Forum Discussion
Can I send MgGraph traffic over Service Endpoint from Azure VM?
I have an Azure VM which resides on a subnet that has a UDR to send all traffic to 0.0.0.0/0 through our firewall which in turn sends the http and https traffic to our proxy. I am having problems executing graph queries on this VM. "connect-mggraph" succeeds because the "Microsoft.AzureActiveDirectory" service endpoint is there on this subnet. But after that, a query to get a user or anything else throws "an error occurred" message. My thinking is that the traffic is not being sent over https/http and thus not being forwarded to our proxy from the firewall. Thus, I want to see if it is possible to send this traffic through an Azure Service Endpoint instead?
2 Replies
- rogerval, Copper Contributor
Hi,
Microsoft Graph endpoints are not exposed as Service Endpoints, so you can't redirect Graph API calls through a vNet service endpoint. Service Endpoints only exist for Azure services like Storage, SQL Database, Cosmos DB, Key Vault, etc. Graph API calls always go to `https://graph.microsoft.com` over the public internet.
To restrict or control egress you have a few options:
- Allow traffic to `graph.microsoft.com` on your firewall or proxy and continue using your existing UDR. This is usually the simplest way to ensure Graph connectivity.
- Use Azure Private Link/Private Endpoints for services that support them (e.g., specific Azure AD or Entra ID workloads). As of today there is no general Private Link for Microsoft Graph.
- Consider deploying an Azure Firewall or NAT Gateway as a centralized egress point. You can define FQDN tags or rules to allow Graph traffic while controlling other outbound traffic.
Hope this helps!
Thanks for raising the question—others may find it useful as well.
It is not possible to send Microsoft Graph traffic through an Azure Service Endpoint. Service Endpoints are limited to a predefined set of Azure services, such as Storage, SQL Database, and Key Vault. Microsoft Graph API requests are directed to https://graph.microsoft.com over the public internet, and therefore cannot be transmitted via a Service Endpoint.
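To narrow down where the Graph call is being dropped on a VM with this UDR/firewall/proxy setup, here is an added diagnostic script (example code, not from the thread, the Graph SDK or Microsoft). It assumes a Windows VM, the Microsoft.Graph PowerShell module for the last step, and a placeholder proxy URL in `$ProxyUrl`; the two URLs it probes are public, unauthenticated endpoints.

```powershell
# Added diagnostic script, not from the original thread. Assumes a Windows VM with
# Windows PowerShell 5.1 or PowerShell 7, and the Microsoft.Graph module for step 4.
$ProxyUrl = 'http://proxy.example.internal:8080'   # placeholder, replace with your proxy

# Both hosts must be reachable: token requests go to login.microsoftonline.com
# (covered by the Microsoft.AzureActiveDirectory service endpoint), API calls go to
# graph.microsoft.com (public internet only, so they must pass the firewall/proxy).
$Checks = @(
    @{ Host = 'login.microsoftonline.com'; Path = '/common/v2.0/.well-known/openid-configuration' },
    @{ Host = 'graph.microsoft.com';       Path = '/v1.0/$metadata' }   # unauthenticated, returns 200
)

function Test-HttpsPath {
    # Returns the HTTP status code, or the error text, for one URL via an optional proxy.
    param([string]$Uri, [string]$Proxy)
    try {
        $params = @{ Uri = $Uri; UseBasicParsing = $true; TimeoutSec = 15; ErrorAction = 'Stop' }
        if ($Proxy) { $params.Proxy = $Proxy }
        return (Invoke-WebRequest @params).StatusCode
    } catch {
        return "FAILED: $($_.Exception.Message)"
    }
}

foreach ($c in $Checks) {
    $Url = "https://$($c.Host)$($c.Path)"
    Write-Host "== $($c.Host) =="
    # 1. DNS: a filtered or private resolver shows up here first.
    try { Write-Host "DNS            : $((Resolve-DnsName $c.Host -Type A -ErrorAction Stop).IPAddress -join ', ')" }
    catch { Write-Host "DNS            : FAILED ($($_.Exception.Message))" }
    # 2. Raw TCP/443 along the UDR (no proxy): does the firewall pass it directly?
    $tcp = Test-NetConnection -ComputerName $c.Host -Port 443 -WarningAction SilentlyContinue
    Write-Host "TCP 443 direct : $($tcp.TcpTestSucceeded)"
    # 3. HTTPS with and without the explicit proxy: the pair shows which egress path works.
    Write-Host "HTTPS direct   : $(Test-HttpsPath -Uri $Url)"
    Write-Host "HTTPS via proxy: $(Test-HttpsPath -Uri $Url -Proxy $ProxyUrl)"
}

# 4. Reproduce the failing SDK call and surface the underlying exception instead of
#    the generic "an error occurred" message. Run this after Connect-MgGraph.
try {
    Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/users?$top=1' | Out-Null
    Write-Host 'Graph SDK call : OK'
} catch {
    Write-Host "Graph SDK call : FAILED ($($_.Exception.Message))"
    if ($_.Exception.InnerException) { Write-Host "  inner: $($_.Exception.InnerException.Message)" }
}
```

If login.microsoftonline.com succeeds on every check but graph.microsoft.com fails on "TCP 443 direct" and succeeds only via the proxy, the firewall rule (or the proxy allow-list) for graph.microsoft.com is what needs fixing, which matches the advice in both replies.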