Azure – You can now use Azure AD authentication support for point to site VPN

As you already know, you can connect to your Azure virtual networks (VNets) from your devices using a Site-to-Site (S2S) VPN, a Point-to-Site (P2S) VPN, or both.

The Point-to-Site VPN connection used to require a self-signed certificate for the client to connect to Azure.

Well, good news: you can now use your Azure Active Directory instead of certificate-based authentication.

This simplifies Point-to-Site deployment a little while adding security, as it supports Conditional Access and MFA.

To start using it, you need to configure your Azure VPN gateway to support Azure AD authentication.

To do so, you need your Azure AD tenant ID (aka Directory ID); you can get it from the Properties blade of your Azure AD.


Then you need to grant admin consent using the appropriate URL for your cloud type.


By granting admin consent you will get a new Azure AD application called Azure VPN.


Then you need to enable the Azure AD authentication method on your VPN gateway using the commands below.

# Placeholders in angle brackets are quoted so the commands parse; replace them with your values
$gw = Get-AzVirtualNetworkGateway -Name "<your VPN Gateway>" -ResourceGroupName "<your resource group>"

# The audience ID is the Azure VPN Azure AD application (Azure public cloud)
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -AadTenantUri "https://login.microsoftonline.com/<your Azure AD ID>" -AadAudienceId "41b23e61-6c1e-4545-b367-cd054e0ed4b4" -AadIssuerUri "https://sts.windows.net/<your Azure AD ID>/"

It takes some time for the VPN gateway configuration to be updated with these new settings.


Once completed, you should see your Azure AD tenant and issuer details in the VpnClientConfiguration.


NOTE: the Point-to-Site VPN connection must be configured with OpenVPN and no root certificate; otherwise you will end up with the error "Set-AzVirtualNetworkGateway : Vpn client configuration for gateway <removed> can have only one of the RadiusServer or vpnclient certificate or AAD Authentication settings."


If you already have root certificates configured for your Point-to-Site connection, the commands need to be updated as below. Note that this removes the root certificates from the gateway, so clients still using certificate authentication will no longer be able to connect.

$gw = Get-AzVirtualNetworkGateway -Name "<your VPN Gateway>" -ResourceGroupName "<your resource group>"

# Clear the existing P2S root certificates; Azure AD authentication cannot coexist with them
$gw.VpnClientConfiguration.VpnClientRootCertificates = @()

Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -AadTenantUri "https://login.microsoftonline.com/<your Azure AD ID>" -AadAudienceId "41b23e61-6c1e-4545-b367-cd054e0ed4b4" -AadIssuerUri "https://sts.windows.net/<your Azure AD ID>/"

Finally, you need to create a new VPN client profile that uses Azure AD authentication, using the commands below.

# $vpnProfile is used instead of $profile to avoid shadowing PowerShell's automatic $PROFILE variable
$vpnProfile = New-AzVpnClientConfiguration -ResourceGroupName "<your resource group>" -Name "<your VPN Gateway>" -AuthenticationMethod "EapTls"

# Time-limited download URL for the generated client profile
$vpnProfile.VpnProfileSASUrl

The last command gives you a URL from which to download the VPN profile; you cannot use the Download VPN client option from the Point-to-Site blade.
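The gateway-side steps above (get the gateway, make sure it is OpenVPN-only with no RADIUS server or root certificates, apply the Azure AD settings, wait for the update, generate the profile) can be run as one script with the checks done up front, so you hit the "can have only one of the RadiusServer or vpnclient certificate or AAD Authentication settings" error before calling Set-AzVirtualNetworkGateway rather than after. This is an added example, not code from the original post or from Microsoft; the parameter names $TenantId, $GatewayName, $ResourceGroup and the -ClearRootCertificates switch are my own, the audience ID is the Azure public cloud value from the post, and the 30-minute wait is an assumed ceiling.

```powershell
# Added example (not from the original post): end-to-end Azure AD authentication setup
# for a Point-to-Site gateway, with the pre-flight checks the post's NOTE implies.
# Requires the Az.Network module and an authenticated session (Connect-AzAccount).
param(
    [Parameter(Mandatory)] [string] $TenantId,       # Azure AD tenant (Directory) ID
    [Parameter(Mandatory)] [string] $GatewayName,    # VPN gateway name
    [Parameter(Mandatory)] [string] $ResourceGroup,  # resource group of the gateway
    [switch] $ClearRootCertificates                  # opt in to removing existing P2S root certs
)

$ErrorActionPreference = 'Stop'
$AadAudienceId = '41b23e61-6c1e-4545-b367-cd054e0ed4b4'   # Azure VPN app ID (Azure public), from the post
$AadTenantUri  = "https://login.microsoftonline.com/$TenantId"
$AadIssuerUri  = "https://sts.windows.net/$TenantId/"

$gw  = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup
$cfg = $gw.VpnClientConfiguration
if (-not $cfg) { throw "Gateway '$GatewayName' has no Point-to-Site configuration yet." }

# Pre-flight: Azure AD auth needs OpenVPN and is mutually exclusive with RADIUS and root certificates
if ($cfg.VpnClientProtocols -notcontains 'OpenVPN') {
    throw "Client protocol must include OpenVPN; current: $($cfg.VpnClientProtocols -join ', ')"
}
if ($cfg.RadiusServerAddress) {
    throw "Gateway uses RADIUS ($($cfg.RadiusServerAddress)); remove it before enabling Azure AD auth."
}
if ($cfg.VpnClientRootCertificates.Count -gt 0) {
    if (-not $ClearRootCertificates) {
        throw "Gateway has $($cfg.VpnClientRootCertificates.Count) root certificate(s). Re-run with -ClearRootCertificates to remove them; certificate-based clients will stop working."
    }
    $cfg.VpnClientRootCertificates = @()
}

# Apply the Azure AD settings (same parameters as the post's command)
$gw = Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -AadTenantUri $AadTenantUri -AadAudienceId $AadAudienceId -AadIssuerUri $AadIssuerUri

# The update takes a while; poll the provisioning state with an assumed 30-minute ceiling
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 30
    $gw = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup
} while ($gw.ProvisioningState -ne 'Succeeded' -and (Get-Date) -lt $deadline)
if ($gw.ProvisioningState -ne 'Succeeded') {
    throw "Gateway still in state '$($gw.ProvisioningState)' after 30 minutes."
}

# Post-check: the stored tenant, audience and issuer should match what was requested
$cfg = $gw.VpnClientConfiguration
foreach ($pair in @(@('AadTenant', $AadTenantUri), @('AadAudience', $AadAudienceId), @('AadIssuer', $AadIssuerUri))) {
    $name, $expected = $pair
    if ($cfg.$name -ne $expected) {
        Write-Warning "$name is '$($cfg.$name)', expected '$expected'; check the VpnClientConfiguration before distributing profiles."
    }
}

# Generate the client profile and return its time-limited download URL
# ($vpnProfile rather than $profile, to avoid shadowing the automatic $PROFILE variable)
$vpnProfile = New-AzVpnClientConfiguration -ResourceGroupName $ResourceGroup -Name $GatewayName -AuthenticationMethod 'EapTls'
Write-Output $vpnProfile.VpnProfileSASUrl
```

Run it as .\Enable-P2SAadAuth.ps1 -TenantId <your Azure AD ID> -GatewayName <your VPN Gateway> -ResourceGroup <your resource group>, adding -ClearRootCertificates only once you have confirmed no clients still depend on certificate authentication; the script refuses to touch the root certificates otherwise, which is the safer default for a gateway that is already in use. The SAS URL it prints is the same one the post obtains from $profile.VpnProfileSASUrl and is time-limited, so generate it when you are ready to import the profile.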


Then you need the Azure VPN Client, which supports Azure AD authentication (it is the client that matches the Azure VPN Azure AD application created by the admin consent); the application is available through the Microsoft Store: https://www.microsoft.com/p/azure-vpn-client-preview/9np355qt2sqb?rtc=1&activetab=pivot:overviewtab


Once installed, launch the new VPN client and import the configuration; the authentication method should be set to Azure Active Directory.


When you hit the Connect button, an Azure AD authentication prompt will appear asking for your credentials.


You may be prompted to let your organization manage the device (if your device is not Azure AD registered and/or not already managed by Intune).


Benoit Hamet
Benoit works on Microsoft collaborative technologies. He has been awarded MVP for more than 12 years, currently MVP on Office 365 after being awarded on SharePoint (2011-2012) and Windows client & server (2002-2007). Speaker at various Microsoft events (TechDays, TechNet seminars) and Quest Software. He works on on-premises (Active Directory, RADIUS/NPS, Exchange, Skype for Business, SharePoint, SQL, Terminal Server, Windows client and Windows Server) and online (Azure, Intune, Office 365, Exchange Online, SharePoint Online, Skype for Business Online, Teams) technologies.
