Configure a P2S VPN gateway for Microsoft Entra ID authentication

This article helps you configure your Microsoft Entra tenant and point-to-site (P2S) VPN Gateway settings for Microsoft Entra ID authentication. For more information about point-to-site protocols and authentication, see About VPN Gateway point-to-site VPN. To authenticate using Microsoft Entra ID authentication, you must include the OpenVPN tunnel type in your point-to-site configuration.


Microsoft Entra authentication is supported only for OpenVPN® protocol connections and requires the Azure VPN Client.


The steps in this article require a Microsoft Entra tenant. If you don't have a Microsoft Entra tenant, you can create one using the steps in the Create a new tenant article. Note the following fields when creating your directory:

  • Organizational name
  • Initial domain name

If you already have an existing P2S gateway, the steps in this article help you configure the gateway for Microsoft Entra ID authentication. You can also create a new VPN gateway. The link to create a new gateway is included in this article.

Create Microsoft Entra tenant users

  1. Create two accounts in the newly created Microsoft Entra tenant. For steps, see Add or delete a new user.

    • Global administrator account
    • User account

    The global administrator account will be used to grant consent to the Azure VPN app registration. The user account can be used to test OpenVPN authentication.

  2. Assign one of the accounts the Global administrator role. For steps, see Assign administrator and non-administrator roles to users with Microsoft Entra ID.

Authorize the Azure VPN application

  1. Sign in to the Azure portal as a user that is assigned the Global administrator role.

  2. Next, grant admin consent for your organization. This allows the Azure VPN application to sign in and read user profiles. Copy and paste the URL that pertains to your deployment location in the address bar of your browser:


    Azure Government

    Microsoft Cloud Germany

    Microsoft Azure operated by 21Vianet


    If you're using a global admin account that is not native to the Microsoft Entra tenant to provide consent, replace "common" with the Microsoft Entra tenant ID in the URL. You may also have to replace "common" with your tenant ID in certain other cases as well. For help with finding your tenant ID, see How to find your Microsoft Entra tenant ID.

  3. Select the account that has the Global administrator role if prompted.

  4. On the Permissions requested page, select Accept.

  5. Go to Microsoft Entra ID. In the left pane, click Enterprise applications. You'll see Azure VPN listed.

    Screenshot of the Enterprise application page showing Azure V P N listed.

Configure the VPN gateway


The Azure portal is in the process of updating Azure Active Directory fields to Entra. If you see Microsoft Entra ID referenced and you don't see those values in the portal yet, you can select Azure Active Directory values.

  1. Locate the tenant ID of the directory that you want to use for authentication. It's listed in the properties section of the Active Directory page. For help with finding your tenant ID, see How to find your Microsoft Entra tenant ID.

  2. If you don't already have a functioning point-to-site environment, follow the instruction to create one. See Create a point-to-site VPN to create and configure a point-to-site VPN gateway. When you create a VPN gateway, the Basic SKU isn't supported for OpenVPN.

  3. Go to the virtual network gateway. In the left pane, click Point-to-site configuration.

    Screenshot showing settings for Tunnel type, Authentication type, and Microsoft Entra settings.

    Configure the following values:

    • Address pool: client address pool
    • Tunnel type: OpenVPN (SSL)
    • Authentication type: Microsoft Entra ID

    For Microsoft Entra ID values, use the following guidelines for Tenant, Audience, and Issuer values. Replace {TenantID} with your tenant ID, taking care to remove {} from the examples when you replace this value.

    • Tenant: TenantID for the Microsoft Entra tenant. Enter the tenant ID that corresponds to your configuration. Make sure the Tenant URL doesn't have a \ (backslash) at the end. Forward slash is permissible.

      • Azure Public AD:{TenantID}
      • Azure Government AD:{TenantID}
      • Azure Germany AD:{TenantID}
      • China 21Vianet AD:{TenantID}
    • Audience: The Application ID of the "Azure VPN" Microsoft Entra Enterprise App.

      • Azure Public: 41b23e61-6c1e-4545-b367-cd054e0ed4b4
      • Azure Government: 51bb15d4-3a4f-4ebf-9dca-40096fe32426
      • Azure Germany: 538ee9e6-310a-468d-afef-ea97365856a9
      • Microsoft Azure operated by 21Vianet: 49f817b6-84ae-4cc0-928c-73f27289b3aa
    • Issuer: URL of the Secure Token Service. Include a trailing slash at the end of the Issuer value. Otherwise, the connection might fail. Example:

  4. Once you finish configuring settings, click Save at the top of the page.

Download the Azure VPN Client profile configuration package

In this section, you generate and download the Azure VPN Client profile configuration package. This package contains the settings that you can use to configure the Azure VPN Client profile on client computers.

  1. At the top of the Point-to-site configuration page, click Download VPN client. It takes a few minutes for the client configuration package to generate.

  2. Your browser indicates that a client configuration zip file is available. It's named the same name as your gateway.

  3. Extract the downloaded zip file.

  4. Browse to the unzipped "AzureVPN" folder.

  5. Make a note of the location of the “azurevpnconfig.xml” file. The azurevpnconfig.xml contains the setting for the VPN connection. You can also distribute this file to all the users that need to connect via e-mail or other means. The user will need valid Microsoft Entra credentials to connect successfully. For more information, see Azure VPN client profile config files for Microsoft Entra authentication.

Next steps