Configure a Microsoft Entra tenant for P2S User VPN OpenVPN protocol connections

When you connect to your VNet using Virtual WAN User VPN (point-to-site), you have a choice of which protocol to use. The protocol you use determines the authentication options that are available to you. If you're using the OpenVPN protocol, Microsoft Entra authentication is one of the authentication options available for you to use. This article helps you configure a Microsoft Entra tenant for Virtual WAN User VPN (point-to-site) using OpenVPN authentication.


Microsoft Entra ID authentication is supported only for OpenVPNĀ® protocol connections and requires the Azure VPN Client.

1. Create the Microsoft Entra tenant

Verify that you have a Microsoft Entra tenant. If you don't have a Microsoft Entra tenant, you can create one using the steps in the Create a new tenant article:

  • Organization name
  • Initial domain name

2. Create Microsoft Entra tenant users

  1. Create two accounts in the newly created Microsoft Entra tenant. For steps, see Add or delete a new user.

    • Global administrator account
    • User account

    The global administrator account will be used to grant consent to the Azure VPN app registration. The user account can be used to test OpenVPN authentication.

  2. Assign one of the accounts the Global administrator role. For steps, see Assign administrator and non-administrator roles to users with Microsoft Entra ID.

3. Grant consent to the Azure VPN app registration

  1. Sign in to the Azure portal as a user that is assigned the Global administrator role.

  2. Next, grant admin consent for your organization. This allows the Azure VPN application to sign in and read user profiles. Copy and paste the URL that pertains to your deployment location in the address bar of your browser:


    Azure Government

    Microsoft Cloud Germany

    Microsoft Azure operated by 21Vianet


    If you're using a global admin account that is not native to the Microsoft Entra tenant to provide consent, replace "common" with the Microsoft Entra tenant ID in the URL. You may also have to replace "common" with your tenant ID in certain other cases as well. For help with finding your tenant ID, see How to find your Microsoft Entra tenant ID.

  3. Select the account that has the Global administrator role if prompted.

  4. On the Permissions requested page, select Accept.

  5. Go to Microsoft Entra ID. In the left pane, click Enterprise applications. You'll see Azure VPN listed.

    Screenshot of the Enterprise application page showing Azure V P N listed.

Next steps

In order to connect to your virtual networks using Microsoft Entra authentication, you must create a User VPN configuration and associate it to a Virtual Hub. See Configure Microsoft Entra authentication for point-to-site connection to Azure.