Users can still connect after being deleted!

Scott Harper 1 Reputation point
2022-03-09T19:16:19.787+00:00

I'm setting up an Azure VPN Gateway in my Test environment before setting it up in Production.

I'm using OpenSSL/Azure AD Authentication. I also have MFA enabled and that's working fine.

When I set up a test client, I had to log in and perform MFA, and it went through just fine. I'm able to connect to the resource I want. However, for security and revocation, I wanted to make sure that when I disable a user account, the VPN connection is also disabled. So I disabled the test user account and waited a few minutes - then I could still connect! At first, I thought it could be a timing issue, so I gave it some more time, but I could still connect. Then I went further - I revoked all sessions and revoked MFA. The user could still connect. Finally, I tested whether deleting the user would stop them, but it didn't!

Once a user connects to Azure VPN Gateway, they can continue to connect even after their user account is disabled or even deleted. This was disturbing to find out and I bet anyone reading this using OpenSSL/Azure AD Auth is going to test this functionality and see the same problem.

I like the simplicity of Azure AD Auth and MFA (as opposed to certificates or RADIUS) but without the ability to revoke a user's access to VPN, I can't put this solution into Production.

Is there another place I need to go to revoke VPN access, or is this just some oversight by Microsoft?


3 answers

  1. risolis 8,711 Reputation points
    2022-03-10T02:26:44.707+00:00

    Hi @Scott Harper

    Did you remove the client profile?

    When you tested the first time... did you enable "connect automatically"?

    Regards!


  2. Udaiappa Ramachandran 726 Reputation points MVP
    2022-03-10T03:17:52.14+00:00

    Did you try Revoke-AzureADUserAllRefreshToken using PowerShell?

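    As an added illustration of the revocation step suggested in this answer (example script written for this page, not code from the answer's author or from Microsoft): the snippet below uses the AzureAD PowerShell module to disable a user, revoke all of that user's refresh tokens, and then read back the `RefreshTokensValidFromDateTime` property to confirm the revocation actually took effect in the directory. The user principal name is a placeholder. One caveat a practitioner should keep in mind when interpreting a test like the one in the question: revoking refresh tokens only prevents new tokens from being issued; an access token that was already issued remains valid until it expires, so a client that still holds one can keep working for up to that token's lifetime.

    ```powershell
    # Added example, not part of the original thread.
    # Requires the AzureAD module: Install-Module AzureAD
    # $Upn is a placeholder; replace with the account under test.
    $Upn = 'vpn-test-user@example.com'

    Connect-AzureAD | Out-Null

    # Look the user up by UPN (the -ObjectId parameter accepts a UPN or an object ID).
    $user = Get-AzureADUser -ObjectId $Upn
    $before = $user.RefreshTokensValidFromDateTime
    Write-Host "RefreshTokensValidFromDateTime before revocation: $before"

    # Step 1: block interactive sign-in for the account.
    Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false

    # Step 2: invalidate every refresh token the user currently holds.
    # Clients will have to re-authenticate once their current access token expires.
    Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

    # Step 3: verify the directory recorded the revocation. The timestamp should have
    # moved forward; if it did not, the revocation did not apply and the test is invalid.
    $after = (Get-AzureADUser -ObjectId $user.ObjectId).RefreshTokensValidFromDateTime
    Write-Host "RefreshTokensValidFromDateTime after revocation:  $after"

    if ($after -gt $before) {
        Write-Host 'Revocation recorded. Existing access tokens stay valid until they expire;'
        Write-Host 'retest the VPN connection after that window has passed.'
    } else {
        Write-Warning 'Revocation timestamp did not advance; check permissions and retry.'
    }
    ```

    When reading the result, compare the VPN client's behaviour against the access-token lifetime rather than against the moment the command ran: a connection that still succeeds within that window does not by itself show that revocation failed.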

  3. Brent Greenberg 1 Reputation point
    2022-06-15T20:07:33.22+00:00

    Any update on this?
