Configure an Azure VPN Client - Azure AD authentication - Windows
This article helps you configure the Azure VPN Client on a Windows computer to connect to a virtual network using a VPN Gateway point-to-site VPN and Azure Active Directory authentication. Before you can connect and authenticate using Azure AD, you must first configure your Azure AD tenant. For more information, see Configure an Azure AD tenant. For more information about point-to-site, see About point-to-site VPN.
Note
Azure AD authentication is supported only for OpenVPN® protocol connections and requires the Azure VPN Client.
Workflow
After your Azure VPN Gateway point-to-site configuration is complete, your next steps are as follows:
- Download and install the Azure VPN Client.
- Generate the VPN client profile configuration package.
- Import the client profile settings to the VPN client.
- Create a connection.
- Optional - export the profile settings from the client and import to other client computers.
Download the Azure VPN Client
Download the latest version of the Azure VPN Client install files using one of the following links:
- Install using Client Install files: https://aka.ms/azvpnclientdownload.
- Install directly, when signed in on a client computer: Microsoft Store.
Install the Azure VPN Client to each computer.
Verify that the Azure VPN Client has permission to run in the background. For steps, see Windows background apps.
To verify the installed client version, open the Azure VPN Client. Go to the bottom of the client and click ... -> ? Help. In the right pane, you can see the client version number.
Generate the VPN client profile configuration package
To generate the VPN client profile configuration package, see Working with P2S VPN client profile files. After you generate the package, follow the steps to extract the profile configuration files.
Import the profile file
For Azure AD authentication configurations, the azurevpnconfig.xml is used. The file is located in the AzureVPN folder of the VPN client profile configuration package.
On the page, select Import.
Browse to the profile xml file and select it. With the file selected, select Open.
Specify the name of the profile and select Save.
Select Connect to connect to the VPN.
Once connected, the icon will turn green and say Connected.
Create a connection
On the page, select +, then + Add.
Fill out the connection information. If you're unsure of the values, contact your administrator. After filling out the values, select Save.
Select Connect to connect to the VPN.
Select the proper credentials, then select Continue.
Once successfully connected, the icon will turn green and say Connected.
To connect automatically
These steps help you configure your connection to connect automatically with Always-on.
On the home page for your VPN client, select VPN Settings.
Select Yes on the switch apps dialogue box.
Make sure the connection that you want to set isn't already connected, then highlight the profile and check the Connect automatically check box.
Select Connect to initiate the VPN connection.
Export and distribute a client profile
Once you have a working profile and need to distribute it to other users, you can export it using the following steps:
Highlight the VPN client profile that you want to export, select the ..., then select Export.
Select the location that you want to save this profile to, leave the file name as is, then select Save to save the xml file.
Delete a client profile
Select the ellipses next to the client profile that you want to delete. Then, select Remove.
Select Remove to delete.
Diagnose connection issues
To diagnose connection issues, you can use the Diagnose tool. Select the ... next to the VPN connection that you want to diagnose to reveal the menu. Then select Diagnose.
On the Connection Properties page, select Run Diagnosis.
Sign in with your credentials.
View the diagnosis results.
FAQ
Is the Azure VPN Client supported with Windows FIPS mode?
Yes, with the KB4577063 hotfix.
How do I add DNS suffixes to the VPN client?
You can modify the downloaded profile XML file and add the <dnssuffixes><dnssuffix></dnssuffix></dnssuffixes> tags.
<azvpnprofile>
<clientconfig>
<dnssuffixes>
<dnssuffix>.mycorp.com</dnssuffix>
<dnssuffix>.xyz.com</dnssuffix>
<dnssuffix>.etc.net</dnssuffix>
</dnssuffixes>
</clientconfig>
</azvpnprofile>
How do I add custom DNS servers to the VPN client?
You can modify the downloaded profile XML file and add the <dnsservers><dnsserver> </dnsserver></dnsservers> tags.
<azvpnprofile>
<clientconfig>
<dnsservers>
<dnsserver>x.x.x.x</dnsserver>
<dnsserver>y.y.y.y</dnsserver>
</dnsservers>
</clientconfig>
</azvpnprofile>
Note
The OpenVPN Azure AD client utilizes DNS Name Resolution Policy Table (NRPT) entries, which means DNS servers will not be listed under the output of ipconfig /all. To confirm your in-use DNS settings, please consult Get-DnsClientNrptPolicy in PowerShell.
Can I configure split tunneling for the VPN client?
Split tunneling is configured by default for the VPN client.
How do I direct all traffic to the VPN tunnel (forced tunneling)?
You can configure forced tunneling using one of two methods: by advertising custom routes, or by modifying the profile XML file.
Note
Internet connectivity is not provided through the VPN gateway. As a result, all traffic bound for the Internet is dropped.
Advertise custom routes: You can advertise custom routes 0.0.0.0/1 and 128.0.0.0/1. For more information, see Advertise custom routes for P2S VPN clients.
Profile XML: You can modify the downloaded profile XML file to add the <includeroutes><route><destination></destination><mask></mask></route></includeroutes> tags.
<azvpnprofile>
<clientconfig>
<includeroutes>
<route>
<destination>0.0.0.0</destination><mask>1</mask>
</route>
<route>
<destination>128.0.0.0</destination><mask>1</mask>
</route>
</includeroutes>
</clientconfig>
</azvpnprofile>
How do I add custom routes to the VPN client?
You can modify the downloaded profile XML file and add the <includeroutes><route><destination></destination><mask></mask></route></includeroutes> tags.
<azvpnprofile>
<clientconfig>
<includeroutes>
<route>
<destination>x.x.x.x</destination><mask>24</mask>
</route>
</includeroutes>
</clientconfig>
</azvpnprofile>
How do I block (exclude) routes from the VPN client?
You can modify the downloaded profile XML file and add the <excluderoutes><route><destination></destination><mask></mask></route></excluderoutes> tags.
<azvpnprofile>
<clientconfig>
<excluderoutes>
<route>
<destination>x.x.x.x</destination><mask>24</mask>
</route>
</excluderoutes>
</clientconfig>
</azvpnprofile>
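The profile edits described in the FAQ entries above (DNS suffixes, DNS servers, forced tunneling, custom routes and excluded routes) as one added Python example; this is not code from this article or from the Azure VPN Client. It assumes the unnamespaced <azvpnprofile><clientconfig> layout shown in the snippets above, and it validates each address and prefix before writing it so that a malformed entry is rejected instead of landing in the profile.

```python
"""Add DNS suffixes, DNS servers and routes to an Azure VPN Client profile.

Example code written for this article, not part of the Azure VPN Client.
It relies only on the <azvpnprofile><clientconfig> layout shown above; a
downloaded azurevpnconfig.xml contains further elements that are left as-is.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed minimal profile used as input; not a real downloaded file.
SAMPLE_PROFILE = "<azvpnprofile><clientconfig></clientconfig></azvpnprofile>"

# The two routes that together cover all of IPv4 (forced tunneling).
FORCED_TUNNEL = ("0.0.0.0/1", "128.0.0.0/1")


def _child(parent, tag):
    """Return the existing <tag> child of parent, creating it if missing."""
    node = parent.find(tag)
    return node if node is not None else ET.SubElement(parent, tag)


def _add_routes(cfg, container, prefixes):
    """Append <route><destination/><mask/></route> entries under <container>."""
    node = _child(cfg, container)
    for prefix in prefixes:
        # strict=True rejects prefixes with host bits set (e.g. 10.1.2.5/24)
        net = ipaddress.ip_network(prefix, strict=True)
        route = ET.SubElement(node, "route")
        ET.SubElement(route, "destination").text = str(net.network_address)
        ET.SubElement(route, "mask").text = str(net.prefixlen)  # prefix length, as in the article


def customize_profile(xml_text, dns_suffixes=(), dns_servers=(), include=(), exclude=()):
    """Return xml_text with the requested <clientconfig> settings added."""
    root = ET.fromstring(xml_text)
    cfg = _child(root, "clientconfig")
    for suffix in dns_suffixes:
        ET.SubElement(_child(cfg, "dnssuffixes"), "dnssuffix").text = suffix
    for server in dns_servers:
        # ip_address() raises ValueError on anything that is not a literal IP address
        ET.SubElement(_child(cfg, "dnsservers"), "dnsserver").text = str(ipaddress.ip_address(server))
    if include:
        _add_routes(cfg, "includeroutes", include)
    if exclude:
        _add_routes(cfg, "excluderoutes", exclude)
    return ET.tostring(root, encoding="unicode")


def routes_in(xml_text, container):
    """List (destination, mask) pairs under <clientconfig><container> for review."""
    node = ET.fromstring(xml_text).find(f"clientconfig/{container}")
    if node is None:
        return []
    return [(r.findtext("destination"), r.findtext("mask")) for r in node.findall("route")]


if __name__ == "__main__":
    print(customize_profile(SAMPLE_PROFILE, dns_suffixes=[".mycorp.com"],
                            dns_servers=["10.0.0.4"], include=FORCED_TUNNEL))
```

Run it against a copy of your downloaded azurevpnconfig.xml and review the result with routes_in before importing it into the client.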
Can I import the profile from a command-line prompt?
You can import the profile from a command-line prompt by placing the downloaded azurevpnconfig.xml file in the %userprofile%\AppData\Local\Packages\Microsoft.AzureVpn_8wekyb3d8bbwe\LocalState folder and running the following command:
azurevpn -i azurevpnconfig.xml
To force the import, use the -f switch.
Next steps
For more information, see Create an Azure AD tenant for P2S Open VPN connections that use Azure AD authentication.