Configure authentication using Microsoft Entra ID

2.2 Point-to-Site (P2S) VPN Connectivity

📘Microsoft Azure Networking Solutions (AZ-700)


1. What is Point-to-Site (P2S) VPN?

  • A Point-to-Site (P2S) VPN lets individual devices (like a developer’s laptop, a server in another office, or a VM) securely connect to an Azure Virtual Network (VNet) over the internet.
  • Unlike Site-to-Site VPN, which connects entire networks, P2S is device-to-Azure.

Think of it as giving a secure, personal tunnel from a single machine to your Azure network.


2. Why use Microsoft Entra ID for P2S VPN authentication?

  • Microsoft Entra ID (formerly Azure Active Directory) is a cloud identity provider.
  • By using Microsoft Entra ID authentication, you can:
    • Allow only authorized users to connect.
    • Remove the need to manage individual certificates manually.
    • Integrate with multi-factor authentication (MFA) for higher security.

So instead of installing a certificate for every user, the user signs in with their Azure AD credentials, just like logging into Office 365.


3. How P2S VPN with Microsoft Entra ID Works

  1. User requests VPN connection from their device.
  2. VPN client redirects authentication to Microsoft Entra ID login page.
  3. User enters credentials (username + password) or performs MFA if required.
  4. Microsoft Entra ID issues a token after successful login.
  5. VPN gateway in Azure validates the token.
  6. Connection is established to the VNet.

Key point: Microsoft Entra ID authentication is token-based, not certificate-based.


4. Requirements for Configuring P2S VPN with Microsoft Entra ID

To configure this setup, you need:

A. Azure Virtual Network and Gateway

  • A VNet with subnets for your resources.
  • A VPN Gateway deployed in the VNet.
    • Must be Route-based.
    • Supported SKUs for P2S:
      • VpnGw1, VpnGw2, VpnGw3 (Standard/High Performance).

B. Microsoft Entra ID Tenant

  • A working Microsoft Entra ID tenant (default or custom).
  • Users must exist in Entra ID to authenticate.

C. VPN Client Software

  • Azure supports:
    • Windows (built-in VPN client or Azure VPN Client)
    • macOS (Azure VPN Client)
    • Linux (OpenVPN-based)

D. P2S Configuration on the VPN Gateway

  • Authentication type: Azure Active Directory.
  • Provide:
    • Tenant ID of Entra ID
    • Application (client) ID of the VPN client registration in Entra ID
    • Audience (resource) ID for VPN Gateway

5. Steps to Configure P2S VPN with Microsoft Entra ID

Step 1: Create/Register an Application in Entra ID

  • Go to Microsoft Entra ID → App registrations → New registration.
  • Assign a name, e.g., P2S-VPN-App.
  • Set redirect URI to https://<VPN-Gateway-URL> (this allows the VPN client to use the token).

Step 2: Configure API Permissions

  • Add user_impersonation permission for Azure VPN Gateway.
  • Grant admin consent for all users.

Step 3: Configure the VPN Gateway

  • In the Azure Portal:
    1. Go to VPN Gateway → Point-to-site configuration.
    2. Set Authentication type to Azure Active Directory.
    3. Enter the Tenant ID, Application ID, and Audience from the Entra ID app.
    4. Configure the Address pool (IP addresses for P2S clients).
    5. Save the configuration.

Step 4: Download VPN Client Profile

  • From VPN Gateway → Point-to-site configuration → Download VPN client.
  • Users install this profile on their machines.

Step 5: Connect Using VPN Client

  • Launch VPN client → Select profile → Sign in with Microsoft Entra ID credentials.
  • If configured, MFA will prompt automatically.
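The gateway-side part of Steps 3 and 4 written in Azure PowerShell (Az.Network), as an added example and not code from the original notes. The resource group, gateway name, address pool and the <tenant-id> / <audience-id> placeholders are assumptions you replace with the values gathered in Section 4D:

```powershell
# Added example (not from the original notes). Requires the Az.Network module and Connect-AzAccount.
$ResourceGroup = "rg-hub-network"   # assumed resource group name
$GatewayName   = "vpngw-hub"        # assumed gateway name
$TenantId      = "<tenant-id>"      # Directory (tenant) ID gathered in Section 4D
$AudienceId    = "<audience-id>"    # Audience (resource) ID gathered in Section 4D

$gw = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup

# Entra ID authentication needs a route-based gateway; stop early instead of failing on save.
if ($gw.VpnType -ne "RouteBased") {
    throw "Gateway '$GatewayName' is $($gw.VpnType); P2S with Entra ID requires RouteBased."
}

# Step 3: point-to-site configuration with Entra ID as the only authentication type.
$p2s = @{
    VirtualNetworkGateway = $gw
    VpnClientAddressPool  = "172.16.201.0/24"   # constructed pool; must not overlap VNet or on-prem ranges
    VpnClientProtocol     = "OpenVPN"            # Entra ID auth runs over the OpenVPN tunnel type
    VpnAuthenticationType = "AAD"
    AadTenantUri          = "https://login.microsoftonline.com/$TenantId/"
    AadAudienceId         = $AudienceId
    AadIssuerUri          = "https://sts.windows.net/$TenantId/"
}
Set-AzVirtualNetworkGateway @p2s

# Step 4: generate the client profile package and download it for distribution to users.
$clientPkg = New-AzVpnClientConfiguration -ResourceGroupName $ResourceGroup -Name $GatewayName -AuthenticationMethod "EapTls"
Invoke-WebRequest -Uri $clientPkg.VpnProfileSASUrl -OutFile ".\$GatewayName-vpnclient.zip"
```

Re-run the download whenever the gateway configuration changes, since the profile embeds the tenant, audience and issuer values.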

6. Advantages of Microsoft Entra ID Authentication

Advantage                    Explanation
Centralized user management  All users are managed in Entra ID; no local certificates needed.
MFA support                  Adds an extra layer of security.
Revocation control           Disable a user in Entra ID → immediately blocks VPN access.
Simplified scaling           Adding/removing users doesn’t require reissuing certificates.

7. Key Exam Notes

  • The VPN client in use must support Azure AD authentication.
  • VPN Gateway SKU must be Route-based, not Policy-based.
  • P2S with Microsoft Entra ID is token-based, not certificate-based.
  • Address pool is required for clients to get IPs in VNet.
  • MFA and Conditional Access policies can be applied to VPN users.
  • Azure AD login fails → VPN connection fails (important troubleshooting point).

8. Troubleshooting Tips (for the exam)

  • User cannot connect: Check if the user exists in Microsoft Entra ID and has permission.
  • MFA not prompting: Ensure Conditional Access policies are applied correctly.
  • Incorrect VPN profile: Download the latest profile after any gateway changes.
  • VPN gateway SKU issue: Only VpnGw1 or higher supports Azure AD authentication for P2S.
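A read-only check that maps the exam notes and troubleshooting tips above onto a live gateway and one reported user, added here as an example and not taken from the original notes. It assumes the Az.Network and Microsoft.Graph PowerShell modules are installed and signed in, and that the resource group, gateway name and user UPN are your own values:

```powershell
# Added example (not from the original notes). Needs Connect-AzAccount and Connect-MgGraph -Scopes "User.Read.All".
$ResourceGroup = "rg-hub-network"          # assumed
$GatewayName   = "vpngw-hub"               # assumed
$UserUpn       = "alice@contoso.example"   # assumed; the user reporting "cannot connect"

$gw  = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup
$cfg = $gw.VpnClientConfiguration          # $null when no P2S configuration exists yet

$checks = [ordered]@{
    "Gateway VPN type is RouteBased"   = ($gw.VpnType -eq "RouteBased")
    "SKU is VpnGw1 or higher"          = ($gw.Sku.Name -like "VpnGw*")      # Basic SKU fails this
    "P2S configuration present"        = ($null -ne $cfg)
    "Authentication type includes AAD" = ($cfg.VpnAuthenticationTypes -contains "AAD")
    "OpenVPN tunnel type enabled"      = ($cfg.VpnClientProtocols -contains "OpenVPN")
    "Client address pool configured"   = ($cfg.VpnClientAddressPool.AddressPrefixes.Count -gt 0)
    "Tenant, audience and issuer set"  = (@($cfg.AadTenant, $cfg.AadAudience, $cfg.AadIssuer |
                                            Where-Object { [string]::IsNullOrEmpty($_) }).Count -eq 0)
}

# Troubleshooting tip "user cannot connect": the account must exist and be enabled in Entra ID.
# A disabled account is exactly the revocation control described in Section 6.
$user = Get-MgUser -UserId $UserUpn -Property UserPrincipalName,AccountEnabled -ErrorAction SilentlyContinue
$checks["User exists in Entra ID"] = ($null -ne $user)
$checks["User account is enabled"] = ([bool]$user -and [bool]$user.AccountEnabled)

foreach ($check in $checks.GetEnumerator()) {
    "{0,-34} {1}" -f $check.Key, $(if ($check.Value) { "OK" } else { "FAIL" })
}
```

Any FAIL in the gateway rows also means the downloaded client profile is stale and must be regenerated after the fix.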

Summary for the Exam:

  • P2S VPN is for single-device connections to Azure VNets.
  • Microsoft Entra ID authentication allows user credentials + MFA instead of certificates.
  • Requires App registration in Entra ID, correct VPN Gateway SKU, and proper VPN client configuration.
  • Benefits: centralized user management, easy revocation, MFA, token-based security.