Create an Azure Active Directory tenant for P2S OpenVPN protocol connections

When connecting to your VNet, you can use certificate-based authentication or RADIUS authentication. However, when you use the OpenVPN protocol, you can also use Azure Active Directory authentication. This article helps you set up an Azure AD tenant for P2S OpenVPN authentication.


Azure AD authentication is supported only for OpenVPN® protocol connections.

1. Create the Azure AD tenant

Create an Azure AD tenant using the steps in the Create a new tenant article:

  • Organizational name
  • Initial domain name



2. Create Azure AD tenant users

Next, create two user accounts. Create one Global Admin account and one master user account. The master user account is used as your master embedding account (service account). When you create an Azure AD tenant user account, you adjust the Directory role for the type of user that you want to create.

Use the steps in this article to create at least two users for your Azure AD tenant. Be sure to change the Directory Role to create the account types:

  • Global Admin
  • User

3. Enable Azure AD authentication on the VPN gateway

  1. Locate the Directory ID of the directory that you want to use for authentication. It is listed in the properties section of the Active Directory page.


  2. Copy the Directory ID.

  3. Sign in to the Azure portal as a user that is assigned the Global administrator role.

  4. Next, give admin consent. Copy and paste the URL that pertains to your deployment location in the address bar of your browser:


    Azure Government

    Microsoft Cloud Germany

    Azure China 21Vianet
  5. Select the Global Admin account if prompted.


  6. Select Accept when prompted.


  7. Under your Azure AD, in Enterprise applications, you see Azure VPN listed.


  8. If you don't already have a functioning point-to-site environment, follow the instructions to create one. See Create a point-to-site VPN to create and configure a point-to-site VPN gateway with native Azure certificate authentication.


    The Basic SKU is not supported for OpenVPN.

  9. Enable Azure AD authentication on the VPN gateway by running the following commands, being sure to modify the command to reflect your own environment:

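    # Replace every <...> placeholder with your own values. The URI hosts shown are the Azure public cloud endpoints.
    $gw = Get-AzVirtualNetworkGateway -Name <name of VPN gateway> -ResourceGroupName <Resource group>
    # Clear the root certificates left over from certificate authentication.
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -VpnClientRootCertificates @()
    # Configure Azure AD authentication. -VpnClientAddressPool requires a value; the AadIssuerUri value must end with a slash.
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -AadTenantUri "https://login.microsoftonline.com/<your Directory ID>" -AadAudienceId "41b23e61-6c1e-4545-b367-cd054e0ed4b4" -AadIssuerUri "https://sts.windows.net/<your Directory ID>/" -VpnClientAddressPool <VPN client address pool> -VpnClientProtocol OpenVPN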


    Make sure you include a trailing slash at the end of the AadIssuerUri value. Otherwise, the command will fail.

  10. Create and download the profile by running the following commands. Change the -ResourceGroupName and -Name values to match your own.

    $profile = New-AzVpnClientConfiguration -Name <name of VPN gateway> -ResourceGroupName <Resource group> -AuthenticationMethod "EapTls"
    $profile.VpnProfileSASUrl

  11. After running the commands, the result is a URL. Copy the result URL to your browser to download the profile zip file.


  12. Extract the downloaded zip file.

  13. Browse to the unzipped “AzureVPN” folder.

  14. Make a note of the location of the “azurevpnconfig.xml” file. The azurevpnconfig.xml file contains the settings for the VPN connection and can be imported directly into the Azure VPN Client application. You can also distribute this file, via e-mail or other means, to all the users that need to connect. Each user needs valid Azure AD credentials to connect successfully.
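
A read-back check for the gateway settings applied in step 9, added here as an example and not part of the original article. It compares the live gateway with what the steps above require (non-Basic SKU, OpenVPN only, no root certificates, the Azure VPN audience ID, issuer URI with a trailing slash). It assumes the `AadTenant`, `AadAudience` and `AadIssuer` property names exposed by the Az.Network module; the check descriptions are illustrative.

```powershell
# Added example (not from the original article). Replace the <...> placeholders.
$expectedAudience = '41b23e61-6c1e-4545-b367-cd054e0ed4b4'  # audience ID used in step 9
$directoryId      = '<your Directory ID>'

$gw  = Get-AzVirtualNetworkGateway -Name '<name of VPN gateway>' -ResourceGroupName '<Resource group>'
$cfg = $gw.VpnClientConfiguration   # point-to-site settings held on the gateway object

# Each entry maps a description to a boolean result. Property names are assumed
# to be those Az.Network exposes on the gateway's VpnClientConfiguration.
$checks = [ordered]@{
    'Gateway was found'                    = $null -ne $gw
    'Gateway SKU is not Basic'             = $gw.Sku.Name -ne 'Basic'
    'Point-to-site configuration exists'   = $null -ne $cfg
    'OpenVPN is the only client protocol'  = (@($cfg.VpnClientProtocols) -join ',') -eq 'OpenVPN'
    'No root certificates remain'          = -not $cfg.VpnClientRootCertificates
    'Client address pool is set'           = [bool]$cfg.VpnClientAddressPool.AddressPrefixes
    'Audience is the Azure VPN ID'         = $cfg.AadAudience -eq $expectedAudience
    'Tenant URI contains the Directory ID' = "$($cfg.AadTenant)" -like "*$directoryId*"
    'Issuer URI contains the Directory ID' = "$($cfg.AadIssuer)" -like "*$directoryId*"
    'Issuer URI ends with a slash'         = "$($cfg.AadIssuer)".EndsWith('/')
}

# Print one PASS/FAIL line per check and count the failures.
$failed = 0
foreach ($check in $checks.GetEnumerator()) {
    $ok = [bool]$check.Value
    if (-not $ok) { $failed++ }
    '{0}  {1}' -f $(if ($ok) { 'PASS' } else { 'FAIL' }), $check.Key
}

if ($failed -gt 0) {
    Write-Warning "$failed check(s) failed. Re-run step 9 before distributing azurevpnconfig.xml."
}
```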

Next steps

In order to connect to your virtual network, you must create and configure a VPN client profile. See Configure a VPN client for P2S VPN connections.