Configure the Azure VPN Client - Microsoft Entra authentication - macOS

This article helps you configure a VPN client for a computer running macOS 10.15 and later to connect to a virtual network using Point-to-Site VPN and Microsoft Entra authentication. Before you can connect and authenticate using Microsoft Entra ID, you must first configure your Microsoft Entra tenant. For more information, see Configure a Microsoft Entra tenant. For more information about Point-to-Site connections, see About Point-to-Site connections.

Note

  • Microsoft Entra authentication is supported only for OpenVPN® protocol connections and requires the Azure VPN Client.
  • The Azure VPN client for macOS is currently not available in France and China due to local regulations and requirements.

For every computer that you want to connect to a virtual network using a Point-to-Site VPN connection, you need to do the following:

  • Download the Azure VPN Client to the computer.
  • Configure a client profile that contains the VPN settings.

If you want to configure multiple computers, you can create a client profile on one computer, export it, and then import it to other computers.

Prerequisites

Before you can connect and authenticate using Microsoft Entra ID, you must first configure your Microsoft Entra tenant. For more information, see Configure a Microsoft Entra tenant. Also, if your device is running macOS M1 or macOS M2, you must install Rosetta software if it isn't already installed on the device. See instructions here.

Download the Azure VPN Client

  1. Download the Azure VPN Client from the Apple Store.
  2. Install the client on your computer.

Generate VPN client profile configuration files

  1. To generate the VPN client profile configuration package, see Working with P2S VPN client profile files.
  2. Download and extract the VPN client profile configuration files.

Import VPN client profile configuration files

Note

We're in the process of changing the Azure VPN Client fields for Azure Active Directory to Microsoft Entra. If you see Microsoft Entra fields referenced in this article, but don't yet see those values reflected in the client, select the comparable Azure Active Directory values.

  1. On the Azure VPN Client page, select Import.

    Screenshot of Azure VPN Client import selection.

  2. Navigate to the profile file that you want to import, select it, then click Open.

    Screenshot of Azure VPN Client import clicking open.

  3. View the connection profile information. Change the Certificate Information value to show DigiCert Global Root G2, rather than the default or blank, then click Save.

    Screenshot of Azure VPN Client saving the imported profile settings.

  4. In the VPN connections pane, select the connection profile that you saved. Then, click Connect.

    Screenshot of Azure VPN Client clicking Connect.

  5. Once connected, the status changes to Connected. To disconnect from the session, click Disconnect.

    Screenshot of Azure VPN Client connected status and disconnect button.

To create a connection manually

  1. Open the Azure VPN Client. Select Add to create a new connection.

    Screenshot of Azure VPN Client selecting Add.

  2. On the Azure VPN Client page, you can configure the profile settings. Change the Certificate Information value to show DigiCert Global Root G2, rather than the default or blank, then click Save.

    Screenshot of Azure VPN Client profile settings.

    Configure the following settings:

    • Connection Name: The name by which you want to refer to the connection profile.
    • VPN Server: The name that you want to use to refer to the server. The name you choose here doesn't need to be the formal name of a server.
    • Server Validation
      • Certificate Information: The certificate CA.
      • Server Secret: The server secret.
    • Client Authentication
      • Authentication Type: Microsoft Entra ID
      • Tenant: Name of the tenant.
      • Issuer: Name of the issuer.

  3. After filling in the fields, click Save.

  4. In the VPN connections pane, select the connection profile that you configured. Then, click Connect.

    Screenshot of Azure VPN Client connecting.

  5. Using your credentials, sign in to connect.

    Screenshot of Azure VPN Client sign in to connect.

  6. Once connected, you'll see the Connected status. When you want to disconnect, click Disconnect.

    Screenshot of Azure VPN Client connected and disconnect button.

To remove a VPN connection profile

You can remove the VPN connection profile from your computer.

  1. Navigate to the Azure VPN Client.

  2. Select the VPN connection that you want to remove, click the dropdown, and select Remove.

    Screenshot of remove.

  3. On the Remove VPN connection? box, click Remove.

    Screenshot of removing.

Optional Azure VPN Client configuration settings

You can configure the Azure VPN Client with optional configuration settings such as additional DNS servers, custom DNS, forced tunneling, custom routes, and other additional settings. For a description of the available optional settings and configuration steps, see Azure VPN Client optional settings.

Next steps

For more information, see Create a Microsoft Entra tenant for P2S Open VPN connections that use Microsoft Entra authentication.