Configure P2S for access based on users and groups - Azure AD authentication

When you use Azure AD as the authentication method for P2S, you can configure P2S to allow different access for different users and groups. If you want different sets of users to be able to connect to different VPN gateways, you can register multiple apps in AD and link them to different VPN gateways. This article helps you set up an Azure AD tenant for P2S Azure AD authentication and create and register multiple apps in Azure AD for allowing different access for different users and groups. For more information about point-to-site protocols and authentication, see About point-to-site VPN.

Note

Azure AD authentication is supported only for OpenVPN® protocol connections and requires the Azure VPN Client.

Azure AD tenant

The steps in this article require an Azure AD tenant. If you don't have an Azure AD tenant, you can create one using the steps in the Create a new tenant article. Note the following fields when creating your directory:

  • Organizational name
  • Initial domain name

Create Azure AD tenant users

  1. Create two accounts in the newly created Azure AD tenant. For steps, see Add or delete a new user.

    • Global administrator account
    • User account

    The global administrator account will be used to grant consent to the Azure VPN app registration. The user account can be used to test OpenVPN authentication.

  2. Assign one of the accounts the Global administrator role. For steps, see Assign administrator and non-administrator roles to users with Azure Active Directory.

Authorize the Azure VPN application

  1. Sign in to the Azure portal as a user that is assigned the Global administrator role.

  2. Next, grant admin consent for your organization. This allows the Azure VPN application to sign in and read user profiles. Copy and paste the URL that pertains to your deployment location in the address bar of your browser:

    Public

    https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent
    

    Azure Government

    https://login.microsoftonline.us/common/oauth2/authorize?client_id=51bb15d4-3a4f-4ebf-9dca-40096fe32426&response_type=code&redirect_uri=https://portal.azure.us&nonce=1234&prompt=admin_consent
    

    Microsoft Cloud Germany

    https://login-us.microsoftonline.de/common/oauth2/authorize?client_id=538ee9e6-310a-468d-afef-ea97365856a9&response_type=code&redirect_uri=https://portal.microsoftazure.de&nonce=1234&prompt=admin_consent
    

    Azure China 21Vianet

    https://login.chinacloudapi.cn/common/oauth2/authorize?client_id=49f817b6-84ae-4cc0-928c-73f27289b3aa&response_type=code&redirect_uri=https://portal.azure.cn&nonce=1234&prompt=admin_consent
    

    Note

    If you're using a global admin account that is not native to the Azure AD tenant to provide consent, replace "common" with the Azure AD tenant ID in the URL. You may also have to replace "common" with your tenant ID in certain other cases as well. For help with finding your tenant ID, see How to find your Azure Active Directory tenant ID.

  3. Select the account that has the Global administrator role if prompted.

  4. On the Permissions requested page, select Accept.

  5. Go to Azure Active Directory. In the left pane, click Enterprise applications. You'll see Azure VPN listed.

    Screenshot of the Enterprise application page showing Azure V P N listed.

Register additional applications

In this section, you can register additional applications for various users and groups. Repeat the steps to create as many applications that are needed for your security requirements. Each application will be associated to a VPN gateway and can have a different set of users. Only one application can be associated to a gateway.

Add a scope

  1. In the Azure portal, select Azure Active Directory.

  2. In the left pane, select App registrations.

  3. At the top of the App registrations page, select + New registration.

  4. On the Register an application page, enter the Name. For example, MarketingVPN. You can always change the name later.

    • Select the desired Supported account types.
    • At the bottom of the page, click Register.
  5. Once the new app has been registered, in the left pane, click Expose an API. Then click + Add a scope.

    • On the Add a scope page, leave the default Application ID URI.
    • Click Save and continue.
  6. The page returns back to the Add a scope page. Fill in the required fields and ensure that State is Enabled.

    Screenshot of Azure Active Directory add a scope page.

  7. When you're done filling out the fields, click Add scope.

Add a client application

  1. On the Expose an API page, click + Add a client application.

  2. On the Add a client application page, for Client ID, enter the following values depending on the cloud:

    • Azure Public: 41b23e61-6c1e-4545-b367-cd054e0ed4b4
    • Azure Government: 51bb15d4-3a4f-4ebf-9dca-40096fe32426
    • Azure Germany: 538ee9e6-310a-468d-afef-ea97365856a9
    • Azure China 21Vianet: 49f817b6-84ae-4cc0-928c-73f27289b3aa
  3. Select the checkbox for the Authorized scopes to include. Then, click Add application.

    Screenshot of Azure Active Directory add client application page.

  4. Click Add application.

Copy Application (client) ID

When you enable authentication on the VPN gateway, you'll need the Application (client) ID value in order to fill out the Audience value for the point-to-site configuration.

  1. Go to the Overview page.

  2. Copy the Application (client) ID from the Overview page and save it so that you can access this value later. You'll need this information to configure your VPN gateway(s).

    Screenshot showing Client ID value.

Assign users to applications

Assign the users to your applications.

  1. Go to your Azure Active Directory and select Enterprise applications.
  2. From the list, locate the application you just registered and click to open it.
  3. Click Properties. On the Properties page, verify that Enabled for users to sign in is set to Yes. If not, change the value to Yes, then Save.
  4. In the left pane, click Users and groups. On the Users and groups page, click + Add user/group to open the Add Assignment page.
  5. Click the link under Users and groups to open the Users and groups page. Select the users and groups that you want to assign, then click Select.
  6. After you finish selecting users and groups, click Assign.

Configure authentication for the gateway

In this step, you configure P2S Azure AD authentication for the virtual network gateway.

  1. Go to the virtual network gateway. In the left pane, click Point-to-site configuration.

    Screenshot showing point-to-site configuration page.

    Configure the following values:

    • Address pool: client address pool
    • Tunnel type: OpenVPN (SSL)
    • Authentication type: Azure Active Directory

    For Azure Active Directory values, use the following guidelines for Tenant, Audience, and Issuer values.

    • Tenant: https://login.microsoftonline.com/{TenantID}
    • Audience ID: Use the value that you created in the previous section that corresponds to Application (client) ID. Don't use the application ID for "Azure VPN" Azure AD Enterprise App - use application ID that you created and registered. If you use the application ID for the ""Azure VPN" Azure AD Enterprise App instead, this will grant all users access to the VPN gateway (which would be the default way to set up access), instead of granting only the users that you assigned to the application that you created and registered.
    • Issuer: https://sts.windows.net/{TenantID} For the Issuer value, make sure to include a trailing / at the end.
  2. Once you finish configuring settings, click Save at the top of the page.

Download the Azure VPN Client profile configuration package

In this section, you generate and download the Azure VPN Client profile configuration package. This package contains the settings that you can use to configure the Azure VPN Client profile on client computers.

  1. At the top of the Point-to-site configuration page, click Download VPN client. It takes a few minutes for the client configuration package to generate.

  2. Your browser indicates that a client configuration zip file is available. It's named the same name as your gateway.

  3. Extract the downloaded zip file.

  4. Browse to the unzipped "AzureVPN" folder.

  5. Make a note of the location of the “azurevpnconfig.xml” file. The azurevpnconfig.xml contains the setting for the VPN connection. You can also distribute this file to all the users that need to connect via e-mail or other means. The user will need valid Azure AD credentials to connect successfully. For more information, see Azure VPN client profile config files for Azure AD authentication.

Next steps