MFA for P2S Azure VPN

michal 191 Reputation points
2020-11-18T21:45:48.877+00:00

Hello,

I'm trying to find out some info about MFA for accessing Azure P2S VPN.

I am trying to set up P2S VPN. I have already configured all with regards to P2S VPN, downloaded Azure VPN client etc. Authentication is Azure Active Directory. Now, all users already have MFA enforced in O365 and AZ AD has this O365 Free licence. I'm not sure whether this licence is enough for enabling MFA when connecting to P2S Azure VPN. Today, I've tried to connect to Azure via P2S VPN and it asked me for a CODE that was sent to my phone (and received with no issue). However, when I disconnected and tried to connect again, it did not ask me for CODE sent to a phone again - not even asked for username/password.

  • is this the way it should work? Shouldn't I get CODE to my phone every time I want to connect to the VPN?
  • I've found a guide about enabling MFA for Azure P2S VPN by creating a "Conditional Access" for Azure VPN in Enterprise Application in AZ AD. When I follow that guide, I can't complete it as it asks me to upgrade the AZ AD licecne to Premium when in Conditional Access section.

I'm a bit confused now... whether the MFA is actually working for me or not :)

Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,536 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,795 questions
{count} votes

Accepted answer
  1. SaiKishor-MSFT 17,231 Reputation points
    2020-11-19T23:32:10.407+00:00

    @michal

    Answering your questions here-

    • Is this the way it should work? Shouldn't I get CODE to my phone every time I want to connect to the VPN?

    The Azure AD default configuration for user sign-in frequency is a rolling window of 90 days. If you would like to change it, here some recommendations given for the same in this document.

    • I've found a guide about enabling MFA for Azure P2S VPN by creating a "Conditional Access" for Azure VPN in Enterprise Application in AZ AD. When I follow that guide, I can't complete it as it asks me to upgrade the AZ AD licecne to Premium when in Conditional Access section.

    As you mentioned, using Conditional Access does require additional Azure AD Premium P1 license as given in document.

    Hope this helps. If you need any further assistance regarding this issue, please feel free to add to this issue and we will be glad to assist. Thank you and have a good day!

    Remember:

    • Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
    • Want a reminder to come back and check responses? Here is how to subscribe to a notification.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. michal 191 Reputation points
    2020-11-20T11:34:21.213+00:00

    @FJcmdk4488
    yes... I used the same laptop... and it was within 10 minutes... Here is the story:

    • I did set up that P2S VPN few weeks ago and tested it. At that time, I did not have MFA enforced to my account in O365 Admin
    • Yesterday, I returned back to this and tested the connection again. This time, I already had MFA enforced via O365 Admin, as I was enforcing it few days ago to increase security. Now, it asked me for verification CODE... When I've tried to connect 2nd time, I was connected via asking a CODE again. Used same laptop within 10 minutes. Didn't check the VPN GW for connection, but I was definitely connected as I could reach the VM in Azure.

    @SaiKishor-MSFT
    I’ve just got confused as a guy tried to convince me that if I want to use MFA for P2S VPN to Azure, I have to have AZ AD Premium - Im not very experienced in this yet. But if I understand you correctly, it will work also with O365 licence when I have MFA enforced for users in O365 Admin? Just want to be clear on this to avoid spending money on PREMIUM AD if not required. This is the only “extra” feature I need. Not asking for the code during my 2nd access seems to be clear now when considering sign-in frequency

    To sum it up - to connect to Azure P2S VPN with AZAD + MFA authentication works with MFA enforced in O365 Admin even without AZAD Premium licence.... Do I get it right? :)


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.