Microsoft has finally added a long-awaited feature: support for Azure Active Directory authentication on point-to-site (P2S) VPN connections. In this blog, I will explain step by step how to set up authentication based on Azure Active Directory (AAD) for a virtual network gateway that already has point-to-site VPN configured. I assume that a P2S connection configuration is already in place.
Why should I use Azure Active Directory authentication with point-to-site VPN?
The goal is to protect company identities and data. With AAD authentication combined with MFA, it is almost impossible for an attacker to access your company resources.
If you wish to implement Azure AD authentication with the P2S VPN, I would advise combining it with Conditional Access policies that require MFA.
A side note: keep in mind that P2S VPN is often used by administrators for management access. In the modern workplace, it is not recommended to use this technique for accessing your applications or environment.
Step 1: Download and install the Azure VPN client from the Microsoft Store if you don't have it on your client yet. We will need the software to import the VPN profile in step 6.
Step 2: Find the Directory ID of your Azure AD tenant. You can find it under Azure Active Directory > Properties > Directory ID.
Step 3: Paste the following URL in the browser to grant the Azure VPN enterprise application permission to access your tenant. It needs the following permission: "Sign in and read user profile". See the screenshot below.
Please don't change the URL; it does not need to contain your Directory ID yet.
Step 4: Run the PowerShell commands below to enable Azure AD authentication on the VPN gateway. Don't forget to change the values to your tenant settings.
$gw = Get-AzVirtualNetworkGateway -Name "<name of VPN gateway>" -ResourceGroupName "<Resource group>"
# Remove the root certificates so the gateway no longer accepts certificate-based clients
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -VpnClientRootCertificates @()
# Switch the gateway to Azure AD authentication over the OpenVPN protocol
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -AadTenantUri "https://login.microsoftonline.com/<your Directory ID>" -AadAudienceId "41b23e61-6c1e-4545-b367-cd054e0ed4b4" -AadIssuerUri "https://sts.windows.net/<your Directory ID>/" -VpnClientAddressPool 192.168.0.0/24 -VpnClientProtocol OpenVPN
Step 5: Run the PowerShell commands below to create and download the VPN profile. Don't forget to change the values to your tenant settings.
# Use $vpnProfile rather than $profile: $PROFILE is a PowerShell automatic variable and should not be shadowed
$vpnProfile = New-AzVpnClientConfiguration -Name "<name of VPN gateway>" -ResourceGroupName "<Resource group>" -AuthenticationMethod "EapTls"
$vpnProfile.VpnProfileSASUrl
After running the commands above, you will see the result shown below. Copy the URL into your browser to download your VPN profile as a ZIP file. When the download finishes, extract the ZIP file.
Step 6: Open the Azure VPN client app in Windows to import the created VPN profile. You will need the .xml file in the AzureVPN folder.
You can import the VPN profile by clicking the + sign at the bottom left of the page.
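As an added example that is not part of the original post, the script below runs the whole gateway-side procedure in one go and then reads the gateway back to verify that certificate trust is gone and the Azure AD settings actually landed before the profile is generated and downloaded. The gateway name, resource group, Directory ID, address pool and download folder are placeholders you must fill in; the property names under VpnClientConfiguration (AadTenant, AadAudience, AadIssuer, VpnClientProtocols, VpnClientRootCertificates) are assumed from the Az.Network gateway object, and the audience ID is the one quoted in the post.

```powershell
# Added example, not the post's own commands: enable AAD on the P2S gateway,
# verify the result, then generate and fetch the client profile.
# Requires the Az.Network module and an existing Connect-AzAccount session.

$GatewayName   = '<name of VPN gateway>'     # placeholder
$ResourceGroup = '<Resource group>'          # placeholder
$TenantId      = '<your Directory ID>'       # placeholder: Azure Active Directory > Properties > Directory ID
$AddressPool   = '192.168.0.0/24'            # client address pool used in the post
$AudienceId    = '41b23e61-6c1e-4545-b367-cd054e0ed4b4'  # Azure VPN enterprise app ID from the post
$OutDir        = Join-Path $env:TEMP 'AzureVpnProfile'   # assumed download location

$TenantUri = "https://login.microsoftonline.com/$TenantId"
$IssuerUri = "https://sts.windows.net/$TenantId/"

$gw = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup

# Drop certificate trust first, then switch the gateway to Azure AD over OpenVPN.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -VpnClientRootCertificates @() | Out-Null
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -AadTenantUri $TenantUri `
    -AadAudienceId $AudienceId `
    -AadIssuerUri $IssuerUri `
    -VpnClientAddressPool $AddressPool `
    -VpnClientProtocol OpenVPN | Out-Null

# Read the gateway back and confirm the expected AAD-only state.
# Property names below are assumed from Az.Network's PSVpnClientConfiguration.
$gw  = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup
$cfg = $gw.VpnClientConfiguration
$problems = @()
if ($cfg.AadTenant   -ne $TenantUri)  { $problems += "AadTenant is '$($cfg.AadTenant)'" }
if ($cfg.AadAudience -ne $AudienceId) { $problems += "AadAudience is '$($cfg.AadAudience)'" }
if ($cfg.AadIssuer   -ne $IssuerUri)  { $problems += "AadIssuer is '$($cfg.AadIssuer)'" }
if ($cfg.VpnClientProtocols -notcontains 'OpenVPN') {
    $problems += "protocols are '$($cfg.VpnClientProtocols -join ',')'"
}
if ($cfg.VpnClientRootCertificates.Count -gt 0) {
    $problems += "$($cfg.VpnClientRootCertificates.Count) root certificate(s) still trusted"
}
if ($problems.Count -gt 0) {
    throw "Gateway is not in the expected AAD-only state: $($problems -join '; ')"
}
Write-Host "Gateway $GatewayName now authenticates P2S clients against tenant $TenantId only."

# Generate the client profile and download the ZIP from the SAS URL.
# $vpnProfile is used instead of $profile so the automatic $PROFILE variable is not shadowed.
$vpnProfile = New-AzVpnClientConfiguration -Name $GatewayName -ResourceGroupName $ResourceGroup -AuthenticationMethod 'EapTls'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$zip = Join-Path $OutDir 'vpnclient.zip'
Invoke-WebRequest -Uri $vpnProfile.VpnProfileSASUrl -OutFile $zip
Expand-Archive -Path $zip -DestinationPath $OutDir -Force

# Locate the XML profile the Azure VPN client imports and sanity-check its contents.
$xml = Get-ChildItem -Path (Join-Path $OutDir 'AzureVPN') -Filter '*.xml' | Select-Object -First 1
if (-not $xml) { throw "No XML profile found under $OutDir\AzureVPN" }
$profileText = Get-Content -Path $xml.FullName -Raw
if ($profileText -notmatch [regex]::Escape($TenantId) -or $profileText -notmatch [regex]::Escape($AudienceId)) {
    throw "Profile $($xml.Name) does not reference the expected tenant and audience"
}
Write-Host "Import $($xml.FullName) into the Azure VPN client via the + button at the bottom left."
```

The read-back check is the part worth keeping around: a gateway that still lists a root certificate, or that lacks OpenVPN in its protocol list, will keep accepting (or rejecting) clients in ways the Azure VPN client's error messages do not explain, so verifying the object after each Set-AzVirtualNetworkGateway call saves a troubleshooting round later.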
What is Azure Active Directory authentication on a point-to-site VPN?
Today, companies typically use certificates or RADIUS to authenticate point-to-site VPN connections. With AAD authentication, users are authorized to connect to the VPN based on their identity.
How can I configure Azure Active Directory authentication for point-to-site VPN?
In this blog, you will find the steps to follow to configure AAD authentication for a point-to-site VPN.
Configure Conditional Access (MFA): https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-mfa
Troubleshooting (Diagnose connection issues): https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-client#diagnose