Graph API : Options to Route calls to Specific IP Range?

Kirubakara Senthil Kumar S 191 Reputation points
2021-04-02T21:54:48.433+00:00

Hello All,

We have a .NET web B2B multitenancy application. We recently enabled MFA with Azure AD. While trying to automate guest user creation in Azure AD using the Graph API, we came across a strange problem. This happens only from our client network: the calls failed 30% of the time. While debugging, we found that graph.microsoft.com resolved to two IP ranges, 40.XX.XX.XX and 20.XX.XX.XX. Every time we got 20.XX, our calls were failing. There were multiple vendors handling different firewalls inside the client infra. We had multiple calls with Verizon, DXC, and AT&T. Finally we understood that DXC earlier owned 20.XX; it looks like they released it a few years ago, hence they blocked this range internally. We are working towards enabling this. Meanwhile, is there a possibility to skip the 20.XX range and call the 40.XX range all the time? We even explored the hosts file configuration in the local VM as well. I cannot rely on the hosts file: in case you/MS disable a specific IP, this will never create a user in Azure AD. Please help and suggest an option.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Siva-kumar-selvaraj 15,721 Reputation points
    2021-04-10T11:40:35.29+00:00

    Hello @Kirubakara Senthil Kumar S ,

    Thanks for reaching out and apologies for delayed response.

    If these workloads are in Azure VMs, then you can leverage "Virtual network service endpoints", which provide secure and direct connectivity to Azure services over an optimized route over the Azure backbone network rather than a public route over the Internet.

    For more information, read

    Microsoft Graph API endpoints are managed by the Azure AD service bus, which is spread across regions and datacenters; hence client requests are distributed based on load.

    Here are different sets of IP ranges when I run nslookup from two different machines, so pointing it to a specific IP resolution using the HOSTS file won't be reliable.

    Therefore, the best option would be whitelisting the graph.microsoft.com IP addresses in the firewall. Please find the details in "Azure IP Ranges and Service Tags – Public Cloud".

    Non-authoritative answer:
    Name:      www.tm.prd.ags.akadns.net
    Addresses: 20.190.132.41
               20.190.132.42
               20.190.132.43
               20.190.132.44
    Aliases:   graph.microsoft.com
               ags.privatelink.msidentity.com

    Non-authoritative answer:
    Name:      www.tm.prd.ags.akadns.net
    Addresses: 20.190.145.171
               20.190.145.170
               20.190.145.169
    Aliases:   graph.microsoft.com
               ags.privatelink.msidentity.com

    Hope this helps.

    ------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

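The answer's point is that the resolved addresses for graph.microsoft.com vary per lookup, so a firewall must cover the published prefixes rather than a single address pinned in a hosts file. The script below is an added example, not code from the question, the answer, or Microsoft: it loads the prefixes of one tag from a document in the layout of the downloadable "Azure IP Ranges and Service Tags – Public Cloud" JSON (a top-level `values` list whose entries carry `name` and `properties.addressPrefixes`), then classifies the two nslookup result sets quoted in the answer as covered or not covered. The tag name `ExampleGraphTag` and its prefixes are constructed placeholders, deliberately chosen so that one result set is covered and the other is not; `resolve()` is an optional live lookup that needs network access and is not used by the offline run.

```python
"""Check which resolved graph.microsoft.com addresses fall inside a firewall allowlist.

Added example (not from the original question or answer). Assumes the JSON layout of
the "Azure IP Ranges and Service Tags - Public Cloud" download: {"values": [{"name": ...,
"properties": {"addressPrefixes": [...]}}]}. The tag name and prefixes below are
CONSTRUCTED placeholders, not the real tag contents.
"""
import ipaddress
import json
import socket

# Constructed service-tag document in the real file's layout. The prefixes are chosen
# so that the first nslookup result set from the answer is covered and the second is not.
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {
            "name": "ExampleGraphTag",  # placeholder tag name, not a real service tag
            "properties": {
                "addressPrefixes": ["20.190.132.0/24", "40.0.0.0/8"],
            },
        },
        {
            "name": "UnrelatedTag",
            "properties": {"addressPrefixes": ["10.0.0.0/8"]},
        },
    ],
})

# The two nslookup result sets quoted in the answer.
RESOLVED_SET_A = ["20.190.132.41", "20.190.132.42", "20.190.132.43", "20.190.132.44"]
RESOLVED_SET_B = ["20.190.145.171", "20.190.145.170", "20.190.145.169"]


def load_prefixes(service_tags_json, tag_name):
    """Return the address prefixes of one service tag as ip_network objects."""
    doc = json.loads(service_tags_json)
    for entry in doc.get("values", []):
        if entry.get("name") == tag_name:
            return [ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"]]
    raise KeyError(f"service tag {tag_name!r} not found")


def classify(addresses, prefixes):
    """Split resolved addresses into (covered by a prefix, not covered by any prefix)."""
    allowed, blocked = [], []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in prefixes):
            allowed.append(addr)
        else:
            blocked.append(addr)
    return allowed, blocked


def blocked_fraction(addresses, prefixes):
    """Fraction of the resolved addresses a firewall allowing only these prefixes would drop."""
    _, blocked = classify(addresses, prefixes)
    return len(blocked) / len(addresses) if addresses else 0.0


def resolve(hostname):
    """Live lookup (needs network): unique IPv4 addresses the resolver returns right now."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    prefixes = load_prefixes(SAMPLE_SERVICE_TAGS, "ExampleGraphTag")
    for label, addrs in (("set A", RESOLVED_SET_A), ("set B", RESOLVED_SET_B)):
        allowed, blocked = classify(addrs, prefixes)
        print(f"{label}: allowed={allowed} blocked={blocked} "
              f"blocked_fraction={blocked_fraction(addrs, prefixes):.2f}")
```

A non-empty `blocked` list for any result set means the ruleset, not the resolver, is the problem: the client will fail exactly as often as DNS hands it an uncovered address, which matches the intermittent failures described in the question. Running `classify(resolve("graph.microsoft.com"), prefixes)` against the real downloaded tag document, repeated from each network that makes Graph calls, gives a quick check that the firewall change the vendors are working on is complete before the hosts-file workaround is removed.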
