Edit

Configure an Azure AD tenant for P2S User VPN OpenVPN protocol connections

  • Article
  • 2 minutes to read

When you connect to your VNet using Virtual WAN User VPN (point-to-site), you have a choice of which protocol to use. The protocol you use determines the authentication options that are available to you. If you're using the OpenVPN protocol, Azure Active Directory authentication is one of the authentication options available for you to use. This article helps you configure an Azure AD tenant for Virtual WAN User VPN (point-to-site) using OpenVPN authentication.

Note

Azure AD authentication is supported only for OpenVPNĀ® protocol connections and requires the Azure VPN Client.

1. Create the Azure AD tenant

Verify that you have an Azure AD tenant. If you don't have an Azure AD tenant, you can create one using the steps in the Create a new tenant article:

  • Organization name
  • Initial domain name

2. Create Azure AD tenant users

  1. Create two accounts in the newly created Azure AD tenant. For steps, see Add or delete a new user.

    • Global administrator account
    • User account

    The global administrator account will be used to grant consent to the Azure VPN app registration. The user account can be used to test OpenVPN authentication.

  2. Assign one of the accounts the Global administrator role. For steps, see Assign administrator and non-administrator roles to users with Azure Active Directory.

3. Grant consent to the Azure VPN app registration

  1. Sign in to the Azure portal as a user that is assigned the Global administrator role.

  2. Next, grant admin consent for your organization. This allows the Azure VPN application to sign in and read user profiles. Copy and paste the URL that pertains to your deployment location in the address bar of your browser:

    Public

    https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

    Azure Government

    https://login.microsoftonline.us/common/oauth2/authorize?client_id=51bb15d4-3a4f-4ebf-9dca-40096fe32426&response_type=code&redirect_uri=https://portal.azure.us&nonce=1234&prompt=admin_consent

    Microsoft Cloud Germany

    https://login-us.microsoftonline.de/common/oauth2/authorize?client_id=538ee9e6-310a-468d-afef-ea97365856a9&response_type=code&redirect_uri=https://portal.microsoftazure.de&nonce=1234&prompt=admin_consent

    Azure China 21Vianet

    https://login.chinacloudapi.cn/common/oauth2/authorize?client_id=49f817b6-84ae-4cc0-928c-73f27289b3aa&response_type=code&redirect_uri=https://portal.azure.cn&nonce=1234&prompt=admin_consent

    Note

    If you're using a global admin account that is not native to the Azure AD tenant to provide consent, replace "common" with the Azure AD tenant ID in the URL. You may also have to replace "common" with your tenant ID in certain other cases as well. For help with finding your tenant ID, see How to find your Azure Active Directory tenant ID.

  3. Select the account that has the Global administrator role if prompted.

  4. On the Permissions requested page, select Accept.

  5. Go to Azure Active Directory. In the left pane, click Enterprise applications. You'll see Azure VPN listed.

    Screenshot of the Enterprise application page showing Azure V P N listed.

Next steps

In order to connect to your virtual networks using Azure AD authentication, you must create a User VPN configuration and associate it to a Virtual Hub. See Configure Azure AD authentication for point-to-site connection to Azure.