Azure – You can now use Azure AD authentication support for point to site VPN

As you already know, you can connect to your Azure virtual networks (VNets) from your devices using either Site to Site (S2S) VPN and/or Point to Site (P2S) VPN.

The Point to Site VPN connection use to require self-signed certificate for the client to connect to Azure.

Well, good news, you can now use your Azure Active Directory instead of the certificate based.

This is going to simplify a little bit Point to Site deployment while adding additional security as it supports conditional access and MFA.

To start using it you need to configure your Azure VPN gateway to support Azure AD authentication.

To do so, you need to get your Azure AD tenant ID (aka Directory ID), you can get it from the Properties blade of your Azure AD

image

Then you need to give the admin consent using the following URL’s (depending of you cloud type)

image

By granting the admin consent you will get a new Azure AD application called Azure VPN

image

Then you need to enable Azure AD authentication method on your VPN Gateway using the below command

$gw = Get-AzVirtualNetworkGateway -Name <your VPN Gateway> -ResourceGroupName <your resource group>

Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -AadTenantUri “https://login.microsoftonline.com/<your Azure AD ID>” -AadAudienceId “41b23e61-6c1e-4545-b367-cd054e0ed4b4” -AadIssuerUri https://sts.windows.net/<your Azure AD ID>/

It will take some time to get the VPN Gateway configuration being updated with this new settings

image

Once completed, you should see in the VpnClientConfiguration your Azure AD tenant and issue details

image

NOTE the Point to Site VPN connection must be configured with OpenVPN and no root certificate, otherwise you will ended with the error “Set-AzVirtualNetworkGateway : Vpn client configuration for gateway <removed> can have only one of the RadiusServer or vpnclient certificate or AAD Authentication settings.”

image  image

If you already have root certificates configured for your Point to Site connection, the command needs to be updated as below

$gw = Get-AzVirtualNetworkGateway -Name <your VPN Gateway> -ResourceGroupName <your resource group>

$gw.VpnClientConfiguration.VpnClientRootCertificates = @()

Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw –AadTenantUri “https://login.microsoftonline.com/<your Azure AD ID>” -AadAudienceId “41b23e61-6c1e-4545-b367-cd054e0ed4b4” -AadIssuerUri “https://sts.windows.net/<your Azure AD ID>/”

Finally you need to create a new VPN client profile to use the Azure AD authentication using the command

$profile = New-AzVpnClientConfiguration -ResourceGroupName <your resource group> -Name <your VPN Gateway> -AuthenticationMethod “EapTls”

$profile.VpnProfileSASUrl

The last command gives you an URL where to download the VPN profile; you can not use the Download VPN client option from the Point to Site blade

image

Then you need to get the Azure VPN Client which supports Azure AD authentication by adding the Azure VPN Client Azure AD application; the application is available through the Microsoft Store https://www.microsoft.com/p/azure-vpn-client-preview/9np355qt2sqb?rtc=1&activetab=pivot:overviewtab

image

Once installed, launch the new VPN client and import the configuration; the authentication method is should be set to Azure Active Directory

image  image  image

When you hit the Connect button, an Azure AD authentication prompt will appear asking you for your credentials

image  image

You may be prompted to let your organization to manage the device (if your device is not Azure AD registered and/or already managed by Intune)

image

Leave a Comment

Your email address will not be published.