdn.microsoftonline-p.com'
+ - matchPattern: '*.microsoftonline-p.com'
+ - matchPattern: '*.account.microsoft.com'
+ - matchPattern: '*.bmx.azure.com'
+ - matchPattern: '*.subscriptionrp.trafficmanager.net'
+ - matchPattern: '*.signup.azure.com'
+ - matchName: 'login.microsoftonline.com'
+ - matchName: 'login.windows.net'
+{{ include "speckle.renderTpl" (dict "value" .Values.server.auth.azure_ad.networkPolicy.domains "context" $ ) | indent 14 }}
+{{- end }}
 {{ include "speckle.networkpolicy.dns.postgres.cilium" $ | indent 14 }}
 {{ include "speckle.networkpolicy.dns.redis.cilium" $ | indent 14 }}
 {{ include "speckle.networkpolicy.dns.blob_storage.cilium" $ | indent 14 }}
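Review bot: The azure_ad include at the end of this hunk reads `.Values.server.auth.azure_ad.networkPolicy.domains`, while the egress hunk later in the same file reads `.Values.server.auth.azure_ad.additional_domains`, which is the key values.yaml actually declares in this commit; user-supplied extra domains therefore never reach the DNS allow-list. With Cilium a toFQDNs egress rule only matches names the DNS proxy has been allowed to resolve, so those extra domains presumably stay blocked even though they appear in the egress rule. The line should read `{{ include "speckle.renderTpl" (dict "value" .Values.server.auth.azure_ad.additional_domains "context" $ ) | indent 14 }}`. Depending on how renderTpl treats a nil value, the undefined key may also render an empty line or fail templating, which a `helm template` run with azure_ad enabled would show.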
@@ -83,6 +110,47 @@ spec:
 {{- if .Values.server.email.enabled }}
 # email server
 {{ include "speckle.networkpolicy.egress.email.cilium" $ | indent 4 }}
+{{- end }}
+{{- if .Values.server.auth.google.enabled }}
+ # google auth
+ - toFQDNs:
+ - matchName: 'accounts.google.com'
+ - matchName: 'www.googleapis.com'
+ toPorts:
+ - ports:
+ - port: '443'
+ protocol: TCP
+{{- end }}
+{{- if .Values.server.auth.github.enabled }}
+ # github auth
+ - toFQDNs:
+ - matchName: 'github.com'
+ - matchName: 'api.github.com'
+ toPorts:
+ - ports:
+ - port: '443'
+ protocol: TCP
+{{- end }}
+{{- if .Values.server.auth.azure_ad.enabled }}
+ # azure ad auth
+ - toFQDNs:
+ - matchPattern: '*.login.microsoftonline.com'
+ - matchPattern: '*.aadcdn.msftauth.net'
+ - matchPattern: '*.logincdn.msftauth.net'
+ - matchPattern: '*.login.live.com'
+ - matchPattern: '*.msauth.net'
+ - matchPattern: '*.aadcdn.microsoftonline-p.com'
+ - matchPattern: '*.microsoftonline-p.com'
+ - matchPattern: '*.account.microsoft.com'
+ - matchPattern: '*.bmx.azure.com'
+ - matchPattern: '*.subscriptionrp.trafficmanager.net'
+ - matchPattern: '*.signup.azure.com'
+ - matchName: 'login.microsoftonline.com'
+ - matchName: 'login.windows.net'
+{{ include "speckle.renderTpl" (dict "value" .Values.server.auth.azure_ad.additional_domains "context" $ ) | indent 8 }}
+ toPorts:
+ - port: {{ default 443 .Values.server.auth.azure_ad.port | quote }}
+ protocol: TCP
 {{- end }}
 # postgres
 {{ include "speckle.networkpolicy.egress.postgres.cilium" $ | indent 4 }}
diff --git a/utils/helm/speckle-server/templates/server/networkpolicy.kubernetes.yml b/utils/helm/speckle-server/templates/server/networkpolicy.kubernetes.yml
index 3b539b098..6a7782b61 100644
--- a/utils/helm/speckle-server/templates/server/networkpolicy.kubernetes.yml
+++ b/utils/helm/speckle-server/templates/server/networkpolicy.kubernetes.yml
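Review bot: The azure_ad `toPorts` block at the end of this hunk places `port` and `protocol` directly under `toPorts:`, whereas the google and github blocks above nest them under a `ports:` list as the Cilium PortRule schema expects; as written the azure rule is likely rejected by the API server or its port restriction silently dropped. The three lines should read `- ports:` / `- port: {{ default 443 .Values.server.auth.azure_ad.port | quote }}` / `protocol: TCP`, indented like the google block. Separately, the pattern list appears to be copied from the Azure portal browser safelist (`*.bmx.azure.com`, `*.signup.azure.com`, `*.subscriptionrp.trafficmanager.net`); presumably the server-side token exchange only contacts `login.microsoftonline.com` and `login.windows.net`, so consider trimming the list to what the server actually reaches, since every `matchPattern` widens egress.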
@@ -30,6 +30,16 @@ spec:
 ports:
 - port: 443
 {{- end }}
+{{- if ( or .Values.server.auth.google.enabled .Values.server.auth.github.enabled .Values.server.auth.azure_ad.enabled ) }}
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ # except to kubernetes pods or services
+ except:
+ - 10.0.0.0/8
+ ports:
+ - port: 443
+{{- end }}
 {{- if .Values.server.sentry_dns }}
 # sentry.io https://docs.sentry.io/product/security/ip-ranges/#event-ingestion
 - to:
diff --git a/utils/helm/speckle-server/values.yaml b/utils/helm/speckle-server/values.yaml
index 1a2c99002..14ca85382 100644
--- a/utils/helm/speckle-server/values.yaml
+++ b/utils/helm/speckle-server/values.yaml
@@ -369,6 +369,12 @@ server:
 ## @param server.auth.azure_ad.client_id This is the ID for Speckle that you have registered with Azure
 ##
 client_id: ''
+ ## @param server.auth.azure_ad.additional_domains List of `matchName` or `matchPattern` maps for domains that should be allow-listed for egress in Network Policy. https://docs.microsoft.com/en-us/azure/azure-portal/azure-portal-safelist-urls?tabs=public-cloud are enabled by default.
+ ##
+ additional_domains: []
+ ## @param server.auth.azure_ad.port Port on server to connect to. Used to allow egress in Network Policy. Defaults to 443
+ ##
+ port: 443
 ## @extra server.email Speckle can communicate with users via email, providing account verification and notification.
 ##
 email:
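Review bot: The rule added here allows egress on port 443 to `0.0.0.0/0` except `10.0.0.0/8` whenever any of the three providers is enabled, which still permits 172.16.0.0/12, 192.168.0.0/16 and the link-local range 169.254.0.0/16 commonly used by cloud metadata services; the comment "except to kubernetes pods or services" only holds if the cluster's pod and service CIDRs sit inside 10.0.0.0/8, which nothing in this commit establishes. Consider excluding all private and link-local ranges (or making the excluded CIDRs a chart value) and stating in the comment that the broad allow exists because the native NetworkPolicy API has no FQDN selector. The port is also hard-coded to 443 while values.yaml introduces `server.auth.azure_ad.port` for the Cilium variant, so either this rule should use `- port: {{ default 443 .Values.server.auth.azure_ad.port }}` or the parameter description should say it applies to Cilium only.
```yaml
      - ipBlock:
          cidr: 0.0.0.0/0
          # except private and link-local ranges; adjust to the cluster's pod/service CIDRs
          except:
            - 10.0.0.0/8
            - 172.16.0.0/12
            - 192.168.0.0/16
            - 169.254.0.0/16
```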
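Review bot: The description of `server.auth.azure_ad.port` says "Port on server to connect to", which reads as a port on the Speckle server; it is the TCP port on the Azure AD endpoints that the server connects to, and in this commit only the Cilium template reads it. Suggest `## @param server.auth.azure_ad.port TCP port on the Azure AD endpoints the server connects to. Used to allow egress in the Cilium Network Policy. Defaults to 443`. The `additional_domains` description would also benefit from one example entry, e.g. `- matchName: 'sso.example.internal'` (constructed), since the expected shape of each list item is not obvious from the `[]` default.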