Azure Point-To-Site VPN with Azure AD

Question

Azure Point-To-Site VPN with Azure AD

Abdullah Alattar 97

We have configured Azure VPN with Azure AD authentication, I want the user to be prompted to enter his password each time he connects to VPN.

Currently the user are prompted to enter his password when he connects first time, after that he does not get the prompt to enter password and can connect directly. which is not secure

Andreas Hartig 121 Reputation points

2023-03-28T09:24:17.7333333+00:00
Hi Abdullah,

entering a password is not secure. MFA or passwordless is the way to key and you should consider using Password, Certificate and MFA in a combination. If you thing entering a password is secure, you should reconsider that solution.

To require users to enter their Azure AD passwords each time they connect to the Azure VPN, you can configure the VPN client to not cache the user's credentials. Here are the steps to achieve this:

In the Azure portal, navigate to the VPN gateway's configuration page.

Under "Point-to-site configuration," click "Configure now" to edit the configuration.

Under "Authentication type," select "Azure Active Directory" if it's not already selected.

Under "Authentication method," select "User authentication."

Under "Advanced," set "User VPN credential caching" to "None."

Click "Save" to save the configuration changes.

With these settings, the user will be prompted to enter their Azure AD credentials each time they connect to the VPN. Note that this may increase the login time for users, but it ensures that their credentials are secure and not cached on the client device.
GitaraniSharma-MSFT 49,881 Reputation points Microsoft Employee

2023-03-29T12:41:17.7766667+00:00

@Abdullah Alattar , Just checking in to see if you had a chance to see the below answer. To help the community find the right answers, please do mark the post which was helpful by clicking on Accept Answer.

And, if you have any further questions do let us know.

Accepted answer

0 additional answers

Your answer

Andreas Hartig 121 Reputation points

2023-03-28T09:24:17.7333333+00:00

Hi Abdullah,

entering a password is not secure. MFA or passwordless is the way to key and you should consider using Password, Certificate and MFA in a combination. If you thing entering a password is secure, you should reconsider that solution.

To require users to enter their Azure AD passwords each time they connect to the Azure VPN, you can configure the VPN client to not cache the user's credentials. Here are the steps to achieve this:

In the Azure portal, navigate to the VPN gateway's configuration page.

Under "Point-to-site configuration," click "Configure now" to edit the configuration.

Under "Authentication type," select "Azure Active Directory" if it's not already selected.

Under "Authentication method," select "User authentication."

Under "Advanced," set "User VPN credential caching" to "None."

Click "Save" to save the configuration changes.

With these settings, the user will be prompted to enter their Azure AD credentials each time they connect to the VPN. Note that this may increase the login time for users, but it ensures that their credentials are secure and not cached on the client device.
GitaraniSharma-MSFT 49,881 Reputation points Microsoft Employee

2023-03-29T12:41:17.7766667+00:00

@Abdullah Alattar , Just checking in to see if you had a chance to see the below answer. To help the community find the right answers, please do mark the post which was helpful by clicking on Accept Answer.

And, if you have any further questions do let us know.

Answer 1

Hello @Abdullah Alattar ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you have configured Azure VPN with Azure AD authentication and currently the users are prompted to enter their password when they connect for the first time, after that they don't get the prompt to enter password and can connect directly. But you want the user to be prompted to enter their password each time they try to connect to VPN.

SSO is enabled by default for Azure VPN Client.
When you connect to Azure VPN client (Azure AD + OpenVPN) for the first time, it prompts for your user account and password and post that it presents the below prompt for SSO (single sign-on) options:

Option 1: If you choose "Allow my organization to manage my device" option, it registers your device to Azure AD and the credentials are stored using Primary Refresh Token (PRT) and hence there are no password prompts from next time whenever you try to connect to Azure VPN.
The registration of device can be found in your Windows Settings > Accounts > Access Work or School as below:

You can see your Azure AD account connected here and if you disconnect this, the password prompt comes back when trying to connect to Azure VPN client, but it presents the SSO options again and the cycle continues.

Option 2: If you choose "No, sign into this app only", the credentials are stored in the VPN client and hence there are no password prompts from next time whenever you try to connect to Azure VPN. There are no settings to get this option removed.

So, no matter which option you choose, the SSO remains in effect and doesn't prompt for password for consecutive connections.

Workaround: The only way to limit the SSO token is through the AAD configuration: token lifetime configuration or conditional access policies at the moment.

With AAD Conditional Access Policies the AAD Admin can set Sign In frequency (minimum value 1hour).
Reference : https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#policy-1-sign-in-frequency-control

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Gianluca S-B 5 Reputation points

2023-10-17T14:53:00.4733333+00:00

Hello, I am bringing back this to life. Is there a way to use SSO even to avoid to sign in for the first time? I am in an Azure Hybrid-Joined context and change of Azure VPN gateway (hence new XML file configuration). In brief, I would like that users are not prompted to authenticate against Azure AD (Entra)via Azure VPN client when they receive the new VPN profile and XML configuration, that is pushed by Intune. Thank you!
GitaraniSharma-MSFT 49,881 Reputation points Microsoft Employee

2023-10-25T09:51:45.8633333+00:00

Hello @Gianluca S-B ,

SSO is enabled by default for Azure VPN Client and there is no option to disable it at the moment.

There was an ask to force Disable SSO from VPN Client (outside of AAD Config) but I have not heard any new updates on the same.

I would request you to leave your feedback in the below forum requesting this feature. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

https://feedback.azure.com/d365community/forum/8ae9bf04-8326-ec11-b6e6-000d3a4f0789

Regards,

Gita
Gianluca S-B 5 Reputation points

2023-10-25T14:01:40.8966667+00:00

Hi Gita,

I don't want to disable SSO, I just don't want to click on my user to complete the authentication on Azure VPN Client when a new VPN profile is loaded onto the app. I don't know if you get what I mean... Thank you
GitaraniSharma-MSFT 49,881 Reputation points Microsoft Employee

2023-10-26T10:26:32.4266667+00:00

Yes, @Gianluca S-B , I understand but when you load a new VPN profile to the app and connect to Azure VPN client (Azure AD + OpenVPN) for the first time, it will prompt for your user account and password and post which it will present the SSO (single sign-on) options. There is no way to disable this step as of today.

Share via

Azure Point-To-Site VPN with Azure AD

0 additional answers

Your answer