Azure – You can now use Azure AD authentication support for point to site VPN

As you already know, you can connect to your Azure virtual networks (VNets) from your devices using either Site to Site (S2S) VPN and/or Point to Site (P2S) VPN.

The Point to Site VPN connection use to require self-signed certificate for the client to connect to Azure.

Well, good news, you can now use your Azure Active Directory instead of the certificate based.

This is going to simplify a little bit Point to Site deployment while adding additional security as it supports conditional access and MFA.

To start using it you need to configure your Azure VPN gateway to support Azure AD authentication.

To do so, you need to get your Azure AD tenant ID (aka Directory ID), you can get it from the Properties blade of your Azure AD


Then you need to give the admin consent using the following URL’s (depending of you cloud type)


By granting the admin consent you will get a new Azure AD application called Azure VPN


Then you need to enable Azure AD authentication method on your VPN Gateway using the below command

$gw = Get-AzVirtualNetworkGateway -Name <your VPN Gateway> -ResourceGroupName <your resource group>

Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -AadTenantUri “<your Azure AD ID>” -AadAudienceId “41b23e61-6c1e-4545-b367-cd054e0ed4b4” -AadIssuerUri<your Azure AD ID>/

It will take some time to get the VPN Gateway configuration being updated with this new settings


Once completed, you should see in the VpnClientConfiguration your Azure AD tenant and issue details


NOTE the Point to Site VPN connection must be configured with OpenVPN and no root certificate, otherwise you will ended with the error “Set-AzVirtualNetworkGateway : Vpn client configuration for gateway <removed> can have only one of the RadiusServer or vpnclient certificate or AAD Authentication settings.”

image  image

If you already have root certificates configured for your Point to Site connection, the command needs to be updated as below

$gw = Get-AzVirtualNetworkGateway -Name <your VPN Gateway> -ResourceGroupName <your resource group>

$gw.VpnClientConfiguration.VpnClientRootCertificates = @()

Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw –AadTenantUri “<your Azure AD ID>” -AadAudienceId “41b23e61-6c1e-4545-b367-cd054e0ed4b4” -AadIssuerUri “<your Azure AD ID>/”

Finally you need to create a new VPN client profile to use the Azure AD authentication using the command

$profile = New-AzVpnClientConfiguration -ResourceGroupName <your resource group> -Name <your VPN Gateway> -AuthenticationMethod “EapTls”


The last command gives you an URL where to download the VPN profile; you can not use the Download VPN client option from the Point to Site blade


Then you need to get the Azure VPN Client which supports Azure AD authentication by adding the Azure VPN Client Azure AD application; the application is available through the Microsoft Store


Once installed, launch the new VPN client and import the configuration; the authentication method is should be set to Azure Active Directory

image  image  image

When you hit the Connect button, an Azure AD authentication prompt will appear asking you for your credentials

image  image

You may be prompted to let your organization to manage the device (if your device is not Azure AD registered and/or already managed by Intune)


Leave a Comment

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.