Forum Discussion
Can I send MgGraph traffic over Service Endpoint from Azure VM?
Hi,
Microsoft Graph endpoints are not exposed as Service Endpoints, so you can't redirect Graph API calls through a vNet service endpoint. Service Endpoints only exist for Azure services like Storage, SQL Database, Cosmos DB, Key Vault, etc. Graph API calls always go to `https://graph.microsoft.com` over the public internet.
To restrict or control egress you have a few options:
- Allow traffic to `graph.microsoft.com` on your firewall or proxy and continue using your existing UDR. This is usually the simplest way to ensure Graph connectivity.
- Use Azure Private Link/Private Endpoints for services that support them (e.g., specific Azure AD or Entra ID workloads). As of today there is no general Private Link for Microsoft Graph.
- Consider deploying an Azure Firewall or NAT Gateway as a centralized egress point. You can define FQDN tags or rules to allow Graph traffic while controlling other outbound traffic.
Hope this helps!
Thanks for raising the question—others may find it useful as well.
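Since Graph has no service endpoint, the two pieces that actually matter are the egress rule and the route that forces the VM's outbound traffic through it. The Bicep below is an added illustration of the "Azure Firewall with FQDN rules plus UDR" option from the answer above; it is not code from the original post or from Microsoft. It assumes an existing Azure Firewall policy (`fwPolicyName`), a VM subnet range (`vmSubnetCidr`), the firewall's private IP (`firewallPrivateIp`), and that token acquisition for the Graph PowerShell SDK goes to `login.microsoftonline.com`, so that FQDN is allowed alongside `graph.microsoft.com`. Everything else on the public internet stays blocked by the firewall's default deny.

```bicep
// Added example: allow Microsoft Graph egress from a VM subnet through Azure Firewall
// and route the subnet's default route to the firewall. All names and values below
// are assumptions for illustration, not values from the original post.

param fwPolicyName string          // existing Azure Firewall policy (assumed)
param vmSubnetCidr string = '10.0.1.0/24'   // subnet hosting the VM (assumed)
param firewallPrivateIp string = '10.0.0.4' // private IP of the firewall (assumed)
param location string = resourceGroup().location

resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = {
  name: fwPolicyName
}

// Application rule: only the Graph API and the sign-in endpoint are reachable over 443.
// No wildcard FQDNs, so other public traffic from the subnet is still denied.
resource graphEgress 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: fwPolicy
  name: 'graph-egress'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-microsoft-graph'
        priority: 100
        action: {
          type: 'Allow'
        }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'graph-api-and-auth'
            protocols: [
              {
                protocolType: 'Https'
                port: 443
              }
            ]
            sourceAddresses: [
              vmSubnetCidr
            ]
            targetFqdns: [
              'graph.microsoft.com'          // Graph API (from the answer)
              'login.microsoftonline.com'    // token endpoint (assumption)
            ]
          }
        ]
      }
    ]
  }
}

// UDR: send the subnet's default route to the firewall so the rule above is enforced.
// Associate this table with the VM subnet after deployment.
resource vmRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-vm-to-firewall'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-to-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

output ruleCollectionGroupId string = graphEgress.id
output routeTableId string = vmRouteTable.id
```

After deploying, a quick check from the VM is `Test-NetConnection graph.microsoft.com -Port 443`; if that fails while the rule is in place, look at the firewall's application rule logs for the denied FQDN before widening the rule, since the usual cause is a missing auth endpoint rather than the Graph FQDN itself.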