Configure a Point-to-Site User VPN connection - Azure Active Directory authentication
This article shows you how to configure Azure AD authentication for User VPN in Virtual WAN to connect to your resources in Azure over an OpenVPN connection. Azure Active Directory authentication is only available for gateways using the OpenVPN protocol. For more information about Virtual WAN, see the Virtual WAN Overview.
Note
Azure AD authentication is supported for OpenVPN® protocol connections only and requires the Azure VPN client.
In this article, you learn how to:
- Create a virtual WAN
- Create a User VPN configuration
- Download a virtual WAN User VPN profile
- Create a virtual hub
- Edit a hub to add P2S gateway
- Connect a VNet to a virtual hub
- Download and apply the User VPN client configuration
- View your virtual WAN
Before you begin
Verify that you have met the following criteria before beginning your configuration:
You have a virtual network that you want to connect to. Verify that none of the subnets of your on-premises networks overlap with the virtual networks that you want to connect to. To create a virtual network in the Azure portal, see the Quickstart.
Your virtual network does not have any virtual network gateways. If your virtual network has a gateway (either VPN or ExpressRoute), you must remove all gateways. This configuration requires that virtual networks connect to the Virtual WAN hub gateway instead.
Obtain an IP address range for your hub region. The hub is a virtual network that is created and used by Virtual WAN. The address range that you specify for the hub cannot overlap with any of your existing virtual networks that you connect to. It also cannot overlap with your address ranges that you connect to on premises. If you are unfamiliar with the IP address ranges located in your on-premises network configuration, coordinate with someone who can provide those details for you.
If you don't have an Azure subscription, create a free account.
Create a virtual WAN
From a browser, navigate to the Azure portal and sign in with your Azure account.
In the portal, in the Search resources bar, type Virtual WAN in the search box and select Enter.
Select Virtual WANs from the results. On the Virtual WANs page, select + Create to open the Create WAN page.
On the Create WAN page, on the Basics tab, fill in the fields. Modify the example values to apply to your environment.
- Subscription: Select the subscription that you want to use.
- Resource group: Create new or use existing.
- Resource group location: Choose a resource location from the dropdown. A WAN is a global resource and does not live in a particular region. However, you must select a region in order to manage and locate the WAN resource that you create.
- Name: Type the Name that you want to call your virtual WAN.
- Type: Basic or Standard. Select Standard. If you select Basic, understand that Basic virtual WANs can only contain Basic hubs. Basic hubs can only be used for site-to-site connections.
After you finish filling out the fields, at the bottom of the page, select Review + Create.
Once validation passes, click Create to create the virtual WAN.
Create a User VPN configuration
A User VPN configuration defines the parameters for connecting remote clients. It is important to create the User VPN configuration before configuring your virtual hub with P2S settings, as you must specify the User VPN configuration you want to use.
Navigate to your Virtual WAN -> User VPN configurations page and click +Create user VPN config.
On the Basics page, specify the parameters.
- Configuration name - Enter the name you want to call your User VPN Configuration.
- Tunnel type - Select OpenVPN from the dropdown menu.
Click Azure Active Directory to open the page.
Toggle Azure Active Directory to Yes and supply the following values based on your tenant details. You can view the necessary values on the Azure Active Directory page for Enterprise applications in the portal.
- Authentication method - Select Azure Active Directory.
- Audience - Type in the Application ID of the Azure VPN Enterprise Application registered in your Azure AD tenant.
- Issuer - https://sts.windows.net/<your Directory ID>/
- AAD Tenant - https://login.microsoftonline.com/<your Directory ID>
Click Create to create the User VPN configuration. You will select this configuration later in the exercise.
Create an empty hub
For this exercise, we create an empty virtual hub. In the next section, you add a gateway to an already existing hub. However, it is also possible to combine these steps and create the hub with the P2S gateway settings all at once.
Locate the Virtual WAN that you created. On the Virtual WAN page, under the Connectivity section, select Hubs.
On the Hubs page, click + New Hub to open the Create virtual hub page.
On the Basics tab, fill in the values.
- Region: Select the region in which you want to deploy the virtual hub.
- Name: The name by which you want the virtual hub to be known.
- Hub private address space: The hub's address range in CIDR notation.
Click Review + create.
On the Validation passed page, click Create.
Add a P2S gateway to a hub
This section shows you how to add a gateway to an already existing virtual hub. Updating the hub in this step can take up to 30 minutes to complete.
Navigate to the Hubs page under the virtual WAN.
Select the hub to which you want to associate the VPN server configuration and click the ellipsis (...) to show the menu. Then, click Edit virtual hub.
On the Edit virtual hub page, check the checkboxes for Include vpn gateway for vpn sites and Include point-to-site gateway to reveal the settings. Then configure the values.
- Gateway scale units: Select the Gateway scale units. Scale units represent the aggregate capacity of the User VPN gateway. If you select 40 or more gateway scale units, plan your client address pool accordingly. For information about how this setting impacts the client address pool, see About client address pools. For information about gateway scale units, see the FAQ.
- User VPN configuration: Select the configuration that you created earlier.
- Client address pool: Specify the client address pool from which the VPN clients will be assigned IP addresses. This setting corresponds to the gateway scale units that you
Click Confirm. It can take up to 30 minutes to update the hub.
Connect VNet to hub
In this section, you create a connection between your virtual hub and your VNet.
Navigate to your Virtual WAN.
Select Virtual network connections.
On the virtual network connection page, select +Add connection.
On the Add connection page, configure the required settings. For more information about routing settings, see About routing.
- Connection name: Name your connection.
- Hubs: Select the hub you want to associate with this connection.
- Subscription: Verify the subscription.
- Resource group: The resource group that contains the VNet.
- Virtual network: Select the virtual network you want to connect to this hub. The virtual network you select can't have an already existing virtual network gateway.
- Propagate to none: This is set to No by default. Changing the switch to Yes makes the configuration options for Propagate to Route Tables and Propagate to labels unavailable for configuration.
- Associate Route Table: You can select the route table that you want to associate.
- Static routes: You can use this setting to specify next hop.
Once you have completed the settings you want to configure, select Create to create the connection.
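The following script is added here as an example and is not part of the Azure documentation or the Azure CLI itself. It covers two things from the walkthrough: the address-range rules from Before you begin (hub, client pool, VNet and on-premises ranges must not overlap) and the five configuration steps above (virtual WAN, User VPN configuration, empty hub, point-to-site gateway, VNet connection) expressed as Azure CLI calls in the same order. Everything in it is an assumption of the example: the resource names, CIDR ranges and tenant ID are constructed placeholders, AUDIENCE stands for the Application ID you read from the Azure VPN enterprise application in your own tenant, and the az network vwan, vpn-server-config, vhub, p2s-vpn-gateway and vhub connection commands and their flags are those of the Azure CLI virtual-wan extension as the author understands them; confirm them with `az <command> --help` for your CLI version before running with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the Azure documentation: validates the inputs the
# walkthrough asks you to check, then prints (DRY_RUN=1, the default) or runs
# (DRY_RUN=0) the Azure CLI calls that mirror the portal steps.
# All names, ranges and IDs below are constructed placeholders.
set -eu

RG="${RG:-vwan-p2s-rg}"                          # resource group
LOCATION="${LOCATION:-westus}"                   # region used to manage the WAN resource
VWAN="${VWAN:-contoso-vwan}"
HUB="${HUB:-contoso-hub}"
VNET_NAME="${VNET_NAME:-contoso-vnet}"           # must not own a VPN/ExpressRoute gateway
HUB_PREFIX="${HUB_PREFIX:-10.1.0.0/16}"          # hub private address space
CLIENT_POOL="${CLIENT_POOL:-192.168.100.0/24}"   # point-to-site client address pool
VNET_PREFIX="${VNET_PREFIX:-10.2.0.0/16}"
ONPREM_PREFIXES="${ONPREM_PREFIXES:-172.16.0.0/12 10.3.0.0/16}"  # space separated
TENANT_ID="${TENANT_ID:-00000000-0000-0000-0000-000000000000}"   # placeholder directory ID
AUDIENCE="${AUDIENCE:-<azure-vpn-app-id>}"       # placeholder: Azure VPN app's Application ID
DRY_RUN="${DRY_RUN:-1}"

# Dotted-quad IPv4 address -> integer (subshell keeps the IFS change local).
ip2int() (
  IFS=.; set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Succeeds when two CIDR ranges share at least one address: under the shorter of
# the two prefix lengths, both network addresses are identical exactly when the
# ranges overlap.
cidr_overlaps() {
  a_ip=$(ip2int "${1%/*}"); a_len=${1#*/}
  b_ip=$(ip2int "${2%/*}"); b_len=${2#*/}
  if [ "$b_len" -lt "$a_len" ]; then len=$b_len; else len=$a_len; fi
  mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  [ $(( a_ip & mask )) -eq $(( b_ip & mask )) ]
}

# Checks every pair of the given ranges; reports each overlap and fails if any
# exist. This is the "Before you begin" rule: hub, client pool, VNet and
# on-premises ranges must all be disjoint.
check_ranges() {
  status=0
  while [ $# -gt 1 ]; do
    x=$1; shift
    for y in "$@"; do
      if cidr_overlaps "$x" "$y"; then
        echo "overlap: $x and $y" >&2; status=1
      fi
    done
  done
  return $status
}

# Directory (tenant) IDs are GUIDs; reject a pasted tenant name or URL early.
is_guid() {
  printf '%s' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# The two tenant-derived values entered in the User VPN configuration step.
aad_issuer() { echo "https://sts.windows.net/$1/"; }
aad_tenant() { echo "https://login.microsoftonline.com/$1"; }

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

deploy() {
  is_guid "$TENANT_ID" || { echo "TENANT_ID must be the directory ID (a GUID)" >&2; return 1; }
  check_ranges $HUB_PREFIX $CLIENT_POOL $VNET_PREFIX $ONPREM_PREFIXES || return 1
  # Commands below are from the Azure CLI virtual-wan extension (az extension add -n virtual-wan).
  # 1. Standard virtual WAN (a Basic WAN can only hold Basic hubs, which are site-to-site only)
  run az network vwan create -g "$RG" -n "$VWAN" -l "$LOCATION" --type Standard
  # 2. User VPN configuration: OpenVPN tunnel with Azure AD authentication
  run az network vpn-server-config create -g "$RG" -n "$VWAN-aad-cfg" -l "$LOCATION" \
    --vpn-protocols OpenVPN --auth-types AAD --aad-audience "$AUDIENCE" \
    --aad-issuer "$(aad_issuer "$TENANT_ID")" --aad-tenant "$(aad_tenant "$TENANT_ID")"
  # 3. Empty hub with its own address space
  run az network vhub create -g "$RG" -n "$HUB" --vwan "$VWAN" -l "$LOCATION" --address-prefix "$HUB_PREFIX"
  # 4. Point-to-site gateway on the hub: scale units, client pool, configuration from step 2
  run az network p2s-vpn-gateway create -g "$RG" -n "$HUB-p2s" --vhub "$HUB" \
    --scale-unit 1 --address-space "$CLIENT_POOL" --vpn-server-config "$VWAN-aad-cfg"
  # 5. Connect the VNet to the hub
  run az network vhub connection create -g "$RG" -n "$VNET_NAME-conn" --vhub-name "$HUB" --remote-vnet "$VNET_NAME"
}

deploy
```

By default the script validates the inputs and only prints the commands. The overlap check catches the most common reason a hub, client pool or VNet range is rejected or routes silently the wrong way, and the GUID check catches a tenant display name pasted where the directory ID belongs in the Issuer and AAD Tenant values.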
Download User VPN profile
All of the necessary configuration settings for the VPN clients are contained in a VPN client configuration zip file. The settings in the zip file help you easily configure the VPN clients. The VPN client configuration files that you generate are specific to the User VPN configuration for your gateway. In this section, you generate and download the files used to configure your VPN clients.
On the page for your virtual WAN, select User VPN configurations.
On the User VPN configurations page, select a configuration, then select Download virtual WAN user VPN profile.
When you download the WAN-level configuration, you get a built-in Traffic Manager-based User VPN profile.
For information about global profiles and hub-based profiles, see Hub profiles. Failover scenarios are simplified with the global profile.
If for some reason a hub is unavailable, the built-in traffic management provided by the service ensures connectivity (via a different hub) to Azure resources for point-to-site users. You can always download a hub-specific VPN configuration by navigating to the hub. Under User VPN (point to site), download the virtual hub User VPN profile.
On the Download virtual WAN user VPN profile page, select the Authentication type you want, then click Generate and download profile.
A profile package (zip file) containing the client configuration settings is generated and downloads to your computer.
Configure User VPN clients
Each computer that connects must have a client installed. You configure each client by using the VPN User client profile files that you downloaded in the previous steps. Use the article that pertains to the operating system from which you want to connect.
To configure macOS VPN clients (Preview)
For macOS client instructions, see Configure a VPN client - macOS (Preview).
To configure Windows VPN clients
Download the Azure VPN Client to each computer.
Verify that the Azure VPN Client has permission to run in the background. To check and enable permissions, navigate to Start -> Settings -> Privacy -> Background Apps.
Under Background Apps, make sure Let apps run in the background is turned On.
Under Choose which apps can run in the background, turn settings for Azure VPN Client to On.
To import a VPN client profile (Windows)
In the Azure VPN Client, select Import.
Browse to the profile XML file and select it. With the file selected, select Open.
Specify the name of the profile and select Save.
Select Connect to connect to the VPN.
Once connected, the icon will turn green and say Connected.
To delete a client profile - Windows
Select the ellipsis (...) next to the client profile that you want to delete. Then, select Remove.
Select Remove to delete.
Diagnose connection issues - Windows
To diagnose connection issues, you can use the Diagnose tool. Select the ellipsis (...) next to the VPN connection that you want to diagnose to reveal the menu. Then select Diagnose.
On the Connection Properties page, select Run Diagnosis.
Sign in with your credentials.
View the diagnosis results.
View your virtual WAN
- Navigate to the virtual WAN.
- On the Overview page, each point on the map represents a hub.
- In the Hubs and connections section, you can view hub status, site, region, VPN connection status, and bytes in and out.
Clean up resources
When you no longer need the resources that you created, delete them. Some of the Virtual WAN resources must be deleted in a certain order due to dependencies. Deleting can take about 30 minutes to complete.
Open the virtual WAN that you created.
Select a virtual hub associated with the virtual WAN to open the hub page.
Delete all gateway entities in the following order for each gateway type. This can take 30 minutes to complete.
VPN:
- Disconnect VPN Sites
- Delete VPN connections
- Delete VPN Gateways
ExpressRoute:
- Delete ExpressRoute Connections
- Delete ExpressRoute Gateways
You can either delete the hub at this point, or delete it later when you delete the resource group.
Repeat for all hubs associated with the virtual WAN.
Navigate to the resource group in the Azure portal.
Select Delete resource group. This deletes everything in the resource group, including the hubs and the virtual WAN.
Next steps
To learn more about Virtual WAN, see the Virtual WAN Overview page.