I'm setting up an Azure VPN Gateway in my Test environment before setting it up in Production.
I'm using OpenSSL/Azure AD Authentication. I also have MFA enabled and that's working fine.
When I set up a test client, I had to log in and perform MFA and it went through just fine. I'm able to connect to the resource I want. However, for security and revocation, I wanted to make sure that when I disable a user account, the VPN connection is also disabled. So I disabled the test user account, waited a few minutes - then I could still connect! At first, I thought it could be a timing issue so I gave it some more time but could still connect. Then I started going further - I revoked all sessions and revoked MFA. The user could still connect. Finally, I tested whether deleting the user would stop them but it didn't!
Once a user connects to Azure VPN Gateway, they can continue to connect even after their user account is disabled or even deleted. This was disturbing to find out and I bet anyone reading this using OpenSSL/Azure AD Auth is going to test this functionality and see the same problem.
I like the simplicity of Azure AD Auth and MFA (as opposed to certificates or RADIUS) but without the ability to revoke a user's access to VPN, I can't put this solution into Production.
Is there another place I need to go to revoke VPN access or is this just some oversight by Microsoft?
Did you remove the client profile?
When you test the first time... Did you enable connect automatically?
Regards!
Did you try Revoke-AzureADUserAllRefreshToken using PowerShell?
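As an added example (not code from the thread or from Microsoft), here is the revocation sequence the reply above suggests, written as a script that disables the account and then calls Revoke-AzureADUserAllRefreshToken, so the VPN client cannot silently obtain a fresh access token the next time it needs one. It assumes the AzureAD PowerShell module, an account with rights to manage users, and a placeholder user principal name; the script name and parameter are mine.

```powershell
# Added example: disable a test user and revoke all of their Azure AD refresh tokens,
# then read the resulting state back. Assumes the AzureAD module is installed and
# the caller has rights to manage users. The UPN passed in is a placeholder for the
# account under test.
param(
    [Parameter(Mandatory = $true)]
    [string] $UserPrincipalName
)

Connect-AzureAD | Out-Null

# -ObjectId accepts either an object id or a UPN
$user = Get-AzureADUser -ObjectId $UserPrincipalName
if (-not $user) { throw "User $UserPrincipalName not found" }

# Step 1: block new sign-ins (what the original poster tried first)
Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false

# Step 2: invalidate every refresh token issued to the user. Tokens issued before
# RefreshTokensValidFromDateTime are rejected at the next token request, so the
# client cannot renew its session without signing in again (which step 1 blocks).
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

# Step 3: report the state so the tester can confirm both changes took effect
# before repeating the reconnect test from the question.
$after = Get-AzureADUser -ObjectId $user.ObjectId
[pscustomobject]@{
    User                           = $after.UserPrincipalName
    AccountEnabled                 = $after.AccountEnabled
    RefreshTokensValidFromDateTime = $after.RefreshTokensValidFromDateTime
}
```

Run it as `.\Revoke-VpnUser.ps1 -UserPrincipalName testuser@contoso.com` (placeholder name), then repeat the poster's check: disconnect, wait, and try to reconnect. The script only prevents new tokens from being issued; whether an already established tunnel is dropped is exactly the behaviour the question reports as not happening, so the reconnect test is still the thing to observe.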
Any update on this?