diff --git a/providers/microsoft/azure/src/airflow/providers/microsoft/azure/hooks/msgraph.py b/providers/microsoft/azure/src/airflow/providers/microsoft/azure/hooks/msgraph.py
index 2f3bf3a40308c..075c7c20031d3 100644
--- a/providers/microsoft/azure/src/airflow/providers/microsoft/azure/hooks/msgraph.py
+++ b/providers/microsoft/azure/src/airflow/providers/microsoft/azure/hooks/msgraph.py
@@ -294,6 +294,13 @@ def to_msal_proxies(self, authority: str | None, proxies: dict | None) -> dict |
             return proxies
         return None
 
+    @staticmethod
+    def get_allowed_hosts(authority: str, config: dict) -> list[str]:
+        allowed_hosts = config.get("allowed_hosts", authority)
+        if not allowed_hosts:
+            return []
+        return [host for host in allowed_hosts.split(",") if host]
+
     def _build_request_adapter(self, connection) -> tuple[str, RequestAdapter]:
         client_id = connection.login
         client_secret = connection.password
@@ -311,7 +318,7 @@ def _build_request_adapter(self, connection) -> tuple[str, RequestAdapter]:
             scopes = scopes.split(",")
         verify = config.get("verify", True)
         trust_env = config.get("trust_env", False)
-        allowed_hosts = (config.get("allowed_hosts", authority) or "").split(",")
+        allowed_hosts = self.get_allowed_hosts(authority, config)
 
         self.log.info(
             "Creating Microsoft Graph SDK client %s for conn_id: %s",
diff --git a/providers/microsoft/azure/tests/unit/microsoft/azure/hooks/test_msgraph.py b/providers/microsoft/azure/tests/unit/microsoft/azure/hooks/test_msgraph.py
index dab96656d43b4..e1b2caf5b32b1 100644
--- a/providers/microsoft/azure/tests/unit/microsoft/azure/hooks/test_msgraph.py
+++ b/providers/microsoft/azure/tests/unit/microsoft/azure/hooks/test_msgraph.py
@@ -570,6 +570,20 @@ async def test_send_request_invalidates_cache_and_raises_on_any_error(self):
             adapter.send_no_response_content_async.assert_called_once()
             assert hook.conn_id not in hook.cached_request_adapters
 
+    def test_allowed_hosts_is_empty_list_when_not_configured(self):
+        """An unset allowed_hosts/authority must yield []."""
+        actual = KiotaRequestAdapterHook.get_allowed_hosts(None, {})
+
+        assert actual == []
+
+    def test_allowed_hosts_from_config(self):
+        """A configured allowed_hosts string must be split into a list."""
+        actual = KiotaRequestAdapterHook.get_allowed_hosts(
+            None, {"allowed_hosts": "api.powerbi.com,login.microsoftonline.com"}
+        )
+
+        assert actual == ["api.powerbi.com", "login.microsoftonline.com"]
+
 
 class TestKiotaRequestAdapterHookProtocol:
     """Test protocol handling in KiotaRequestAdapterHook."""