Windows Remote Dial-in VPN with RADIUS to Azure AD

Lanky Doodle 226 Reputation points


We are fully 365 with devices connected to AAD. We have some hosted Server 2019 servers that are not currently AAD joined but I am looking to stand up a remote dial in VPN on them, as the firewall in the hosted environment has many site-to-site VPNs to our customer sites.

So the process would be: staff connect to this VPN, and from there they can get directly to customer devices.

If I AAD join these hosted servers, can I install NPS for RADIUS on one, and then Remote Access on another, and have the VPN use the RADIUS server, which is backed by AAD? Do I need a special subscription for AAD to be used like this?

I've done some googling but this specific setup doesn't yield many examples.


Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,481 questions
{count} votes

1 answer

Sort by: Most helpful
  1. amon 121 Reputation points Microsoft Employee

    There is an NPS extension for Azure AD, you must install it on a domain joined server and the server must have access to a few Microsoft endpoints, but those are the only requirements.
    Some references for you:

    1. RADIUS authentication with Azure AD
    2. VPN reference setup guide with RADIUS and Azure AD MFA

    One thing to note: Microsoft recommend you upgrade your VPN’s to SAML and directly federate your VPN with Azure AD. This gives your VPN the full breadth of Azure AD protection, including Conditional Access, Multi-Factor Authentication, device compliance, and Identity Protection..

    1 person found this answer helpful.
    0 comments No comments