Step 7.3. Configure the conditional access policy
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows 10
- Previous: Step 7.2. Create root certificates for VPN authentication with Azure AD
- Next: Step 7.4. Deploy conditional access root certificates to on-premises AD
In this step, you configure the conditional access policy for VPN connectivity. When the first root certificate is created in the 'VPN connectivity' blade, a 'VPN Server' cloud application is created automatically in the tenant; that application is what the policy is scoped to.
Create a Conditional Access policy that is assigned to the VPN Users group and scoped to the VPN Server cloud app:
- Users: VPN Users
- Cloud App: VPN Server
- Grant (access control): 'Require multi-factor authentication'. Other controls can be used if desired.
Procedure: This step covers creation of the most basic Conditional Access policy. If desired, additional Conditions and Controls can be used.
On the Conditional Access page, in the toolbar on the top, select Add.
On the New page, in the Name box, enter a name for your policy. For example, enter VPN policy.
In the Assignment section, select Users and groups.
On the Users and groups page, perform the following steps:
a. Select Select users and groups.
b. Select Select.
c. On the Select page, select the VPN users group, and then select Select.
d. On the Users and groups page, select Done.
On the New page, perform the following steps:
a. In the Assignments section, select Cloud apps.
b. On the Cloud apps page, select Select apps.
c. Select VPN Server.
On the New page, to open the Grant page, in the Controls section, select Grant.
On the Grant page, perform the following steps:
a. Select Require multi-factor authentication.
b. Select Select.
On the New page, under Enable policy, select On.
On the New page, select Create.
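The portal steps above can also be scripted, which is useful for repeatable deployments and for checking that the policy really targets the right group and application. The following is an added example written for this page with the Microsoft Graph PowerShell SDK; it is not code from the original page. It assumes the Microsoft.Graph module is installed, that the group is named 'VPN Users', that the auto-created enterprise application is named 'VPN Server', and that the signed-in account can write Conditional Access policies.

```powershell
# Added example (not from the original page): create the same Conditional Access
# policy with the Microsoft Graph PowerShell SDK instead of the portal.
# Assumptions: Microsoft.Graph module installed, group named 'VPN Users',
# auto-created enterprise app named 'VPN Server'.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Application.Read.All','Group.Read.All'

# Resolve the group and the service principal created by the 'VPN connectivity' blade.
$group  = Get-MgGroup -Filter "displayName eq 'VPN Users'"
$vpnApp = Get-MgServicePrincipal -Filter "displayName eq 'VPN Server'"
if (-not $group -or -not $vpnApp) {
    throw "Could not find the 'VPN Users' group or the 'VPN Server' application; create the root certificate first (step 7.2)."
}

$policy = @{
    displayName = 'VPN policy'
    # 'enabledForReportingButNotEnforced' evaluates the policy in report-only mode so the
    # sign-in logs can be reviewed before switching the state to 'enabled'.
    state       = 'enabled'
    conditions  = @{
        users          = @{ includeGroups = @($group.Id) }
        # Conditional Access targets applications by their appId (client ID), not the object ID.
        applications   = @{ includeApplications = @($vpnApp.AppId) }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')   # 'Require multi-factor authentication'
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verify: the group, app and grant control should match the portal steps above.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{n='Groups'; e={ $_.Conditions.Users.IncludeGroups }},
        @{n='Apps';   e={ $_.Conditions.Applications.IncludeApplications }},
        @{n='Grant';  e={ $_.GrantControls.BuiltInControls }}
```

Two practitioner caveats: run the policy in report-only state first and confirm in the sign-in logs that VPN users are actually evaluated against it before enforcing, and keep an emergency-access account out of scope (the `users` block accepts an `excludeUsers` list) so a misconfigured control cannot lock administrators out of the tenant.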
Next step: Step 7.4. Deploy conditional access root certificates to on-premises AD. In that step, you deploy the conditional access root certificate as a trusted root certificate for VPN authentication to your on-premises AD.