diff --git a/build/ansible/roles/nginx/files/conf.d/pmm.conf b/build/ansible/roles/nginx/files/conf.d/pmm.conf
index 952cc5a6896..d4ecc3055e1 100644
--- a/build/ansible/roles/nginx/files/conf.d/pmm.conf
+++ b/build/ansible/roles/nginx/files/conf.d/pmm.conf
@@ -142,6 +142,23 @@
 }
 rewrite ^/graph$ /graph/;
 location /graph {
+ # Redirect top-level browser navigations to /pmm-ui/graph/* so Grafana is
+ # rendered inside the PMM UI shell. Iframe loads, fetch/XHR, scripts,
+ # images, fonts, styles and clients that don't send Sec-Fetch-Dest fall
+ # through to the Grafana proxy below.
+ # API paths and Grafana auth/account routes are excluded so REST clients
+ # work and unauthenticated users can still reach login pages directly.
+ set $redirect_to_pmm_ui 0;
+ if ($http_sec_fetch_dest = "document") {
+ set $redirect_to_pmm_ui 1;
+ }
+ if ($request_uri ~* "^/graph/(api(/|\?|$)|login|logout|signup|invite|verify|user/password/(send-reset-email|reset))(/|\?|$)") {
+ set $redirect_to_pmm_ui 0;
+ }
+ if ($redirect_to_pmm_ui = 1) {
+ return 302 /pmm-ui$request_uri;
+ }
+
 proxy_cookie_path / "/;";
 proxy_pass http://grafana;
 proxy_read_timeout 600;
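Review bot: The exclusion regex does not cover real API paths, because the `api` alternative consumes its own terminator and the shared `(/|\?|$)` must then match again: `/graph/api/dashboards` or `/graph/api?x=1` opened as a top-level navigation still gets the 302, while only `/graph/api`, `/graph/api/` and `/graph/api//…` are exempt. Dropping the inner group fixes it: `if ($request_uri ~* "^/graph/(api|login|logout|signup|invite|verify|user/password/(send-reset-email|reset))(/|\?|$)") {`. The redirect also fires for every request method, and a 302 on a top-level form POST is replayed by browsers as a GET without the body, so it is worth adding `if ($request_method !~ "^(GET|HEAD)$") { set $redirect_to_pmm_ui 0; }` before the `return`. Since `Sec-Fetch-Dest` is client-supplied and requests without it fall through to the proxy, the comment could state that this is a routing convenience only and that Grafana behind `/graph` still has to enforce its own authentication. The `location /graph` block continues past the end of the hunk.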