Configure an Azure AD tenant and P2S configuration for VPN Gateway P2S connections

This article helps you configure your AD tenant and P2S settings for Azure AD authentication. For more information about point-to-site protocols and authentication, see About VPN Gateway point-to-site VPN. To authenticate using the Azure AD authentication type, you must include the OpenVPN tunnel type in your point-to-site configuration.


Azure AD authentication is supported only for OpenVPN® protocol connections and requires the Azure VPN Client.

Azure AD tenant

The steps in this article require an Azure AD tenant. If you don't have an Azure AD tenant, you can create one using the steps in the Create a new tenant article. Note the following fields when creating your directory:

  • Organizational name
  • Initial domain name

Create Azure AD tenant users

  1. Create two accounts in the newly created Azure AD tenant. For steps, see Add or delete a new user.

    • Global administrator account
    • User account

    The global administrator account will be used to grant consent to the Azure VPN app registration. The user account can be used to test OpenVPN authentication.

  2. Assign one of the accounts the Global administrator role. For steps, see Assign administrator and non-administrator roles to users with Azure Active Directory.

Authorize the Azure VPN application

Authorize the application

  1. Sign in to the Azure portal as a user that is assigned the Global administrator role.

  2. Next, grant admin consent for your organization. This allows the Azure VPN application to sign in and read user profiles. Copy and paste the URL that pertains to your deployment location in the address bar of your browser:


    Azure Government

    Microsoft Cloud Germany

    Azure China 21Vianet


    If you're using a global admin account that is not native to the Azure AD tenant to provide consent, replace "common" with the Azure AD tenant ID in the URL. You may also have to replace "common" with your tenant ID in certain other cases as well. For help with finding your tenant ID, see How to find your Azure Active Directory tenant ID.

  3. Select the account that has the Global administrator role if prompted.

  4. On the Permissions requested page, select Accept.

  5. Go to Azure Active Directory. In the left pane, click Enterprise applications. You'll see Azure VPN listed.

    Screenshot of the Enterprise application page showing Azure V P N listed.

Configure authentication for the gateway

  1. Locate the tenant ID of the directory that you want to use for authentication. It's listed in the properties section of the Active Directory page. For help with finding your tenant ID, see How to find your Azure Active Directory tenant ID.

  2. If you don't already have a functioning point-to-site environment, follow the instruction to create one. See Create a point-to-site VPN to create and configure a point-to-site VPN gateway.


    The Basic SKU is not supported for OpenVPN.

  3. Go to the virtual network gateway. In the left pane, click Point-to-site configuration.

    Screenshot showing settings for Tunnel type, Authentication type, and Azure Active Directory settings.

    Configure the following values:

    • Address pool: client address pool
    • Tunnel type: OpenVPN (SSL)
    • Authentication type: Azure Active Directory

    For Azure Active Directory values, use the following guidelines for Tenant, Audience, and Issuer values. Replace {AzureAD TenantID} with your tenant ID.

    • Tenant: TenantID for the Azure AD tenant. Enter the tenant ID that corresponds to your configuration. Make sure the Tenant URL does not have a \ at the end.

      • Azure Public AD:{AzureAD TenantID}
      • Azure Government AD:{AzureAD TenantID}
      • Azure Germany AD:{AzureAD TenantID}
      • China 21Vianet AD:{AzureAD TenantID}
    • Audience: The Application ID of the "Azure VPN" Azure AD Enterprise App.

      • Azure Public: 41b23e61-6c1e-4545-b367-cd054e0ed4b4
      • Azure Government: 51bb15d4-3a4f-4ebf-9dca-40096fe32426
      • Azure Germany: 538ee9e6-310a-468d-afef-ea97365856a9
      • Azure China 21Vianet: 49f817b6-84ae-4cc0-928c-73f27289b3aa
    • Issuer: URL of the Secure Token Service. Include a trailing slash at the end of the Issuer value. Otherwise, the connection may fail.

      •{AzureAD TenantID}/
  4. Once you finish configuring settings, click Save at the top of the page.

Download the Azure VPN Client profile configuration package

In this section, you generate and download the Azure VPN Client profile configuration package. This package contains the settings that you can use to configure the Azure VPN Client profile on client computers.

  1. At the top of the Point-to-site configuration page, click Download VPN client. It takes a few minutes for the client configuration package to generate.

  2. Your browser indicates that a client configuration zip file is available. It's named the same name as your gateway.

  3. Extract the downloaded zip file.

  4. Browse to the unzipped "AzureVPN" folder.

  5. Make a note of the location of the “azurevpnconfig.xml” file. The azurevpnconfig.xml contains the setting for the VPN connection. You can also distribute this file to all the users that need to connect via e-mail or other means. The user will need valid Azure AD credentials to connect successfully. For more information, see Azure VPN client profile config files for Azure AD authentication.

Next steps