Users can still connect after being deleted!

Scott Harper 1 Reputation point
2022-03-09T19:16:19.787+00:00

I'm setup an Azure VPN Gateway in my Test environment before setting it up in Production.

I'm using OpenSSL/Azure AD Authentication. I also have MFA enabled and that's working fine.

When I setup a test client, I had to login and perform MFA and it went through just fine. I'm able to connect to the resource I want. However, for security and revocation, I wanted to make sure that when I disable a user account, the VPN connect is also disabled. So I disabled the test user account, waited a few minutes - then I could still connect! At first, I thought it could be a timing issue so I gave it some more time but could still connect. Then I started going further - I revoked all sessions and revoked MFA. The user could still connect. Finally, I tested whether deleting the user would stop them but it didn't!

Once a user connects to Azure VPN Gateway, they can continue to connect even after their user account is disabled or even deleted. This was disturbing to find out and I bet anyone reading this using OpenSSL/Azure AD Auth is going to test this functionality and see the same problem.

I like the simplicity of Azure AD Auth and MFA (as opposed to certificates or RADIUS) but without the ability to revoke a user's access to VPN, I can't put this solution into Production.

Is there another place I need to go to revoke VPN access or is this just some oversight by microsoft?

Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,404 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,856 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. risolis 8,701 Reputation points
    2022-03-10T02:26:44.707+00:00

    Hi @Scott Harper

    Did you remove the client profile ?

    When you test the first time... Did you enable connect automatically?

    Regards!

    0 comments No comments

  2. Udaiappa Ramachandran 726 Reputation points MVP
    2022-03-10T03:17:52.14+00:00

    Did you try Revoke-AzureADUserAllRefreshToken using PowerShell?

    0 comments No comments

  3. Brent Greenberg 1 Reputation point
    2022-06-15T20:07:33.22+00:00

    Any update on this?

    0 comments No comments