Configure the Azure VPN Client - Azure AD authentication - macOS
This article helps you configure a VPN client for a computer running macOS 10.15 and later to connect to a virtual network using Point-to-Site VPN and Azure Active Directory authentication. Before you can connect and authenticate using Azure AD, you must first configure your Azure AD tenant. For more information, see Configure an Azure AD tenant. For more information about Point-to-Site connections, see About Point-to-Site connections.
- Azure AD authentication is supported only for OpenVPN® protocol connections and requires the Azure VPN Client.
- The Azure VPN client for macOS is currently not available in France and China due to local regulations and requirements.
For every computer that you want to connect to a VNet using a Point-to-Site VPN connection, you need to do the following:
- Download the Azure VPN Client to the computer.
- Configure a client profile that contains the VPN settings.
If you want to configure multiple computers, you can create a client profile on one computer, export it, and then import it to other computers.
Before you can connect and authenticate using Azure AD, you must first configure your Azure AD tenant. For more information, see Configure an Azure AD tenant.
Download the Azure VPN Client
- Download the Azure VPN Client from the Apple Store.
- Install the client on your computer.
Generate VPN client profile configuration files
- To generate the VPN client profile configuration package, see Working with P2S VPN client profile files.
- Download and extract the VPN client profile configuration files.
Import VPN client profile configuration files
On the Azure VPN Client page, select Import.
Navigate to the profile file that you want to import, select it, then click Open.
View the connection profile information. Change the Certificate Information value to show DigiCert Global Root G2, rather than the default or blank, then click Save.
In the VPN connections pane, select the connection profile that you saved. Then, click Connect.
Once connected, the status will change to Connected. To disconnect from the session, click Disconnect.
To create a connection manually
Open the Azure VPN Client. Select Add to create a new connection.
On the Azure VPN Client page, you can configure the profile settings. Change the Certificate Information value to show DigiCert Global Root G2, rather than the default or blank, then click Save.
Configure the following settings:
- Connection Name: The name by which you want to refer to the connection profile.
- VPN Server: This name is the name that you want to use to refer to the server. The name you choose here does not need to be the formal name of a server.
- Server Validation
- Certificate Information: The certificate CA.
- Server Secret: The server secret.
- Client Authentication
- Authentication Type: Azure Active Directory
- Tenant: Name of the tenant.
- Issuer: Name of the issuer.
After filling in the fields, click Save.
In the VPN connections pane, select the connection profile that you configured. Then, click Connect.
Using your credentials, sign in to connect.
Once connected, you will see the Connected status. When you want to disconnect, click Disconnect to disconnect the connection.
To remove a VPN connection profile
You can remove the VPN connection profile from your computer.
Navigate to the Azure VPN Client.
Select the VPN connection that you want to remove, click the dropdown, and select Remove.
On the Remove VPN connection? box, click Remove.
Optional Azure VPN Client configuration settings
You can configure the Azure VPN Client with optional configuration settings such as additional DNS servers, custom DNS, forced tunneling, custom routes, and other additional settings. For a description of the available optional settings and configuration steps, see Azure VPN Client optional settings.
For more information, see Create an Azure AD tenant for P2S Open VPN connections that use Azure AD authentication.
Submit and view feedback for