
Azure Client VPN using Azure AD & MFA


proximagr


Azure Virtual Network Gateway provides the ability to connect to your Azure Virtual Network with Azure Client VPN (SSL) connections using your Azure AD or hybrid identity, with Multi Factor Authentication (MFA) and your Conditional Access policies.

We can have an enterprise-grade SSL VPN, with Active Directory authentication and Single Sign-On (SSO) from your corporate laptops, and apply all your conditional access policies, like MFA, compliant devices, trusted locations, etc.

How to create the VPN Gateway

Go to your Virtual Network’s subnets and create a Gateway subnet by clicking “+ Gateway subnet”.

Create a Virtual network gateway, by searching for the “Virtual network gateways” service and press Add.

Select “VPN”, “Route-based” and at the SKU select any size except the Basic. Basic SKU does not support Azure AD authentication.

Create a Public IP and leave all other settings default and create the Gateway.

After about 20 minutes the VPN Gateway is ready. In the meantime we will prepare Azure AD and grant consent so that the Azure client VPN can use Azure AD. Using a Global Admin account, go to “Azure Active Directory”, copy the “Tenant ID” from the Overview blade, and keep it in a notepad.

Then paste the URL below into your browser’s address bar. You need to log in with a Global Admin account that is a member work account: not a guest account and not a personal Microsoft account.

https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

With a guest or Microsoft account, even if it is a Global Admin, you will be prompted to log in with an admin account, meaning a member work account.

Once you log in with a member work Global Admin account, you can accept the permissions to create the Azure VPN application.

You can navigate to the Azure Active Directory / Enterprise Application and view / manage the Azure AD application.

Open the Azure VPN enterprise application and copy the “Application ID” to a notepad.

Go to the VPN Gateway, select “Point to site configuration” and click “Configure now”.

Add the Address Pool that you want the VPN clients to have; for Tunnel type select “OpenVPN (SSL)”, as it is the only type that supports Azure AD authentication.

Then take the details you copied to the notepad, the Tenant ID and the Application ID, add them to the required fields and press Save.
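
The same gateway and Point-to-site configuration, done from a script instead of the portal. This is an added example and not part of the original guide: it derives the three Azure AD values the Point-to-site blade asks for (Tenant, Audience, Issuer) from the Tenant ID and the Azure VPN Application ID, rejects malformed GUIDs, and renders the matching Azure CLI commands without running them. The resource names, the address ranges and the tenant ID are constructed sample values; the `az network vnet-gateway` flag names are the ones I know from the CLI and should be confirmed with `az network vnet-gateway create --help` on your version; the Standard static public IP is an assumption (current gateway SKUs require it).

```python
"""Scripted equivalent of the gateway and Point-to-site steps above.

Added example, not part of the original guide. It derives the three Azure AD
values the Point-to-site blade asks for from the Tenant ID and the Azure VPN
Application ID, validates them, and renders the matching Azure CLI commands.
Nothing here talks to Azure: the result is a list of command strings that you
review and run yourself.
"""
import uuid

# Application ID of the "Azure VPN" enterprise application. It is the client_id
# in the admin-consent URL of the guide and is what the P2S blade calls "Audience".
AZURE_VPN_APP_ID = "41b23e61-6c1e-4545-b367-cd054e0ed4b4"


def _normalize_guid(value, name):
    """Return the GUID in lowercase hyphenated form, or raise on a typo.

    Tenant and application IDs are pasted from the portal by hand; a damaged
    GUID silently produces a gateway that rejects every sign-in.
    """
    try:
        return str(uuid.UUID(str(value).strip()))
    except ValueError:
        raise ValueError(f"{name} is not a valid GUID: {value!r}") from None


def aad_p2s_settings(tenant_id, app_id=AZURE_VPN_APP_ID):
    """Build the Tenant, Audience and Issuer values for Azure AD P2S auth.

    The URL formats (login.microsoftonline.com tenant URL, sts.windows.net
    issuer with a trailing slash) are the ones the Point-to-site blade expects.
    """
    tenant_id = _normalize_guid(tenant_id, "tenant_id")
    app_id = _normalize_guid(app_id, "app_id")
    return {
        "tenant": f"https://login.microsoftonline.com/{tenant_id}",
        "audience": app_id,
        "issuer": f"https://sts.windows.net/{tenant_id}/",
    }


def az_commands(resource_group, vnet, gateway_name, public_ip_name, location,
                tenant_id, gateway_subnet_prefix, address_pool, sku="VpnGw1"):
    """Render the CLI steps that mirror the portal walkthrough.

    Flag names are those of `az network vnet-gateway` as I know them; confirm
    them with `az network vnet-gateway create --help` on your CLI version.
    """
    if sku.lower() == "basic":
        raise ValueError("Basic SKU does not support Azure AD authentication")
    aad = aad_p2s_settings(tenant_id)
    return [
        # The gateway subnet must be named exactly "GatewaySubnet".
        f"az network vnet subnet create -g {resource_group} --vnet-name {vnet} "
        f"-n GatewaySubnet --address-prefixes {gateway_subnet_prefix}",
        # Assumption: a Standard SKU static public IP, which current gateway SKUs require.
        f"az network public-ip create -g {resource_group} -n {public_ip_name} "
        f"-l {location} --sku Standard --allocation-method Static",
        # Route-based VPN gateway on a non-Basic SKU; creation takes about 20 minutes.
        f"az network vnet-gateway create -g {resource_group} -n {gateway_name} "
        f"-l {location} --vnet {vnet} --public-ip-address {public_ip_name} "
        f"--gateway-type Vpn --vpn-type RouteBased --sku {sku} --no-wait",
        # Point-to-site: OpenVPN tunnel, client address pool, Azure AD authentication.
        f"az network vnet-gateway update -g {resource_group} -n {gateway_name} "
        f"--client-protocol OpenVPN --address-prefixes {address_pool} "
        f"--vpn-auth-type AAD --aad-tenant {aad['tenant']} "
        f"--aad-audience {aad['audience']} --aad-issuer {aad['issuer']}",
    ]


if __name__ == "__main__":
    # Constructed sample values, not a real tenant or subscription.
    for cmd in az_commands("rg-vpn", "vnet-hub", "vgw-p2s", "pip-vgw-p2s",
                           "westeurope", "11111111-2222-3333-4444-555555555555",
                           "10.0.255.0/27", "172.16.201.0/24"):
        print(cmd)
```

The values under `aad_p2s_settings` are exactly what you would otherwise type into the Tenant, Audience and Issuer fields of the Point-to-site blade; the trailing slash on the issuer and the GUID format are the usual sources of a gateway that builds fine but rejects every login.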

How to Download the VPN Client and Connect to the Gateway

Download the VPN client, using the button.

Extract the downloaded zip file.

In the AzureVPN folder you will find the configuration XML.

Open the Microsoft Store and get the Azure VPN Client.

Open the Azure VPN Client and, at the lower left corner, press the + and import the XML configuration file.

Accept all the settings and press Save.

The Azure VPN connection will appear in the Azure VPN client and also in the Windows 10 network connections, like any other VPN.

Azure VPN Client:

Windows 10 Network Connections:

Once you press Connect, it will prompt you to connect using the account(s) that you are already using on your Windows 10 machine, or to use a different account.

You will be prompted for MFA or any other conditional access policy you have applied, and then you will be connected.

Conditional Access & Multi-Factor Authentication (MFA)

You can add Conditional Access to the Azure client VPN connection. Go to Azure Active Directory / Security / Conditional Access and create a new Policy.

Select the “Azure VPN” at the “Cloud apps or actions” section

At the Access Controls / Grant section, you can require multi-factor authentication, or an AD joined device, or a compliant device, or all of them.

At the “Conditions” section you can control the locations the policy applies to. For example, you can apply the MFA requirement at “Any location” and exclude the “Trusted locations”, so that MFA is not required when the device is at a trusted location, like your company’s network.
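
The Conditional Access policy described above, expressed as the JSON document that the Microsoft Graph conditional access API accepts, so the same policy can be created from code or kept in version control. This is an added example, not part of the original guide: it targets the Azure VPN application by its Application ID, maps the three Grant options named above (MFA, AD joined device, compliant device) to their built-in control names, excludes trusted locations, and defaults to report-only mode so sign-in logs show the effect before anything is enforced. It does not call Graph; the property names follow the `conditionalAccessPolicy` resource as I know it and should be checked against the Graph reference before use. The display names are constructed.

```python
"""Conditional Access policy for the Azure VPN app as a Graph API document.

Added example, not part of the original guide. It builds the JSON body for
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
that matches the portal choices above (Azure VPN as the cloud app, MFA and/or
device controls under Grant, trusted locations excluded). It does not call
Graph. Property names follow the conditionalAccessPolicy resource as I know
it; check them against the Graph reference before use.
"""
import json

# Application ID of the "Azure VPN" enterprise application (client_id in the
# guide's consent URL); "includeApplications" takes the app ID, not the name.
AZURE_VPN_APP_ID = "41b23e61-6c1e-4545-b367-cd054e0ed4b4"

# Built-in grant controls corresponding to the three options named in the guide.
GRANT_CONTROLS = {
    "mfa": "mfa",
    "ad_joined_device": "domainJoinedDevice",
    "compliant_device": "compliantDevice",
}


def build_vpn_ca_policy(display_name, controls, require_all=False,
                        exclude_trusted_locations=True, report_only=True):
    """Return the policy document as a dict.

    controls: keys of GRANT_CONTROLS. require_all=False means "Require one of
    the selected controls" (operator OR); True means all of them (AND).
    report_only=True creates the policy in report-only mode, so the sign-in
    logs show who would have been challenged or blocked before it is enforced.
    """
    unknown = [c for c in controls if c not in GRANT_CONTROLS]
    if unknown:
        raise ValueError(f"unknown grant control(s): {unknown}")
    # Map to Graph names and drop duplicates while keeping order.
    built_in = list(dict.fromkeys(GRANT_CONTROLS[c] for c in controls))
    if not built_in:
        raise ValueError("at least one grant control is required")

    conditions = {
        "clientAppTypes": ["all"],
        "applications": {"includeApplications": [AZURE_VPN_APP_ID]},
        "users": {"includeUsers": ["All"]},
    }
    if exclude_trusted_locations:
        # "Any location" minus the named locations marked as trusted in the tenant.
        conditions["locations"] = {
            "includeLocations": ["All"],
            "excludeLocations": ["AllTrusted"],
        }
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": conditions,
        "grantControls": {
            "operator": "AND" if require_all else "OR",
            "builtInControls": built_in,
        },
    }


def to_json(policy):
    """Serialize for the request body (for example `az rest --body @policy.json`)."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed sample: MFA required for Azure VPN everywhere except trusted locations.
    print(to_json(build_vpn_ca_policy(
        "Azure VPN - MFA outside trusted locations", ["mfa"])))
```

Switching `report_only` to `False` is the same step as moving the portal policy from “Report-only” to “On”; keeping the exclusion of trusted locations is what makes the policy match the example in the text, where MFA is skipped only on the company network.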

https://www.e-apostolidis.gr/microsoft/azure/azure-client-vpn-with-azure-ad-auth-mfa-step-by-step-guide/
