Written by 09:24 Microsoft Azure Views: 220

Azure Virtual Network Gateway: Enable Azure AD Authentication for Azure Point-to-Site (P2S) VPN

How can you configure Azure Active Directory authentication for a point-to-site VPN

Microsoft has finally added a long-awaited feature, support for Azure Active Directory authentication on Point-to-site (P2S) VPN connection(s). In this blog, I will explain step-by-step how to set up authentication based on Azure Active Directory (AAD) for a virtual network gateway with point-to-site VPN configured. I assume that there is already a P2S connection configuration in place.

The goal is to secure company identity/data. With AAD and MFA authentication, it’s almost impossible for a hacker to access your company resources.

If you wish to implement the Azure AD authentication with the P2S VPN, I would advise using this in combination with Conditional Access policies for MFA authentication.

A side note: Please keep in mind that P2S VPN is often been used by administrators to access their management purposes. In the Modern workplace, it’s not recommended to use this technique for accessing your application(s) and or environment.

Step 1:
Download and install the Azure VPN client from the Microsoft Store if you don’t have it on your client yet. We will need the software to import the VPN profile in step 6.

Step 2:
Find the Directory ID of your Azure AD tenant. This can be found by browsing to Azure Active Directory > Properties > Directory ID

Step 3:
Paste the following URL in the browser to give the Enterprise app Azure VPN permissions to access your tenant. It needs the following permissions ” Sign in and read user profile”.  See the below screenshot.

Please don’t change the URL. It doesn’t need to have your Directory ID yet.
https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

Step 4:
Run the below PowerShell command to Enable Azure AD authentication on the VPN gateway. Don’t forget to change the values to your tenant settings

$gw = Get-AzVirtualNetworkGateway -Name <name of VPN gateway> -ResourceGroupName <Resource group>
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -VpnClientRootCertificates @()
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -AadTenantUri "https://login.microsoftonline.com/<your Directory ID>" -AadAudienceId "41b23e61-6c1e-4545-b367-cd054e0ed4b4" -AadIssuerUri "https://sts.windows.net/<your Directory ID>/" -VpnClientAddressPool 192.168.0.0/24 -VpnClientProtocol OpenVPN

Step 5:
Run the below PowerShell command to create and download the created VPN profile. Don’t forget to change the values to your tenant settings

$profile = New-AzVpnClientConfiguration -Name <name of VPN gateway> -ResourceGroupName <Resource group> -AuthenticationMethod "EapTls"
$PROFILE.VpnProfileSASUrl

Step 6:
After running the above command, it will show you the below result. Copy the URL to your browser to download your VPN profile as a ZIP file. When the download finishes, extract the ZIP file.

Step 7:
Open the Azure VPN client app in Windows to import the created VPN profile. You will need the .XML file in the AzureVPN folder.
You can import the VPN profile by clicking on the + sign in the left bottom of the page.

Nowadays, companies are using certificates or RADIUS to connect with a point-to-site VPN connection. With AAD authentication you will authorize users by their Identity to connect with VPN.

In this blog, you will find the steps to follow to configure AAD authentication for a point-to-site VPN.

References:
Configure Conditional Access (MFA): https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-mfa
Troubleshooting (Diagnose connection issues): https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-client#diagnose

Visited 220 times, 1 visit(s) today
Close