Configure P2S for access based on users and groups - Microsoft Entra authentication

When you use Microsoft Entra ID as the authentication method for P2S, you can configure P2S to allow different access for different users and groups. If you want different sets of users to be able to connect to different VPN gateways, you can register multiple apps in AD and link them to different VPN gateways. This article helps you set up a Microsoft Entra tenant for P2S Microsoft Entra authentication and create and register multiple apps in Microsoft Entra ID for allowing different access for different users and groups. For more information about point-to-site protocols and authentication, see About point-to-site VPN.

Note

Microsoft Entra authentication is supported only for OpenVPN® protocol connections and requires the Azure VPN Client.

Microsoft Entra tenant

The steps in this article require a Microsoft Entra tenant. If you don't have a Microsoft Entra tenant, you can create one using the steps in the Create a new tenant article. Note the following fields when creating your directory:

  • Organizational name
  • Initial domain name

Create Microsoft Entra tenant users

  1. Create two accounts in the newly created Microsoft Entra tenant. For steps, see Add or delete a new user.

    • Global administrator account
    • User account

    The global administrator account will be used to grant consent to the Azure VPN app registration. The user account can be used to test OpenVPN authentication.

  2. Assign one of the accounts the Global administrator role. For steps, see Assign administrator and non-administrator roles to users with Microsoft Entra ID.

Authorize the Azure VPN application

  1. Sign in to the Azure portal as a user that is assigned the Global administrator role.

  2. Next, grant admin consent for your organization. This allows the Azure VPN application to sign in and read user profiles. Copy and paste the URL that pertains to your deployment location into the address bar of your browser:

    Public

    https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent
    

    Azure Government

    https://login.microsoftonline.us/common/oauth2/authorize?client_id=51bb15d4-3a4f-4ebf-9dca-40096fe32426&response_type=code&redirect_uri=https://portal.azure.us&nonce=1234&prompt=admin_consent
    

    Microsoft Cloud Germany

    https://login-us.microsoftonline.de/common/oauth2/authorize?client_id=538ee9e6-310a-468d-afef-ea97365856a9&response_type=code&redirect_uri=https://portal.microsoftazure.de&nonce=1234&prompt=admin_consent
    

    Microsoft Azure operated by 21Vianet

    https://login.chinacloudapi.cn/common/oauth2/authorize?client_id=49f817b6-84ae-4cc0-928c-73f27289b3aa&response_type=code&redirect_uri=https://portal.azure.cn&nonce=1234&prompt=admin_consent
    

    Note

    If you're using a global admin account that is not native to the Microsoft Entra tenant to provide consent, replace "common" with the Microsoft Entra tenant ID in the URL. You may also have to replace "common" with your tenant ID in certain other cases. For help with finding your tenant ID, see How to find your Microsoft Entra tenant ID.

  3. Select the account that has the Global administrator role if prompted.

  4. On the Permissions requested page, select Accept.

  5. Go to Microsoft Entra ID. In the left pane, click Enterprise applications. You'll see Azure VPN listed.

    Screenshot of the Enterprise applications page showing Azure VPN listed.

Register additional applications

In this section, you register additional applications for various users and groups. Repeat the steps to create as many applications as are needed for your security requirements. Each application will be associated with a VPN gateway and can have a different set of users. Only one application can be associated with a gateway.

Add a scope

  1. In the Azure portal, select Microsoft Entra ID.

  2. In the left pane, select App registrations.

  3. At the top of the App registrations page, select + New registration.

  4. On the Register an application page, enter the Name. For example, MarketingVPN. You can always change the name later.

    • Select the desired Supported account types.
    • At the bottom of the page, click Register.
  5. Once the new app has been registered, in the left pane, click Expose an API. Then click + Add a scope.

    • On the Add a scope page, leave the default Application ID URI.
    • Click Save and continue.
  6. The page returns to the Add a scope page. Fill in the required fields and ensure that State is Enabled.

    Screenshot of Microsoft Entra ID add a scope page.

  7. When you're done filling out the fields, click Add scope.

Add a client application

  1. On the Expose an API page, click + Add a client application.

  2. On the Add a client application page, for Client ID, enter the following values depending on the cloud:

    • Azure Public: 41b23e61-6c1e-4545-b367-cd054e0ed4b4
    • Azure Government: 51bb15d4-3a4f-4ebf-9dca-40096fe32426
    • Azure Germany: 538ee9e6-310a-468d-afef-ea97365856a9
    • Microsoft Azure operated by 21Vianet: 49f817b6-84ae-4cc0-928c-73f27289b3aa
  3. Select the checkbox for the Authorized scopes to include. Then, click Add application.

    Screenshot of Microsoft Entra ID add client application page.

  4. Click Add application.

Copy Application (client) ID

When you enable authentication on the VPN gateway, you'll need the Application (client) ID value in order to fill out the Audience value for the point-to-site configuration.

  1. Go to the Overview page.

  2. Copy the Application (client) ID from the Overview page and save it so that you can access this value later. You'll need this information to configure your VPN gateway(s).

    Screenshot showing Client ID value.

Assign users to applications

Assign the users to your applications. If you're specifying a group, the user must be a direct member of the group. Nested groups aren't supported.

  1. Go to your Microsoft Entra ID and select Enterprise applications.
  2. From the list, locate the application you just registered and click to open it.
  3. Click Properties. On the Properties page, verify that Enabled for users to sign in is set to Yes. If not, change the value to Yes.
  4. For Assignment required, change the value to Yes. For more information about this setting, see Application properties.
  5. If you've made changes, click Save to save your settings.
  6. In the left pane, click Users and groups. On the Users and groups page, click + Add user/group to open the Add Assignment page.
  7. Click the link under Users and groups to open the Users and groups page. Select the users and groups that you want to assign, then click Select.
  8. After you finish selecting users and groups, click Assign.

Configure authentication for the gateway

Important

The Azure portal is in the process of updating Azure Active Directory fields to Entra. If you see Microsoft Entra ID referenced and you don't see those values in the portal yet, you can select Azure Active Directory values.

In this step, you configure P2S Microsoft Entra authentication for the virtual network gateway.

  1. Go to the virtual network gateway. In the left pane, click Point-to-site configuration.

    Screenshot showing point-to-site configuration page.

    Configure the following values:

    • Address pool: client address pool
    • Tunnel type: OpenVPN (SSL)
    • Authentication type: Microsoft Entra ID

    For Microsoft Entra ID values, use the following guidelines for Tenant, Audience, and Issuer values.

    • Tenant: https://login.microsoftonline.com/{TenantID}
    • Audience ID: Use the Application (client) ID that you copied in the previous section. Don't use the application ID of the "Azure VPN" Microsoft Entra enterprise app; use the application ID of the app that you created and registered. If you use the "Azure VPN" application ID instead, all users are granted access to the VPN gateway (the default way to set up access), instead of only the users that you assigned to the application that you created and registered.
    • Issuer: https://sts.windows.net/{TenantID}/ (make sure to include the trailing / at the end.)
  2. Once you finish configuring settings, click Save at the top of the page.
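The admin consent URL from the "Authorize the Azure VPN application" section and the Tenant, Audience, and Issuer values from the step above are both typed by hand, and the Audience mistake described above silently widens access to every user in the tenant. The following script is an added example (not part of this article or of any Microsoft tooling) that builds the consent URL for each cloud from the client IDs and endpoints given on this page and checks a Tenant/Audience/Issuer triple against the rules stated above. The value-format checks assume the public-cloud formats the article shows (login.microsoftonline.com and sts.windows.net); the tenant and application IDs in the usage section are constructed sample values, not real ones.

```python
"""Helpers for the two hand-typed pieces of this procedure: the admin-consent
URL for the Azure VPN app and the Tenant/Audience/Issuer triple entered on the
gateway's Point-to-site configuration page."""
import re
from urllib.parse import urlencode

# Azure VPN client application IDs and endpoints per cloud, as given on this page.
AZURE_VPN_CLIENT_IDS = {
    "public": "41b23e61-6c1e-4545-b367-cd054e0ed4b4",
    "government": "51bb15d4-3a4f-4ebf-9dca-40096fe32426",
    "germany": "538ee9e6-310a-468d-afef-ea97365856a9",
    "china": "49f817b6-84ae-4cc0-928c-73f27289b3aa",
}
CLOUD_ENDPOINTS = {  # (authorization host, portal redirect URI)
    "public": ("https://login.microsoftonline.com", "https://portal.azure.com"),
    "government": ("https://login.microsoftonline.us", "https://portal.azure.us"),
    "germany": ("https://login-us.microsoftonline.de", "https://portal.microsoftazure.de"),
    "china": ("https://login.chinacloudapi.cn", "https://portal.azure.cn"),
}
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def admin_consent_url(cloud: str, tenant: str = "common") -> str:
    """Build the admin-consent URL for a cloud. Pass the tenant ID instead of
    "common" when consenting with an account that is not native to the tenant."""
    login_host, portal = CLOUD_ENDPOINTS[cloud]
    query = {
        "client_id": AZURE_VPN_CLIENT_IDS[cloud],
        "response_type": "code",
        "redirect_uri": portal,
        "nonce": "1234",
        "prompt": "admin_consent",
    }
    # safe=":/" keeps the redirect URI unencoded, matching the URLs on this page.
    return f"{login_host}/{tenant}/oauth2/authorize?" + urlencode(query, safe=":/")


def check_gateway_values(tenant_uri: str, audience: str, issuer_uri: str) -> list:
    """Check the Entra values for a public-cloud gateway against the rules in
    this procedure. Returns a list of findings; an empty list means all rules pass."""
    findings = []
    tenant_id = None

    # Tenant: https://login.microsoftonline.com/{TenantID}
    m = re.fullmatch(r"https://login\.microsoftonline\.com/([^/]+)/?", tenant_uri)
    if m and GUID_RE.match(m.group(1)):
        tenant_id = m.group(1).lower()
    else:
        findings.append("tenant: expected https://login.microsoftonline.com/{TenantID}")

    # Audience: the Application (client) ID of the app you registered, never the
    # built-in Azure VPN enterprise app (that would admit every user in the tenant).
    if not GUID_RE.match(audience):
        findings.append("audience: not an Application (client) ID")
    elif audience.lower() in AZURE_VPN_CLIENT_IDS.values():
        findings.append("audience: this is the Azure VPN enterprise app ID; "
                        "all users would be granted access, not just assigned ones")

    # Issuer: https://sts.windows.net/{TenantID}/ with a trailing slash, same tenant.
    if not issuer_uri.endswith("/"):
        findings.append("issuer: missing trailing /")
    if tenant_id and issuer_uri.rstrip("/").lower() != f"https://sts.windows.net/{tenant_id}":
        findings.append("issuer: expected https://sts.windows.net/{TenantID}/ for the same tenant")
    return findings


if __name__ == "__main__":
    # Constructed sample values (not a real tenant or app registration).
    tenant = "11111111-2222-3333-4444-555555555555"
    app_id = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    print(admin_consent_url("public", tenant))
    print(check_gateway_values(f"https://login.microsoftonline.com/{tenant}", app_id,
                               f"https://sts.windows.net/{tenant}/"))
```

Run the checker on the three values before you click Save on the gateway; a finding that names the Azure VPN enterprise app ID means the Audience would admit all users rather than only the ones assigned under "Assign users to applications".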

Download the Azure VPN Client profile configuration package

In this section, you generate and download the Azure VPN Client profile configuration package. This package contains the settings that you can use to configure the Azure VPN Client profile on client computers.

  1. At the top of the Point-to-site configuration page, click Download VPN client. It takes a few minutes for the client configuration package to generate.

  2. Your browser indicates that a client configuration zip file is available. It has the same name as your gateway.

  3. Extract the downloaded zip file.

  4. Browse to the unzipped "AzureVPN" folder.

  5. Make a note of the location of the "azurevpnconfig.xml" file. The azurevpnconfig.xml file contains the settings for the VPN connection. You can also distribute this file to all the users that need to connect, via e-mail or other means. The user will need valid Microsoft Entra credentials to connect successfully. For more information, see Azure VPN client profile config files for Microsoft Entra authentication.

Next steps