Permissions needed to download VPN client for Point-to-site VPN

Matt Barron 66 Reputation points
2022-03-08T09:57:54.057+00:00

I have an Azure Virtual Network Gateway set up for point-to-site. What are the least permissive permissions I need to assign my Azure AD users so that they can download the VPN Client? I currently have given users read-only access, and when they try to download the client they get the following error message:

"File download error - Failed to dynamically fetch target download uri. "

This is the path through the Portal I'm using to get to the client download link: Home > virtual-network > virtual-network-gateway > Point-to-site configuration



Accepted answer
    GitaraniSharma-MSFT 49,596 Reputation points Microsoft Employee
    2022-03-08T11:43:27.687+00:00

    Hello @Matt Barron ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you have an Azure VPN gateway set up for P2S VPN connections with Azure Active Directory authentication and you would like to assign the least permissive permissions to your Azure AD users so that they can download the VPN Client from the Azure portal to configure a VPN client profile.

    The official recommendation is to create a client profile on one computer, export it, and then import it to other computers, if you want to configure multiple computers. This is the most restrictive way to make sure your users do not have access to the Azure portal.
    Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-client#profile

    But if you still want to provide your users access to the Azure portal to generate the VPN profile, the built-in role would be Network Contributor; however, it will allow the users to manage all networks. To restrict the permissions, you can go with custom roles and assign P2S VPN resource-level roles such as the below:

    Microsoft.Network/p2sVpnGateways/read - Gets a P2SVpnGateway.
    Microsoft.Network/p2sVpnGateways/generatevpnprofile/action - Generate Vpn Profile for P2SVpnGateway.

    Refer : https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#networking

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
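As an added example (not part of the accepted answer or of any Microsoft sample), the following Az PowerShell script builds the custom role the answer describes, scopes it to a single gateway resource and assigns it to a group instead of to individual users. The resource group, gateway and group values are placeholders; the answer lists the `p2sVpnGateways` operations, so the `virtualNetworkGateways` operation names used here for the asker's Virtual Network Gateway are an assumption to be confirmed against the operations reference the answer links before use.

```powershell
# Added example: least-privilege custom role for downloading a P2S VPN client profile.
# Placeholders (assumptions, replace with your own values):
$rg      = "rg-hub-network"                   # resource group of the gateway
$gwName  = "vgw-hub-p2s"                      # Virtual Network Gateway name
$groupId = "<object-id-of-vpn-users-group>"   # Azure AD group object ID to assign

Connect-AzAccount | Out-Null
$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name $gwName

# The accepted answer lists the p2sVpnGateways operations (Virtual WAN). For a
# Virtual Network Gateway the equivalent operations are assumed to be the ones
# below; confirm them in the linked operations reference before creating the role.
$roleDef = @{
    Name             = "P2S VPN Profile Downloader"
    IsCustom         = $true
    Description      = "Read one VPN gateway and generate/download its P2S client profile."
    Actions          = @(
        "Microsoft.Network/virtualNetworkGateways/read",
        "Microsoft.Network/virtualNetworkGateways/generatevpnprofile/action",
        "Microsoft.Network/virtualNetworkGateways/getvpnprofilepackageurl/action"
    )
    NotActions       = @()
    DataActions      = @()
    NotDataActions   = @()
    # Assignable only at this one gateway, never at subscription or resource-group scope.
    AssignableScopes = @($gw.Id)
}

$roleFile = Join-Path $env:TEMP "p2s-profile-downloader.json"
$roleDef | ConvertTo-Json -Depth 4 | Set-Content -Path $roleFile -Encoding utf8
$role = New-AzRoleDefinition -InputFile $roleFile

# Assign at the gateway scope; who can download is then controlled by group membership.
New-AzRoleAssignment -ObjectId $groupId -RoleDefinitionName $role.Name -Scope $gw.Id | Out-Null

# Check: the group holds only this role, only at the gateway, and the role has no wildcards.
Get-AzRoleAssignment -ObjectId $groupId -Scope $gw.Id |
    Select-Object RoleDefinitionName, Scope
if ($role.Actions -match '\*') {
    Write-Warning "Role contains wildcard actions; tighten it before assigning."
}
```

Users in the group also need the portal's Reader view of the parent resources to navigate to the gateway blade; the role above deliberately grants nothing beyond the gateway itself.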


1 additional answer

    Alan Kinane 16,911 Reputation points MVP
    2022-03-08T11:16:38.757+00:00

    Hi Matt, ideally you don't want to be giving your end users any access to the Azure portal. The VPN client download is more of an admin task that should be performed by a user with administrative privileges.

    Have you another way to distribute the VPN client? For example, using a file share or through OneDrive?

