Hi Jessica Espada,
Greetings!
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
NOTE: Yes, you are correct. If the Web App is VNet integrated with a subnet that has the Microsoft.Web service endpoint enabled, then this behavior is expected. It is by design that when the Microsoft.Web endpoint is enabled, the normal IPv4 outbound IP is no longer used. Instead, any communication will go through special tunneling using IPv6 outbound.
This can indeed cause issues like the 403 error you're experiencing.
Refer: https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/ad-dmn-services/azure-ad-ipv6-support
- This means that even if you use a NAT gateway, it might not resolve the issue because the service endpoint will still attempt to use the IPv6 address.
- Given the limitations and the design of the service endpoints, it might be best to continue with your current approach of disabling the Microsoft.Web service endpoint if it is causing significant issues.
As this is something that is not supported, we encourage customers to create a feedback item for this request on the feedback forum:
feedback forum: https://feedback.azure.com/d365community
Hope this clarifies.
If the above is unclear and/or you are unsure about something, add a comment below.
Thanks
Ganesh
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
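The following script is an added example for readers of this thread; it is not part of Ganesh's answer or of any Microsoft documentation. It shows the fix the answer recommends, removing Microsoft.Web from the integration subnet's service endpoints while keeping any other endpoints, driven by the Azure CLI. Resource names (rg-example, vnet-example, snet-appsvc) and the sample endpoint list are placeholders constructed here, not values from the thread. By default it runs in dry-run mode against the constructed sample and only prints the `az` command it would execute; set DRY_RUN=0 and pass --fix to run it against a real subnet.

```shell
#!/usr/bin/env bash
# Added example; not from the original Q&A answer. Resource names below are
# placeholders (assumptions), not identifiers from the thread.
set -eu

RG="${RG:-rg-example}"            # assumed resource group name
VNET="${VNET:-vnet-example}"      # assumed VNet name
SUBNET="${SUBNET:-snet-appsvc}"   # assumed delegated subnet used for VNet integration
DRY_RUN="${DRY_RUN:-1}"           # 1 = print the az commands, 0 = run them

# Constructed sample of what
#   az network vnet subnet show --query "serviceEndpoints[].service" -o tsv
# prints for a subnet with three endpoints enabled (one name per line).
SAMPLE_ENDPOINTS='Microsoft.Storage
Microsoft.Web
Microsoft.Sql'

# True (exit 0) when Microsoft.Web is among the newline-separated endpoint names.
has_web_endpoint() {
  printf '%s\n' "$1" | awk 'BEGIN { f = 1 } $0 == "Microsoft.Web" { f = 0 } END { exit f }'
}

# Print the endpoint names with Microsoft.Web dropped, space-separated, which is
# the form `az network vnet subnet update --service-endpoints` expects.
strip_web_endpoint() {
  printf '%s\n' "$1" | awk 'NF && $0 != "Microsoft.Web" { out = out (out == "" ? "" : " ") $0 } END { print out }'
}

# Build the single az command that removes Microsoft.Web and keeps the rest.
# If nothing remains, clear the property instead of passing an empty list.
# Arguments: <endpoint list> <resource group> <vnet> <subnet>
build_update_cmd() {
  local remaining
  remaining="$(strip_web_endpoint "$1")"
  if [ -z "$remaining" ]; then
    printf 'az network vnet subnet update -g %s --vnet-name %s -n %s --remove serviceEndpoints\n' "$2" "$3" "$4"
  else
    printf 'az network vnet subnet update -g %s --vnet-name %s -n %s --service-endpoints %s\n' "$2" "$3" "$4" "$remaining"
  fi
}

# Print the command in dry-run mode, otherwise execute it.
run_or_print() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$1"; else eval "$1"; fi
}

# Read the subnet's current endpoints and change it only if Microsoft.Web is
# actually present, so re-running the script is harmless.
fix_subnet() {
  local current
  if [ "$DRY_RUN" = "1" ]; then
    current="$SAMPLE_ENDPOINTS"
  else
    current="$(az network vnet subnet show -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
                 --query 'serviceEndpoints[].service' -o tsv)"
  fi
  if has_web_endpoint "$current"; then
    run_or_print "$(build_update_cmd "$current" "$RG" "$VNET" "$SUBNET")"
  else
    echo "Microsoft.Web endpoint not present on $SUBNET; nothing to change"
  fi
}

# Only act when invoked with --fix, so sourcing the file for its functions
# (or running it with no arguments) changes nothing.
if [ "${1:-}" = "--fix" ]; then
  fix_subnet
fi
```

After the update, re-run the `az network vnet subnet show` query to confirm Microsoft.Web is gone, then check the source address your destination sees from the app: with the endpoint removed, traffic routed through the subnet should leave via the subnet's NAT gateway IPv4 address, which is what the 403 troubleshooting in the answer depends on. One caveat from the editor, not from the answer: the Microsoft.Web service endpoint on a subnet is also what lets other App Service apps accept inbound traffic from that subnet through service-endpoint-based access restrictions, so check whether any other app's access restriction rules reference this subnet before removing it.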