Azure Firewall Policy blocks Azure CDN dependencies required for Azure AD authentication (AAD login works, dependent CDN endpoints blocked)

Abdul Rahim 20 Reputation points
2026-01-11T22:34:13.1166667+00:00

We have deployed Azure Firewall with a Firewall Policy to restrict outbound Internet access from a VM subnet while allowing only Azure AD (Entra ID) authentication traffic and required Microsoft dependencies.

Although authentication endpoints (login.microsoftonline.com, device.login.microsoftonline.com, graph.microsoft.com) are reachable, Azure CDN endpoints required by the Azure AD login experience (aadcdn.msauth.net, aadcdn.msftauth.net, office.com, microsoft.com) remain unreachable, even after configuring both Application rules and Network rules using documented Service Tags.

We need Azure Support assistance to confirm the correct and supported way to allow Azure AD + its CDN dependencies while blocking general Internet access using Azure Firewall.

Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.


Answer accepted by question author

Vallepu Venkateswarlu 9,835 Reputation points Microsoft External Staff Moderator
2026-01-12T14:39:26.2+00:00

Hello @Abdul Rahim

Welcome to Microsoft Q&A Platform.

As discussed offline, the issue you encountered was due to multiple traffic-filtering rules.

At the first level, Azure Firewall is applied at the subnet level and is configured to block all traffic by default, allowing only the traffic explicitly permitted by the firewall policy. In addition to this, there is an NSG applied at the VM NIC level that also blocks all outbound internet traffic.

Because of this layered configuration, traffic from the VM was being blocked even for Microsoft endpoints such as Office 365, Microsoft Entra ID, and Azure Front Door, despite these being explicitly allowed in the Firewall policy.

To resolve the issue, please remove the unnecessary outbound blocking rules from the NSG attached to the VM NIC. The Azure Firewall already controls traffic at the subnet level, so maintaining restrictive outbound rules at the NIC level is not required and can cause conflicts.

Once the redundant NSG rules are removed, traffic should flow as expected.

1 person found this answer helpful.
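The accepted answer turns on evaluation order: a NIC-level NSG is applied before the packet is ever routed (via UDR) to Azure Firewall, so a deny there cannot be overridden by an allow in the firewall policy, and within an NSG the lowest-priority-number rule that matches wins, so a deny-all at priority 100 silently shadows any allow placed behind it. The following Python model of that egress path is an added example written for this page; it is not code from the thread, Microsoft, or any Azure SDK. Every rule, service-tag membership, and FQDN set in it is constructed to mirror the scenario described above (the wildcard scope of `*.office.com` / `*.microsoft.com` is an assumption), and the `trace_egress` function and the other names are hypothetical helpers, not Azure APIs.

```python
"""Offline model of the egress path discussed in the thread:
NIC NSG -> subnet NSG -> (UDR) -> Azure Firewall policy application rules.
Constructed example for illustration; it does not call any Azure API."""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Packet:
    fqdn: str             # HTTP Host / TLS SNI that the firewall application rule sees
    tags: frozenset       # constructed: service tags the destination IP belongs to
    port: int = 443
    protocol: str = "Tcp"


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int         # lower number is evaluated first; first match wins
    access: str           # "Allow" or "Deny"
    destination: str = "*"   # "*", "Internet", or a service tag such as "AzureActiveDirectory"
    port: str = "*"
    protocol: str = "*"


# Azure's built-in default outbound rules; any custom rule (priority < 65000) is evaluated first.
DEFAULT_OUTBOUND = (
    NsgRule("AllowVnetOutBound", 65000, "Allow", "VirtualNetwork"),
    NsgRule("AllowInternetOutBound", 65001, "Allow", "Internet"),
    NsgRule("DenyAllOutBound", 65500, "Deny", "*"),
)


def _dest_matches(rule: NsgRule, pkt: Packet) -> bool:
    if rule.destination == "*":
        return True
    if rule.destination == "Internet":          # "Internet" = any address outside the VNet
        return "VirtualNetwork" not in pkt.tags
    return rule.destination in pkt.tags


def _rule_matches(rule: NsgRule, pkt: Packet) -> bool:
    return (rule.protocol in ("*", pkt.protocol)
            and rule.port in ("*", str(pkt.port))
            and _dest_matches(rule, pkt))


def evaluate_nsg(custom_rules, pkt: Packet) -> tuple:
    """First matching rule by ascending priority decides; defaults guarantee a match."""
    for rule in sorted(tuple(custom_rules) + DEFAULT_OUTBOUND, key=lambda r: r.priority):
        if _rule_matches(rule, pkt):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllOutBound matches everything")


@dataclass(frozen=True)
class AppRule:
    name: str
    fqdns: tuple          # exact FQDNs or "*.example" wildcard patterns
    ports: tuple = (443,)


def evaluate_firewall(app_rules, pkt: Packet) -> tuple:
    """Azure Firewall policy: an application rule must match, otherwise the default is deny."""
    for rule in app_rules:
        if pkt.port in rule.ports and any(fnmatch(pkt.fqdn, p) for p in rule.fqdns):
            return "Allow", rule.name
    return "Deny", "policy-default-deny"


def trace_egress(pkt: Packet, nic_nsg, subnet_nsg, app_rules) -> tuple:
    """Return (verdict, 'layer:rule') for the first hop that makes the decision.
    NSGs are evaluated before the packet is routed to the firewall, so an NSG deny
    is final no matter what the firewall policy allows."""
    for layer, rules in (("nic-nsg", nic_nsg), ("subnet-nsg", subnet_nsg)):
        access, name = evaluate_nsg(rules, pkt)
        if access == "Deny":
            return "Deny", f"{layer}:{name}"
    access, name = evaluate_firewall(app_rules, pkt)
    return access, f"azure-firewall:{name}"


# Constructed scenario: the firewall policy allows only Entra ID and its dependencies.
ENTRA_APP_RULES = (
    AppRule("allow-entra-and-deps", (
        "login.microsoftonline.com", "device.login.microsoftonline.com", "graph.microsoft.com",
        "aadcdn.msauth.net", "aadcdn.msftauth.net",
        "*.office.com", "*.microsoft.com",     # wildcard scope is an assumption
    )),
)
# NIC NSG as found: a deny-all-Internet rule at priority 100 shadows the Allow at 200.
NIC_NSG_BROKEN = (
    NsgRule("AllowEntraOutbound", 200, "Allow", "AzureActiveDirectory", "443", "Tcp"),
    NsgRule("DenyAllInternetOutbound", 100, "Deny", "Internet"),
)
# NIC NSG after the fix suggested in the answer: the redundant deny rule removed.
NIC_NSG_FIXED = (NsgRule("AllowEntraOutbound", 200, "Allow", "AzureActiveDirectory", "443", "Tcp"),)
SUBNET_NSG = ()   # no custom subnet rules; default rules allow Internet outbound

LOGIN = Packet("login.microsoftonline.com", frozenset({"AzureActiveDirectory"}))
CDN = Packet("aadcdn.msauth.net", frozenset({"AzureFrontDoor.Frontend"}))   # tag is constructed
OTHER = Packet("example.com", frozenset())

if __name__ == "__main__":
    for label, nic in (("with NIC deny rule", NIC_NSG_BROKEN), ("NIC deny rule removed", NIC_NSG_FIXED)):
        for pkt in (LOGIN, CDN, OTHER):
            print(f"{label:22} {pkt.fqdn:32} -> {trace_egress(pkt, nic, SUBNET_NSG, ENTRA_APP_RULES)}")
```

With the deny rule in place every destination is dropped at `nic-nsg` before the firewall sees it; with it removed, the Entra endpoints and the `aadcdn` hosts pass the NSGs and are allowed by the firewall application rule, while `example.com` still reaches the firewall and is denied by the policy default, which is the posture the question asks for. The real-world equivalent of `trace_egress` is to dump the effective rules actually applied to the VM's NIC (`az network nic list-effective-nsg --name <nic> --resource-group <rg>`) and read them in priority order before touching the firewall policy: a deny that appears there with a lower priority number than any allow is the culprit, whatever the policy says.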

0 additional answers
