risk – Do I place this service in the DMZ or datacentre (internal)?

I have set up a VM on our internal network and it is assigned an internal IP address. The VM requires connectivity to a couple of internet sites, mainly Microsoft, and the ports are generally 80 and 443. This is to run Power Automate.

  • All connections are instigated from the VM.
  • All connections traverse our perimeter firewall; there is also NAT here.
  • We have restricted the IP ranges that the VM can connect out to.
  • No reverse proxy

Does this service need to be placed on the DMZ? My initial thoughts are no. The risk is if Microsoft domains and servers are compromised then a bad actor may be able to send malware or compromise our internal server once a connection is established. The risk of this is low and therefore I am happy to accept this risk.

If a connection was instigated from the internet, then I think this builds a strong case to place the service on the DMZ. Am I right?

What are your thoughts? Is my thinking on the right lines?
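
An added example, not part of the original post: a Python check that runs constructed firewall flow records against the design listed in the question (connections initiated only by the VM, restricted destination ranges, ports 80 and 443). The VM address, the permitted ranges and the log format are assumptions made for illustration.

```python
import ipaddress

# Assumptions (constructed for this example, not taken from the post):
VM_IP = ipaddress.ip_address("10.20.30.40")              # internal VM address
ALLOWED_NETS = [ipaddress.ip_network(n) for n in
                ("203.0.113.0/24", "198.51.100.0/25")]   # stand-ins for the permitted ranges
ALLOWED_PORTS = {80, 443}

# Constructed flow records: "src_ip src_port dst_ip dst_port state".
# NEW marks the first packet of a connection as seen by the firewall.
SAMPLE_FLOWS = """\
10.20.30.40 51544 203.0.113.10 443 NEW
10.20.30.40 51545 198.51.100.7 80 NEW
10.20.30.40 51546 198.51.100.200 443 NEW
10.20.30.40 51547 203.0.113.10 8443 NEW
192.0.2.55 40000 10.20.30.40 3389 NEW
203.0.113.10 443 10.20.30.40 51544 ESTABLISHED
"""

def check_flow(line):
    """Return None if the flow matches the stated design, else a reason string."""
    src, _sport, dst, dport, state = line.split()
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if state != "NEW":
        return None  # reply traffic on an existing connection; only initiations matter
    if dst == VM_IP:
        return "inbound connection initiated towards the VM"
    if src != VM_IP:
        return None  # flow does not involve the VM
    if not any(dst in net for net in ALLOWED_NETS):
        return "outbound to a destination outside the permitted ranges"
    if int(dport) not in ALLOWED_PORTS:
        return "outbound on a port other than 80/443"
    return None

def audit(flows):
    """Return (line, reason) for every flow that violates the design."""
    findings = []
    for line in flows.splitlines():
        if line.strip():
            reason = check_flow(line)
            if reason:
                findings.append((line, reason))
    return findings

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION: {reason}: {line}")
```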