Azure Managed Grafana + private endpoint failing behind app gateway

Hello Ashish K Padhy

Kindly let us know if the solution provided worked for you.

If you need any further assistance, please feel free to reach out.

If you found the comment helpful, please consider clicking "Upvote it".

Thanks,

Suchitra.

Hello @Suchitra Suregaunkar , Thank you for impressive support.

After reading your reply, I feel we are almost there with solution but here I need more detailed solution

Issue details

Region: East US

Managed Grafana resource name: amg-ap-eus-eph

Managed Grafana endpoint(by Microsoft) : https://amg-ap-eus-eph-dmang7hpexe9.eus.grafana.azure.com

Vanity URL via Application Gateway: https://grafana.eph-uais.opum.com

Public network access on Managed Grafana: Disabled

Private endpoint configured: Yes (approved state)

Private endpoint resolved IP: 10.71.152.180

Application gateway frontend url is https://grafana.eph-xyz.opum.com

As, amg hardcode the url, in vnet level this url FQDN amg-ap-eus-eph-dmang7hpexe9.eus.grafana.azure.com resolved to private ip i.e 10.71.152.180

Application Gateway configuration

Listener : grafana.eph-xyz.opum.com

backend bool host : amg-ap-eus-eph-dmang7hpexe9.eus.grafana.azure.com

Queries :

1. What Microsoft Entra ID endpoints need to allow? Please share list of endpoints
2. How to define AzureActiveDirectory service tag in NSG or Firewall?
3. What rewrites need to define in Application gateway ? As I have shared all details, can you please draft syntax

Please help me to get above details, it will appreciated .

I want to thank you great support. Its appreciated

Thank you

Ashish

Hello Ashish K Padhy

Thanks for responding back. Please allow me sometime and I will update you regarding your query.

Hello Ashish K Padhy

Please have a look into below resolutions for your queries:

1. What Microsoft Entra ID endpoints need to allow?

When AMG is deployed in Private Endpoint mode, OAuth authentication still happens against public Microsoft Entra ID endpoints.

Authentication flow:

Browser → Entra ID → Token issuance → Redirect back to AMG

Applications request token from Microsoft Entra ID using browser connection to Entra authentication endpoints

Reference: https://docs.azure.cn/en-us/entra/architecture/authenticate-applications-and-users#request-tokens

And when service is deployed in private subnet, authentication traffic must reach:

login.microsoftonline.com

to obtain tokens.

Reference: https://docs.nginx.com/nginxaas/azure/quickstart/security-controls/private-subnet-oidc-entra/

Please have a look into below required outbound endpoints (Allow over 443).

Allow following:

login.microsoftonline.com
login.microsoft.com
sts.windows.net
graph.microsoft.com
account.activedirectory.windowsazure.com
aadcdn.msftauth.net
*.microsoftonline.com
*.msauth.net
*.msftauth.net

Blocking these breaks OAuth SSO handshake.

Reference: https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/Servers/MicrosoftEntraID/AuthenticationMicrosoftEntraIDAllowURL/index.html

2. How to define AzureActiveDirectory Service Tag in NSG / Firewall?

Microsoft recommends Service Tags instead of hardcoding IPs because Service tag represents group of IP prefixes of Azure service and Microsoft automatically updates them as address ranges change

You can Use Service Tag in NSG, Azure Firewall, UDR. Instead of maintaining Entra ID IP ranges manually.

There is a specific tag which represents Microsoft Entra ID authentication endpoints

AzureActiveDirectory

https://dori-uw-1.kuma-moon.com/en-us/azure/virtual-network/service-tags-overview

3. NSG RULE (Outbound):

Create this rule on App Gateway Subnet and Private Endpoint Subnet (if firewall applied)

Use Azure CLI:

az network nsg rule create </span>
--resource-group <RG> </span>
--nsg-name <NSG-NAME> </span>
--name Allow-AAD-OAuth </span>
--priority 200 </span>
--direction Outbound </span>
--access Allow </span>
--protocol Tcp </span>
--destination-port-ranges 443 </span>
--destination-address-prefixes AzureActiveDirectory

Now AMG backend can talk to Entra ID securely without opening Internet.

3. Application Gateway Rewrite Rules:

Microsoft Application Gateway supports modifying request and response headers between client and backend and also Response Location header can be rewritten before reaching client.

This is exactly what AMG SSO requires.

References:

Rewrite HTTP headers and URL with Application Gateway - https://dori-uw-1.kuma-moon.com/en-us/azure/application-gateway/rewrite-http-headers-url

Rewrite HTTP request and response headers with Azure Application Gateway - Azure portal - https://dori-uw-1.kuma-moon.com/en-us/azure/application-gateway/rewrite-http-headers-portal

Rewrite is Required because, After login, Entra ID redirects browser to:

https://amg-ap-eus-eph-dmang7hpexe9.eus.grafana.azure.com/login/azuread

But:

Public access = Disabled Browser cannot access Private Endpoint directly

So AppGW must intercept this redirect and convert to:

https://grafana.eph-xyz.opum.com/login/azuread

Please try below implementation using Azure CLI:

Step 1: Create Rewrite Rule Set

az network application-gateway rewrite-rule set create </span>
--resource-group <RG> </span>
--gateway-name <APPGW-NAME> </span>
--name grafanaRewriteSet

Step 2 : REQUEST HEADER REWRITE, (Vanity → AMG Host)

az network application-gateway rewrite-rule create </span>
--resource-group <RG> </span>
--gateway-name <APPGW-NAME> </span>
--rule-set-name grafanaRewriteSet </span>
--name rewriteHostHeader </span>
--sequence 100 </span>
--request-headers "Host=amg-ap-eus-eph-dmang7hpexe9.eus.grafana.azure.com"

Step 3: RESPONSE HEADER REWRITE, (AMG Redirect → Vanity URL)

This captures redirect from AMG:

Location:
https://amg-ap-eus-eph-dmang7hpexe9.eus.grafana.azure.com

and replaces with:

https://grafana.eph-xyz.opum.com

First Create Condition:

az network application-gateway rewrite-rule condition create \az network application-gatewayRG> </span>
--gateway-name <APPGW-NAME> </span>
--rule-set-name grafanaRewriteSet </span>
--rule-name rewriteHostHeader </span>
--variable http_resp_Location </span>
--pattern amg-ap-eus-eph-dmang7hpexe9.eus.grafana.azure.com </span>
--ignore-case true

Then Response Rewrite:

az network application-gateway rewrite-rule create </span>
--resource-group <RG> </span>
--gateway-name <APPGW-NAME> </span>
--rule-set-name grafanaRewriteSet </span>
--name rewriteLocationHeader </span>
--sequence 110 </span>
--responsegrafana.eph-xyz.opum.com"

Step 4 : Attach Rewrite Rule To Routing Rule.

az network application-gateway rule update </span>
--resource-group <RG> </span>
--gateway-name <APPGW-NAME> </span>
--name <ROUTING-RULE-NAME> </span>
--rewrite-rule-set grafanaRewriteSet

Azure AD App Registration Redirect URI Must include BOTH:

https://grafana.eph-xyz.opum.com/login/azuread
https://amg-ap-eus-eph-dmang7hpexe9.eus.grafana.azure.com/login/azuread

When a user accesses the Grafana instance using the vanity URL (grafana.eph-xyz.opum.com), the request is routed through the Application Gateway to the Azure Managed Grafana private endpoint; after successful authentication with Microsoft Entra ID, the service redirects the response to the Managed Grafana workspace FQDN, which is then intercepted by the Application Gateway and rewritten back to the vanity URL, allowing the login process to complete successfully while maintaining private access.

Azure Managed Grafana internally utilizes its workspace FQDN in the OAuth authentication flow. When public network access is disabled, the browser cannot directly reach this FQDN after successful sign‑in, resulting in authentication failures. Configuring Azure Application Gateway to rewrite request Host headers and response Location headers ensures that OAuth redirect responses are routed back through the vanity URL, allowing authentication to complete successfully while maintaining private endpoint access.

Thank You.