The endpoints used by the AR service to perform Azure functions are:
The Active Roles Administration Service and Active Roles Web Interface hosts must have access to these endpoints. To confirm this, use an internet browser installed on the host, while logged onto the Active Roles host as the Active Roles service account.
When attempting to visit https://login.microsoftonline.com/ there should be a credential prompt.
Accessing https://graph.windows.net/ using an internet browser from the Active Roles Administration Service host is expected to result in an HTTP 400 error message. It should be possible to access the following endpoint from the Azure AD Graph Explorer from the Active Roles Administration Service host while logged into the Graph Explorer as the Azure Service account: