Introduction
This blog will show you how to set up Azure Active Directory authentication for Point-to-Site (P2S) VPN access from a user's computer. It adds a layer of identity-based security to your Azure infrastructure. To use AAD authentication, the tunnel type must be OpenVPN (SSL). This option is useful for end users who want to connect to Azure VNets from a remote location such as home or a conference. With the help of the Azure Virtual Network gateway, you can also keep track of all connections made to the Azure VNet via the P2S VPN.
Prerequisites
Virtual Network (VNet)
VM within the VNet
Azure AD Tenant
Configuring Virtual Network gateway
Sign in to the Azure Portal.
Click on Create to fill out the data.
In the screenshot, Mayank-MPN is the subscription and VGW–Dev is the gateway name. Next, select the region where you want to create the gateway. After that, the Virtual Network section appears automatically once the SKU is set to VpnGw1 (which supports a maximum of 250 connections with 640 Mb throughput). The other options remain at their defaults, as shown in the screenshot below.
You can specify the gateway subnet address range yourself, or let the portal generate one based on the VNet CIDR. A public IP named VGW-PIP-dev was also created for the gateway. The other options are left at their defaults, as shown in the screenshot below.
Give appropriate tags to the resources. Click on Review + Create, then click on Create.
Configuring AAD Authentication
Log in to the Azure portal as a Global Administrator user.
Go to the Azure Active Directory service and copy the Tenant ID from the Properties page, as shown in the screenshot below.
Next, copy and paste the URL below into your browser (this URL is for Azure Public) to add the Azure VPN application to your AAD tenant:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent
If prompted, select the Global Admin account and accept the permission request.
The Azure VPN application will now be listed in AAD under Enterprise Applications.
Azure AD authentication can now be added to the VPN gateway. First, navigate to the Virtual Network gateway service -> Point-to-site configuration and choose OpenVPN (SSL) as the tunnel type. Next, select Azure Active Directory as the Authentication type, then provide the following information under the Azure Active Directory section:
Tenant: https://login.microsoftonline.com/AzureAD TenantID/
Audience ID (for Azure Public): 41b23e61-6c1e-4545-b367-cd054e0ed4b4
Issuer (for the Secure Token Service): https://sts.windows.net/AzureAD TenantID/
Click on Save, then download the VPN client configuration file.
Extract the zip file and browse to the unzipped “AzureVPN” folder.
The “azurevpnconfig.xml” file is located in the extracted folder. It contains the settings for the VPN connection and can be imported directly into the Azure VPN Client application. To connect successfully, the user needs valid Azure AD credentials from the tenant.
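As an added example (not part of the original post), the following Python script derives the three Azure AD values entered above from a tenant ID and checks that a downloaded azurevpnconfig.xml actually carries them and the OpenVPN tunnel type, so a profile pointing at the wrong tenant is caught before it is handed to users. The element layout (clientauth/aad with audience, issuer, tenant, and type; protocol) and the sample profile are assumptions constructed for this example, not a real download.

```python
import re
import xml.etree.ElementTree as ET

# Azure VPN enterprise application (audience) ID for Azure Public, as given in the post.
AZURE_VPN_AUDIENCE = "41b23e61-6c1e-4545-b367-cd054e0ed4b4"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def expected_aad_settings(tenant_id):
    """The three values the post enters in the Point-to-site configuration blade."""
    if not GUID_RE.match(tenant_id.lower()):
        raise ValueError(f"tenant ID is not a GUID: {tenant_id!r}")
    return {
        "tenant": f"https://login.microsoftonline.com/{tenant_id}/",
        "audience": AZURE_VPN_AUDIENCE,
        "issuer": f"https://sts.windows.net/{tenant_id}/",
    }

def _find_text(node, *names):
    """Walk child elements by local name, ignoring XML namespaces."""
    for name in names:
        node = next((c for c in node if c.tag.rsplit("}", 1)[-1] == name), None)
        if node is None:
            return None
    return (node.text or "").strip()

def check_profile(xml_text, tenant_id):
    """Return the list of mismatches between azurevpnconfig.xml and the expected settings."""
    root = ET.fromstring(xml_text)
    problems = []
    if _find_text(root, "protocol") != "OpenVPN":
        problems.append("protocol is not OpenVPN")
    if _find_text(root, "clientauth", "type") != "aad":
        problems.append("client authentication type is not aad")
    for key, want in expected_aad_settings(tenant_id).items():
        got = _find_text(root, "clientauth", "aad", key)
        if got is None or got.rstrip("/").lower() != want.rstrip("/").lower():
            problems.append(f"{key}: expected {want}, found {got}")
    return problems

# Constructed sample profile (assumed layout, not a real download); tenant ID is a placeholder.
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_PROFILE = f"""<AzVpnProfile xmlns="http://schemas.datacontract.org/2004/07/">
  <clientauth><aad>
    <audience>{AZURE_VPN_AUDIENCE}</audience>
    <issuer>https://sts.windows.net/{SAMPLE_TENANT}/</issuer>
    <tenant>https://login.microsoftonline.com/{SAMPLE_TENANT}/</tenant>
  </aad><type>aad</type></clientauth>
  <protocol>OpenVPN</protocol>
</AzVpnProfile>"""
```

Run `check_profile(open("azurevpnconfig.xml").read(), "<your tenant ID>")` on the real download; an empty list means the profile matches the tenant you configured.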
Checking the VPN Connection
Now open the Microsoft Store, download the Azure VPN Client, and open it once it is installed.
Click on Import in the Azure VPN Client, as shown in the screenshot below.
Select the azurevpnconfig.xml file that we extracted in the previous steps, then click on Save.
Click on Connect to connect to the VPN using Azure AD credentials.
Next, select Azure AD and click Continue.
Once the connection succeeds, the icon turns green to indicate that it is connected.
Now you can check that your machine has received an IP address from the Point-to-Site address pool.
You can now RDP into Azure VMs using the VM's private IP. For me, it is 10.2.1.4.
Conclusion
VPN connections establish a secure connection between your computer and the internet. A P2S connection