Enable Microsoft Entra multifactor authentication (MFA) for VPN users

If you want users to be prompted for a second factor of authentication before granting access, you can configure Microsoft Entra multifactor authentication (MFA). You can configure MFA on a per user basis, or you can leverage MFA via Conditional Access.

  • MFA per user can be enabled at no-additional cost. When you enable MFA per user, the user is prompted for second factor authentication against all applications tied to the Microsoft Entra tenant. See Option 1 for steps.
  • Conditional Access allows for finer-grained control over how a second factor should be promoted. It can allow assignment of MFA to only VPN, and exclude other applications tied to the Microsoft Entra tenant. See Option 2 for steps.

Enable authentication

  1. Navigate to Microsoft Entra ID -> Enterprise applications -> All applications.

  2. On the Enterprise applications - All applications page, select Azure VPN.

    Directory ID

Configure sign-in settings

On the Azure VPN - Properties page, configure sign-in settings.

  1. Set Enabled for users to sign-in? to Yes. This setting allows all users in the AD tenant to connect to the VPN successfully.

  2. Set User assignment required? to Yes if you want to limit sign-in to only users that have permissions to the Azure VPN.

  3. Save your changes.


Option 1 - Per User access

Open the MFA page

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Entra ID -> All users.

  3. Select Multi-Factor Authentication to open the multi-factor authentication page.

    Sign in

Select users

  1. On the multi-factor authentication page, select the user(s) for whom you want to enable MFA.

  2. Select Enable.


Option 2 - Conditional Access

Conditional Access allows for fine-grained access control on a per-application basis. In order to use Conditional Access, you should have Microsoft Entra ID P1 or P2 or greater licensing applied to the users that will be subject to the Conditional Access rules.

  1. Navigate to the Enterprise applications - All applications page and click Azure VPN.

    • Click Conditional Access.
    • Click New policy to open the New pane.
  2. On the New pane, navigate to Assignments -> Users and groups. On the Users and groups -> Include tab:

    • Click Select users and groups.
    • Check Users and groups.
    • Click Select to select a group or set of users to be affected by MFA.
    • Click Done.


  3. On the New pane, navigate to the Access controls -> Grant pane:

    • Click Grant access.
    • Click Require multi-factor authentication.
    • Click Require all the selected controls.
    • Click Select.

    Grant access - MFA

  4. In the Enable policy section:

    • Select On.
    • Click Create.

    Enable Policy

Next steps

To connect to your virtual network, you must create and configure a VPN client profile. See Configure a VPN client for P2S VPN connections.