As you already know, you can connect to your Azure virtual networks (VNets) from your devices using either a Site-to-Site (S2S) VPN or a Point-to-Site (P2S) VPN.
The Point-to-Site VPN connection used to require a self-signed certificate for the client to connect to Azure.
Well, good news: you can now use your Azure Active Directory instead of certificate-based authentication.
This simplifies the Point-to-Site deployment a little while adding security, since Azure AD authentication supports Conditional Access and MFA.
To start using it, you need to configure your Azure VPN gateway to support Azure AD authentication.
To do so, you first need your Azure AD tenant ID (aka Directory ID); you can get it from the Properties blade of your Azure AD.
Then you need to grant admin consent to the Azure VPN application by opening the following URL (pick the one matching your cloud type) while signed in with an account that can grant tenant-wide consent, i.e. a Global Administrator:
- Public cloud: https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent
- Government: https://login-us.microsoftonline.com/common/oauth2/authorize?client_id=51bb15d4-3a4f-4ebf-9dca-40096fe32426&response_type=code&redirect_uri=https://portal.azure.us&nonce=1234&prompt=admin_consent
- Germany: https://login-us.microsoftonline.de/common/oauth2/authorize?client_id=538ee9e6-310a-468d-afef-ea97365856a9&response_type=code&redirect_uri=https://portal.microsoftazure.de&nonce=1234&prompt=admin_consent
- China (21Vianet): https://login.chinacloudapi.cn/common/oauth2/authorize?client_id=49f817b6-84ae-4cc0-928c-73f27289b3aa&response_type=code&redirect_uri=https://portal.azure.cn&nonce=1234&prompt=admin_consent
Granting admin consent creates a new Azure AD enterprise application called Azure VPN in your tenant.
Then you need to enable the Azure AD authentication method on your VPN gateway using the commands below (the audience ID shown is the public-cloud one; use the client_id from the consent URL of your cloud type):
$gw = Get-AzVirtualNetworkGateway -Name <your VPN Gateway> -ResourceGroupName <your resource group>
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -AadTenantUri "https://login.microsoftonline.com/<your Azure AD ID>" -AadAudienceId "41b23e61-6c1e-4545-b367-cd054e0ed4b4" -AadIssuerUri "https://sts.windows.net/<your Azure AD ID>/"
It takes some time (several minutes) for the VPN gateway configuration to be updated with the new settings.
Once completed, you should see your Azure AD tenant, audience and issuer details in the gateway's VpnClientConfiguration.
NOTE: the Point-to-Site configuration must use the OpenVPN tunnel type and have no root certificate (and no RADIUS server) configured, otherwise you will end up with the error "Set-AzVirtualNetworkGateway : Vpn client configuration for gateway <removed> can have only one of the RadiusServer or vpnclient certificate or AAD Authentication settings."
If you already have root certificates configured for your Point-to-Site connection, clear them in the same update, as below (existing certificate-based clients will stop working once this is applied):
$gw = Get-AzVirtualNetworkGateway -Name <your VPN Gateway> -ResourceGroupName <your resource group>
$gw.VpnClientConfiguration.VpnClientRootCertificates = @()
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -AadTenantUri "https://login.microsoftonline.com/<your Azure AD ID>" -AadAudienceId "41b23e61-6c1e-4545-b367-cd054e0ed4b4" -AadIssuerUri "https://sts.windows.net/<your Azure AD ID>/"
Finally, you need to generate a new VPN client profile that uses Azure AD authentication, using the commands below (the variable is named $vpnProfile rather than $profile so as not to overwrite PowerShell's automatic $PROFILE variable):
$vpnProfile = New-AzVpnClientConfiguration -ResourceGroupName <your resource group> -Name <your VPN Gateway> -AuthenticationMethod "EapTls"
$vpnProfile.VpnProfileSASUrl
The last command returns a time-limited SAS URL from which you download the VPN profile zip; you cannot use the Download VPN client option from the Point-to-Site configuration blade for an Azure AD profile.
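As an added end-to-end example (not code from the original post), the following PowerShell script performs the gateway-side steps above with the checks a practitioner would want before handing out profiles: it confirms that admin consent was granted (the Azure VPN service principal exists in the tenant), that the gateway uses the OpenVPN tunnel type and has no RADIUS settings, clears any root certificates, applies the Azure AD settings, verifies what the gateway reports back, then generates, downloads and sanity-checks the profile. The resource group, gateway name and tenant ID are placeholder assumptions; the audience ID and endpoints are the public-cloud values from this post; the AzureVPN\azurevpnconfig.xml path inside the downloaded zip is assumed.

```powershell
# Added example, not from the original post. Requires the Az.Network and Az.Resources modules
# and an existing Connect-AzAccount session with rights on the gateway and on Azure AD.
$resourceGroup = 'rg-vpn'                                  # assumption: your resource group
$gatewayName   = 'vpngw-hub'                               # assumption: your VPN gateway name
$tenantId      = '00000000-0000-0000-0000-000000000000'    # assumption: your Azure AD tenant (Directory) ID

# Public-cloud values from the post. Government / Germany / China use the client_id from
# their own consent URL as the audience and their own login/sts endpoints.
$aadAudience = '41b23e61-6c1e-4545-b367-cd054e0ed4b4'
$aadTenant   = "https://login.microsoftonline.com/$tenantId"
$aadIssuer   = "https://sts.windows.net/$tenantId/"

# 1. Admin consent must already have been granted: the 'Azure VPN' enterprise application
#    shows up as a service principal with that application ID in the tenant.
$sp = Get-AzADServicePrincipal -ApplicationId $aadAudience -ErrorAction SilentlyContinue
if (-not $sp) { throw "Azure VPN enterprise application not found in tenant $tenantId; grant admin consent first." }

# 2. Read the gateway and make sure its P2S configuration can accept AAD settings.
$gw  = Get-AzVirtualNetworkGateway -Name $gatewayName -ResourceGroupName $resourceGroup
$cfg = $gw.VpnClientConfiguration
if (-not $cfg) { throw "Gateway $gatewayName has no Point-to-Site configuration." }
if ($cfg.VpnClientProtocols -notcontains 'OpenVPN') {
    throw "AAD authentication requires the OpenVPN tunnel type; current protocols: $($cfg.VpnClientProtocols -join ', ')"
}
if ($cfg.RadiusServerAddress) {
    throw "A RADIUS server is configured; a gateway can have only one of RADIUS, certificate or AAD authentication."
}
# Root certificates must be removed or Set-AzVirtualNetworkGateway fails with the error quoted in the post.
$rootCertCount = @($cfg.VpnClientRootCertificates).Count
if ($rootCertCount -gt 0) {
    Write-Warning "Removing $rootCertCount root certificate(s); certificate-based clients will stop working."
    $gw.VpnClientConfiguration.VpnClientRootCertificates = @()
}

# 3. Apply the Azure AD settings. The cmdlet returns once the gateway update completes (several minutes).
$gw = Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
        -AadTenantUri $aadTenant -AadAudienceId $aadAudience -AadIssuerUri $aadIssuer

# 4. Verify what the gateway now reports before generating profiles for users.
$cfg = $gw.VpnClientConfiguration
if ($cfg.AadTenant -ne $aadTenant -or $cfg.AadAudience -ne $aadAudience -or $cfg.AadIssuer -ne $aadIssuer) {
    throw "Gateway AAD settings do not match the requested values:`n$($cfg | ConvertTo-Json -Depth 3)"
}

# 5. Generate the client profile (EapTls is the method name used for AAD profiles) and download it.
#    The SAS URL is time-limited and grants read access to the profile: treat it as a secret.
$vpnProfile = New-AzVpnClientConfiguration -ResourceGroupName $resourceGroup -Name $gatewayName -AuthenticationMethod 'EapTls'
$workDir = Join-Path $env:TEMP "$gatewayName-vpnclient"
$zipPath = "$workDir.zip"
Invoke-WebRequest -Uri $vpnProfile.VpnProfileSASUrl -OutFile $zipPath
Expand-Archive -Path $zipPath -DestinationPath $workDir -Force

# 6. Sanity-check the profile the Azure VPN Client will import (assumed path inside the zip).
$configXml = Join-Path $workDir 'AzureVPN\azurevpnconfig.xml'
if (-not (Test-Path $configXml)) { throw "Expected $configXml in the downloaded profile." }
if (-not (Select-String -Path $configXml -Pattern $tenantId -Quiet)) {
    throw "Profile does not reference tenant $tenantId; check the gateway AAD settings."
}
Write-Host "Azure AD P2S profile ready: $configXml"
```

Run it once per gateway after the admin-consent step. Distribute the extracted profile folder to users rather than the SAS URL itself, since anyone holding the URL can fetch the profile until it expires.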
Then you need the Azure VPN Client, which supports Azure AD authentication; it is available from the Microsoft Store: https://www.microsoft.com/p/azure-vpn-client-preview/9np355qt2sqb?rtc=1&activetab=pivot:overviewtab
Once installed, launch the new VPN client and import the downloaded configuration; the authentication method should be set to Azure Active Directory.
When you hit the Connect button, an Azure AD authentication prompt will appear asking for your credentials (and for MFA or Conditional Access, if your policies require them).
You may be prompted to let your organization manage the device (if your device is not Azure AD registered and/or not already managed by Intune).