How to allow only people from Entra Group to connect to Azure VPN?

Pitawat-MKV 5 Reputation points

My company implemented Azure Virtual WAN with both site-to-site and point-to-site connections. Employees would use Azure VPN client to connect to Azure resources. Admins would download virtual hub User VPN profile and import it to user's VPN client and everyone would authenticate using Entra ID.

Now we would like to limit the people who can connect to Azure VPN by creating an Entra group and putting members in it, so I followed steps 3 and 4 of this documentation to bind the group ID.

After saving, I tested with my own Entra ID account, which isn't in that group, but I'm still able to connect to the VPN and get an IP address from the pool that the group was assigned to. I'm not sure if I am doing everything correctly, or whether that documentation isn't what I needed to follow.

Here are some details that might help:

  • There is only 1 VPN configuration
  • There is only 1 user group bound with VPN configuration
  • There is only 1 address pool assigned to VPN configuration
  • Azure certificate and RADIUS authentication are disabled

To recap what I would like to achieve: I would like to allow only people in an Entra group to be able to connect to Azure VPN, even though everyone else has the Virtual WAN user VPN profile imported to their Azure VPN client on their computers. Is this possible?

Please let me know if I should provide other details.

Thank you.


1 answer

  1. Pitawat-MKV 5 Reputation points

    The solution for this is pretty straightforward. Just assign the Entra group that can use the Azure VPN enterprise application. (Toggle "Assignment required?" to Yes.)

    I have also created a Conditional Access policy that targets the Azure VPN app, includes everyone except one Entra group, and has the "Grant" option set to "Block access".

    When users outside the group try to log in, they will see the "You don't have access" screen.

    One downside is that already connected users won't be forcibly disconnected. It will take time until their session ends and the Azure VPN Client tries to get a new token, and that's when the access will be blocked. (You can force disconnect them from the vWAN blade, but they will be able to reconnect as long as their token hasn't expired yet.) However, I believe if you are setting this up new and nobody has connected to the VPN yet, it will work right away.

    This is what I have done for now, if anyone has any suggestion or alternate method, please share.
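The two portal steps from the answer above (assignment required on the Azure VPN enterprise application, plus a block-everyone-except-the-group Conditional Access policy) can also be applied with Microsoft Graph PowerShell. This is an added example, not code from the poster; it assumes the Microsoft.Graph module is installed, that the service principal's display name is "Azure VPN", and that the allowed group is named "VPN-Users".

```powershell
# Added example: restrict the Azure VPN enterprise application to one Entra group.
# Assumptions: Microsoft.Graph module installed; app display name "Azure VPN";
# group display name "VPN-Users". Adjust the two filters to match your tenant.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
                        "Group.Read.All", "Policy.ReadWrite.ConditionalAccess"

$vpnApp = Get-MgServicePrincipal -Filter "displayName eq 'Azure VPN'"
$group  = Get-MgGroup -Filter "displayName eq 'VPN-Users'"
if (-not $vpnApp -or -not $group) { throw "Azure VPN service principal or VPN-Users group not found" }
if (@($vpnApp).Count -gt 1) { throw "More than one 'Azure VPN' service principal; pick the one in use" }

# Step 1: "Assignment required?" = Yes, then grant the group the built-in
# "Default Access" role (the all-zero appRoleId) so only its members can sign in.
Update-MgServicePrincipal -ServicePrincipalId $vpnApp.Id -AppRoleAssignmentRequired:$true
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $vpnApp.Id -BodyParameter @{
    principalId = $group.Id
    resourceId  = $vpnApp.Id
    appRoleId   = "00000000-0000-0000-0000-000000000000"
}

# Step 2: Conditional Access policy scoped to the Azure VPN app: all users except
# the group are blocked. Created in report-only mode first so the sign-in logs can
# confirm the exclusion covers the right accounts; set state to "enabled" afterwards.
$policy = @{
    displayName   = "Block Azure VPN for users outside VPN-Users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($group.Id) }
        applications = @{ includeApplications = @($vpnApp.AppId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verify: assignment is now required and the group holds the only assignment.
Get-MgServicePrincipal -ServicePrincipalId $vpnApp.Id -Property AppRoleAssignmentRequired |
    Select-Object -ExpandProperty AppRoleAssignmentRequired
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $vpnApp.Id |
    Select-Object PrincipalDisplayName, PrincipalType
```

As the answer notes, neither step terminates sessions that already hold a valid token; the block applies at the next token acquisition.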