Enable Azure AD Multi-Factor Authentication (MFA) for VPN users

If you want users to be prompted for a second factor of authentication before granting access, you can configure Azure AD Multi-Factor Authentication (MFA). You can configure MFA on a per user basis, or you can leverage MFA via Conditional Access.

  • MFA per user can be enabled at no additional cost. When per-user MFA is enabled, the user is prompted for a second factor against every application tied to the Azure AD tenant, not only the VPN. See Option 1 for steps.
  • Conditional Access gives finer-grained control over when a second factor is prompted. It can require MFA for the VPN only and leave other applications tied to the Azure AD tenant unaffected, but it needs Azure AD Premium P1 licensing. See Option 2 for steps.

Enable authentication

  1. Navigate to Azure Active Directory -> Enterprise applications -> All applications.

  2. On the Enterprise applications - All applications page, select Azure VPN.


Configure sign-in settings

On the Azure VPN - Properties page, configure sign-in settings.

  1. Set Enabled for users to sign-in? to Yes. With this set to Yes (and User assignment required? left at No), every user in the Azure AD tenant can sign in to the VPN.

  2. Set User assignment required? to Yes if you want to limit sign-in to only the users and groups that have been assigned to the Azure VPN application. Leaving it at No means any account in the tenant can authenticate to the VPN, so set it to Yes unless tenant-wide access is intended.

  3. Save your changes.


Option 1 - Per-user MFA

Open the MFA page

  1. Sign in to the Azure portal.

  2. Navigate to Azure Active Directory -> All users.

  3. Select Multi-Factor Authentication to open the multi-factor authentication page.


Select users

  1. On the multi-factor authentication page, select the user(s) for whom you want to enable MFA.

  2. Select Enable.


Option 2 - Conditional Access

Conditional Access allows for fine-grained access control on a per-application basis. To use Conditional Access, the users that will be subject to the Conditional Access rules must have Azure AD Premium P1 or higher licensing applied.

  1. Navigate to the Enterprise applications - All applications page and click Azure VPN.

    • Click Conditional Access.
    • Click New policy to open the New pane.

  2. On the New pane, navigate to Assignments -> Users and groups. On the Users and groups -> Include tab:

    • Click Select users and groups.
    • Check Users and groups.
    • Click Select to select a group or set of users to be affected by MFA.
    • Click Done.


  3. On the New pane, navigate to the Access controls -> Grant pane:

    • Click Grant access.
    • Click Require multi-factor authentication.
    • Click Require all the selected controls.
    • Click Select.


  4. In the Enable policy section:

    • Select On.
    • Click Create.
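The four portal steps above map onto a single Microsoft Graph conditionalAccessPolicy body. The following added example (not code from the original page or from Azure) builds that body, lints it for the mistakes that silently leave the VPN unprotected (policy left disabled, scoped to all apps instead of the VPN, no users in scope, MFA not in the grant controls), and models the include/exclude semantics for users and applications so you can check who would be prompted before submitting it. The group and application IDs are placeholders: substitute the object ID of the group selected in step 2 and the application ID of the Azure VPN enterprise application in your tenant. The emergency-access exclusion goes beyond the page's steps and is the usual safeguard against locking out break-glass accounts; submitting the body needs a Graph client holding Policy.ReadWrite.ConditionalAccess, which is outside this example.

```python
import json

# Placeholder identifiers (assumptions, not real tenant values). Replace
# VPN_USERS_GROUP_ID with the object ID of the group chosen in step 2 and
# AZURE_VPN_APP_ID with the application ID of the Azure VPN enterprise
# application in your tenant.
VPN_USERS_GROUP_ID = "11111111-1111-1111-1111-111111111111"
AZURE_VPN_APP_ID = "22222222-2222-2222-2222-222222222222"
EMERGENCY_ACCESS_GROUP_ID = "33333333-3333-3333-3333-333333333333"


def build_vpn_mfa_policy(app_id, include_group_ids, exclude_group_ids=(),
                         display_name="Require MFA for Azure VPN",
                         enabled=True):
    """Return the body for POST /identity/conditionalAccess/policies that
    mirrors Option 2: scope to the VPN application only (step 1), include the
    chosen groups (step 2), grant access only with MFA using 'Require all the
    selected controls' (step 3), and turn the policy on (step 4)."""
    return {
        "displayName": display_name,
        "state": "enabled" if enabled else "disabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {
                "includeGroups": list(include_group_ids),
                "excludeGroups": list(exclude_group_ids),
            },
            "applications": {"includeApplications": [app_id]},
        },
        "grantControls": {
            "operator": "AND",           # "Require all the selected controls"
            "builtInControls": ["mfa"],  # "Require multi-factor authentication"
        },
    }


def lint_policy(policy, app_id):
    """Check that a policy body enforces what the page describes.
    Returns a list of findings; an empty list means the policy is as intended."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("policy is not enabled; it will not prompt anyone")
    users = policy.get("conditions", {}).get("users", {})
    if not (users.get("includeGroups") or users.get("includeUsers")):
        findings.append("no users or groups in scope")
    apps = policy.get("conditions", {}).get("applications", {})
    included = apps.get("includeApplications", [])
    if "All" in included:
        findings.append("scoped to all applications, not only the VPN")
    elif app_id not in included:
        findings.append("Azure VPN application is not in scope")
    grant = policy.get("grantControls") or {}
    if "mfa" not in grant.get("builtInControls", []):
        findings.append("grant control does not require MFA")
    return findings


def mfa_required(policy, user_group_ids, app_id):
    """Simplified local model of the user and application conditions only
    (no location, device or platform conditions): a sign-in is prompted when
    the policy is enabled, the app is in scope, and the user is in an included
    group and not in an excluded group (exclusions take precedence)."""
    if policy["state"] != "enabled":
        return False
    apps = policy["conditions"]["applications"]["includeApplications"]
    if "All" not in apps and app_id not in apps:
        return False
    users = policy["conditions"]["users"]
    groups = set(user_group_ids)
    if groups & set(users.get("excludeGroups", [])):
        return False
    return bool(groups & set(users.get("includeGroups", [])))


if __name__ == "__main__":
    policy = build_vpn_mfa_policy(AZURE_VPN_APP_ID, [VPN_USERS_GROUP_ID],
                                  exclude_group_ids=[EMERGENCY_ACCESS_GROUP_ID])
    print(json.dumps(policy, indent=2))
    print("findings:", lint_policy(policy, AZURE_VPN_APP_ID))
```

Run the linter on the body before creating the policy, and again on what Graph returns after creation, since a policy saved in the "disabled" or report-only state looks complete in the portal list but prompts nobody.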


Next steps

To connect to your virtual network, you must create and configure a VPN client profile. See Configure a VPN client for P2S VPN connections.