P2S VPN: Server Access based on Azure AD Groups

Simon Arndt 20 Reputation points
2023-05-11T07:53:23.88+00:00

Hello,

I'm currently testing the point-to-site VPN with Azure AD authentication in Azure. The setup is working; I can connect to the servers via VPN. But my problem is that every user has access to every server, but not every department needs every server. So I would like to allow access to a specific server only for a specific security group.

For example:
Our finance team should have access to our print server and our SAP server with the required ports, while our support team only needs access to the print server.

Is there a way to implement this? We are currently using two virtual networks at two locations with a peer to peer connection. The servers are split between these two networks. We currently use one gateway.


Accepted answer
  1. GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator
    2023-05-11T11:18:52.4333333+00:00

    Hello @Simon Arndt ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know if there is a way to configure access based on Azure AD Groups in Azure point to site VPN, so that it will allow access to a specific server only for a specific user group.

    Yes, there are currently 2 options available to achieve your requirement.

    First option:

    If you are using normal VPN gateway, then you can configure P2S for access based on users and groups via Azure AD authentication.

    When you use Azure AD as the authentication method for P2S, you can configure P2S to allow different access for different users and groups. If you want different sets of users to be able to connect to different VPN gateways, you can register multiple apps in AD and link them to different VPN gateways.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant-multi-app

    But this will require different VPN gateways for different sets of users.

    Second option:

    You can configure user groups and IP address pools for P2S User VPNs within Azure Virtual WAN which is in preview.

    If you use Azure Virtual WAN, you can configure P2S User VPNs to assign users IP addresses from specific address pools based on their identity or authentication credentials by creating User Groups.

    A User Group or policy group is a logical representation of a group of users that should be assigned IP addresses from the same address pool.

    Gateways using Azure Active Directory authentication can use Azure Active Directory Group Object IDs to determine which user group a user belongs to. If a user is part of multiple Azure Active Directory groups, they're considered to be part of the Virtual WAN user group that has the lowest numerical priority.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-wan/user-groups-about

    https://learn.microsoft.com/en-us/azure/virtual-wan/user-groups-create

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

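The following is an added illustration, not code from the answer or from Azure: it models the Virtual WAN policy-group selection the answer describes (a user holding several Azure AD group object IDs lands in the group with the lowest numerical priority, each group owning one address pool) and then shows the step the answer leaves implicit, namely restricting each server by source address pool with NSG-style allow/deny rules. All GUIDs, pools, server names and ports are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed policy groups (placeholder GUIDs and pools, not real tenant values).
# Lower "priority" wins when a user belongs to more than one bound Azure AD group.
POLICY_GROUPS = [
    {"name": "finance", "priority": 0, "pool": "10.10.1.0/24",
     "aad_group_id": "11111111-1111-1111-1111-111111111111"},
    {"name": "support", "priority": 1, "pool": "10.10.2.0/24",
     "aad_group_id": "22222222-2222-2222-2222-222222222222"},
    {"name": "default", "priority": 99, "pool": "10.10.9.0/24",
     "aad_group_id": None},  # catch-all for users in none of the bound groups
]

# Constructed per-server policy: which policy group may reach which TCP ports.
SERVER_ACCESS = {
    "print": {"finance": [631, 9100], "support": [631, 9100]},
    "sap":   {"finance": [3200, 3300]},
}


def resolve_policy_group(user_aad_groups):
    """Return the policy group for a user: the lowest-priority group whose
    Azure AD object ID the user holds, falling back to the unbound default."""
    matches = [g for g in POLICY_GROUPS
               if g["aad_group_id"] is None or g["aad_group_id"] in user_aad_groups]
    return min(matches, key=lambda g: g["priority"])


def nsg_rules_for_server(server):
    """Build NSG-style rules: one allow per (pool, port), then a final deny-all."""
    rules, prio = [], 100
    for group_name, ports in SERVER_ACCESS.get(server, {}).items():
        pool = next(g["pool"] for g in POLICY_GROUPS if g["name"] == group_name)
        for port in ports:
            rules.append({"priority": prio, "access": "Allow", "source": pool, "port": port})
            prio += 10
    rules.append({"priority": 4000, "access": "Deny", "source": "*", "port": "*"})
    return rules


def is_allowed(client_ip, server, port):
    """Evaluate the server's rules in priority order for a VPN client address."""
    for rule in sorted(nsg_rules_for_server(server), key=lambda r: r["priority"]):
        src_ok = rule["source"] == "*" or ip_address(client_ip) in ip_network(rule["source"])
        port_ok = rule["port"] == "*" or rule["port"] == port
        if src_ok and port_ok:
            return rule["access"] == "Allow"
    return False
```

Because the pool a client receives is decided by group membership at connect time, the server-side rules never need to know individual users, only pools.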
