Configure the Azure VPN Client - Microsoft Entra authentication - macOS
This article helps you configure a VPN client for a computer running macOS 10.15 and later to connect to a virtual network using Point-to-Site VPN and Microsoft Entra authentication. Before you can connect and authenticate using Microsoft Entra ID, you must first configure your Microsoft Entra tenant. For more information, see Configure a Microsoft Entra tenant. For more information about Point-to-Site connections, see About Point-to-Site connections.
Note
- Microsoft Entra authentication is supported only for OpenVPN® protocol connections and requires the Azure VPN Client.
- The Azure VPN client for macOS is currently not available in France and China due to local regulations and requirements.
For every computer that you want to connect to a virtual network using a Point-to-Site VPN connection, you need to do the following:
- Download the Azure VPN Client to the computer.
- Configure a client profile that contains the VPN settings.
If you want to configure multiple computers, you can create a client profile on one computer, export it, and then import it to other computers.
Prerequisites
Before you can connect and authenticate using Microsoft Entra ID, you must first configure your Microsoft Entra tenant. For more information, see Configure a Microsoft Entra tenant. Also, if your device is running macOS M1 or macOS M2, you must install Rosetta software if it isn't already installed on the device. See instructions here.
Download the Azure VPN Client
- Download the Azure VPN Client from the Apple Store.
- Install the client on your computer.
Generate VPN client profile configuration files
- To generate the VPN client profile configuration package, see Working with P2S VPN client profile files.
- Download and extract the VPN client profile configuration files.
Import VPN client profile configuration files
Note
We're in the process of changing the Azure VPN Client fields for Azure Active Directory to Microsoft Entra. If you see Microsoft Entra fields referenced in this article, but don't yet see those values reflected in the client, select the comparable Azure Active Directory values.
On the Azure VPN Client page, select Import.
Navigate to the profile file that you want to import, select it, then click Open.
View the connection profile information. Change the Certificate Information value to show DigiCert Global Root G2, rather than the default or blank, then click Save.
In the VPN connections pane, select the connection profile that you saved. Then, click Connect.
Once connected, the status changes to Connected. To disconnect from the session, click Disconnect.
To create a connection manually
Open the Azure VPN Client. Select Add to create a new connection.
On the Azure VPN Client page, you can configure the profile settings. Change the Certificate Information value to show DigiCert Global Root G2, rather than the default or blank, then click Save.
Configure the following settings:
- Connection Name: The name by which you want to refer to the connection profile.
- VPN Server: The name that you want to use to refer to the server. The name you choose here doesn't need to be the formal name of a server.
- Server Validation
  - Certificate Information: The certificate CA.
  - Server Secret: The server secret.
- Client Authentication
  - Authentication Type: Microsoft Entra ID
  - Tenant: Name of the tenant.
  - Issuer: Name of the issuer.
After filling in the fields, click Save.
In the VPN connections pane, select the connection profile that you configured. Then, click Connect.
Using your credentials, sign in to connect.
Once connected, you'll see the Connected status. To disconnect from the session, click Disconnect.
To remove a VPN connection profile
You can remove the VPN connection profile from your computer.
Navigate to the Azure VPN Client.
Select the VPN connection that you want to remove, click the dropdown, and select Remove.
In the Remove VPN connection? box, click Remove.
Optional Azure VPN Client configuration settings
You can configure the Azure VPN Client with optional configuration settings such as additional DNS servers, custom DNS, forced tunneling, custom routes, and other additional settings. For a description of the available optional settings and configuration steps, see Azure VPN Client optional settings.
Next steps
For more information, see Create a Microsoft Entra tenant for P2S Open VPN connections that use Microsoft Entra authentication.