Can I send MgGraph traffic over Service Endpoint from Azure VM?

curious7 276 Reputation points
2025-11-23T20:26:13.2733333+00:00

I have an Azure VM which resides on a subnet that has a UDR to send all traffic to 0.0.0.0/0 through our firewall, which in turn sends the http and https traffic to our proxy. I am having problems executing graph queries on this VM. "connect-mggraph" succeeds because the "Microsoft.AzureActiveDirectory" service endpoint is there on this subnet. But after that, a query to get a user or anything else throws an "an error occurred" message. My thinking is that the traffic is not being sent over https/http and thus not being forwarded to our proxy from the firewall. Thus, I want to see if it is possible to send this traffic through an Azure Service Endpoint instead?

Azure Private Link

2 answers

  1. Q&A Assist
    2025-11-23T20:26:21.7933333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To send Microsoft Graph (MgGraph) traffic over a Service Endpoint from an Azure VM, you need to ensure that the Service Endpoint for Microsoft Azure Active Directory is correctly configured on the subnet where your VM resides. Since you mentioned that the "connect-mggraph" command succeeds, it indicates that the Service Endpoint is functioning for that initial connection.

    However, if subsequent queries are failing with an error message, it may not be related to the Service Endpoint itself but rather how the traffic is being routed through your firewall and proxy. Service Endpoints primarily handle TCP traffic, and if your UDR (User Defined Route) is directing all traffic to 0.0.0.0/0 through your firewall, you need to ensure that your firewall and proxy settings allow the necessary HTTP/HTTPS traffic for Microsoft Graph API calls.

    In summary, while you can send MgGraph traffic over a Service Endpoint, you should verify that your firewall and proxy are correctly configured to handle the traffic after the initial connection is established. If the traffic is not being forwarded correctly, you may need to adjust your firewall rules or proxy settings accordingly.


  2. Adam Zachary 2,025 Reputation points
    2025-11-23T23:23:15.26+00:00

    I ran into this same situation before, and the root cause is exactly what you’re seeing.

    Service Endpoints for Microsoft.AzureActiveDirectory only cover the token request, not the actual Microsoft Graph traffic.

    Once you run connect-mggraph, every real query goes to https://graph.microsoft.com over normal HTTPS, and with your 0.0.0.0/0 UDR that traffic is being forced through your firewall/proxy. If the proxy doesn’t allow it or can’t inspect it, the calls fail with “an error occurred.”

    To clarify your question: No, Microsoft Graph cannot be sent through a Service Endpoint. They simply do not exist for Graph.

    So, your only working options are:

    1. Allow Graph endpoints on your firewall/proxy (allow https://graph.microsoft.com + the Microsoft login endpoints)

    2. Or add a UDR exception so Graph traffic bypasses the proxy. This is the usual fix in locked-down networks.

    That will restore your Graph queries.

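The following diagnostic script is an added example, not part of either answer above. It walks the path answer 2 describes: the token request to login.microsoftonline.com, then the real Graph calls to graph.microsoft.com over plain HTTPS, which the 0.0.0.0/0 UDR forces through the firewall and proxy. It checks DNS, direct TCP/443 (expected to fail behind the UDR), an unauthenticated HTTPS request to Graph via the proxy, and finally points the PowerShell session's proxy at the same address before retrying Connect-MgGraph and Get-MgUser. The proxy URL is a placeholder, and the assumption that the Graph SDK honours the .NET default proxy and HTTPS_PROXY should be verified in your environment.

```powershell
# Added diagnostic script (not from the original thread).
# Assumptions: $ProxyUri is a placeholder for your own proxy; the Graph SDK picks up
# the .NET default proxy / HTTPS_PROXY (verify in your environment).
# Requires Microsoft.Graph.Authentication and Microsoft.Graph.Users for step 4.

$ProxyUri  = 'http://proxy.example.internal:8080'   # placeholder, replace with your proxy
$GraphHost = 'graph.microsoft.com'
$LoginHost = 'login.microsoftonline.com'

# 1. Name resolution. A missing or filtered DNS answer also surfaces as "an error occurred".
foreach ($h in $GraphHost, $LoginHost) {
    $ips = (Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue).IPAddress
    Write-Host ("DNS  {0,-28} -> {1}" -f $h, ($ips -join ', '))
}

# 2. Direct TCP/443 from the VM. With the 0.0.0.0/0 UDR to the firewall this is expected to
#    fail unless the firewall allows it; a success here means the bypass route is in place.
foreach ($h in $GraphHost, $LoginHost) {
    $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    Write-Host ("TCP 443 direct to {0,-28}: {1}" -f $h, $r.TcpTestSucceeded)
}

# 3. HTTPS through the proxy. /v1.0/$metadata needs no token, so any HTTP status back
#    proves the proxy path to Graph works; an exception means the proxy or firewall is
#    blocking the host or breaking TLS to it.
try {
    $resp = Invoke-WebRequest -Uri "https://$GraphHost/v1.0/`$metadata" `
                              -Proxy $ProxyUri -UseBasicParsing -TimeoutSec 20
    Write-Host "Via proxy: HTTP $($resp.StatusCode) from $GraphHost"
} catch {
    Write-Host "Via proxy: FAILED - $($_.Exception.Message)"
}

# 4. Route the SDK's own HTTPS calls through the proxy for this session, then retry the
#    query that was failing. Set both the .NET default proxy and HTTPS_PROXY so that
#    Windows PowerShell and PowerShell 7 pick it up.
$proxy = New-Object System.Net.WebProxy($ProxyUri)
$proxy.UseDefaultCredentials = $true
[System.Net.WebRequest]::DefaultWebProxy = $proxy
$env:HTTPS_PROXY = $ProxyUri

Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
Get-MgUser -Top 1 -Property Id,UserPrincipalName | Select-Object Id, UserPrincipalName
```

If step 3 fails but step 2 succeeds, the firewall already lets Graph out directly and the proxy is the component to fix; if step 3 succeeds but step 4 still errors, the SDK is not using the proxy and the session-level proxy settings (or a firewall/UDR exception for graph.microsoft.com) are what remain to change.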
