Create an Azure AD tenant for P2S OpenVPN protocol connections

When you connect to your VNet using Azure VPN Gateway Point-to-Site, you have a choice of which protocol to use. The protocol you use determines the authentication options that are available to you. If you want to use Azure Active Directory authentication, you can do so when using the OpenVPN protocol. This article helps you set up an Azure AD tenant. For more information about Point-to-Site protocols and authentication, see About Point-to-Site VPN.


Azure AD authentication is supported for OpenVPN® protocol connections only and requires the Azure VPN Client.

1. Verify Azure AD tenant

Verify that you have an Azure AD tenant. If you don't have an Azure AD tenant, you can create one using the steps in the Create a new tenant article. Note the following fields when creating your directory:

  • Organizational name
  • Initial domain name

2. Create Azure AD tenant users

Your Azure AD tenant needs the following accounts: a Global Admin account and a user account. The user account is used as your embedding account (service account). When you create an Azure AD tenant user account, you adjust the Directory role for the type of user that you want to create.

Use the steps in Add or delete users - Azure Active Directory to create at least two users for your Azure AD tenant. Be sure to change the Directory Role to create the account types:

  • Global Admin
  • User

3. Enable Azure AD authentication on the VPN gateway

  1. Locate the Tenant ID of the directory that you want to use for authentication. It's listed in the properties section of the Active Directory page. For help with finding your tenant ID, see How to find your Azure Active Directory tenant ID.

  2. Copy the Tenant ID.

  3. Sign in to the Azure portal as a user that is assigned the Global administrator role.

  4. Next, give admin consent. Copy and paste the URL that pertains to your deployment location in the address bar of your browser:


    Azure Government

    Microsoft Cloud Germany

    Azure China 21Vianet


    If you using a global admin account that is not native to the Azure AD tenant to provide consent, please replace “common” with the Azure AD tenant ID in the URL. You may also have to replace “common” with your tenant ID in certain other cases as well.

  5. Select the Global Admin account if prompted.

    Screnshot showing Pick an account page.

  6. Select Accept when prompted.

    Screenshot shows the message Permissions requested Accept for your organization with details and the option to accept.

  7. Under your Azure AD, in Enterprise applications, you see Azure VPN listed.

    Screenshot that shows the All applications page.

  8. If you don't already have a functioning point-to-site environment, follow the instruction to create one. See Create a point-to-site VPN to create and configure a point-to-site VPN gateway.


    The Basic SKU is not supported for OpenVPN.

  9. Enable Azure AD authentication on the VPN gateway by navigating to Point-to-site configuration and picking OpenVPN (SSL) as the Tunnel type. Select Azure Active Directory as the Authentication type, then fill in the information under the Azure Active Directory section.

    • Tenant: TenantID for the Azure AD tenant

      • Enter{AzureAD TenantID}/ for Azure Public AD
      • Enter{AzureAD TenantID/ for Azure Government AD
      • Enter{AzureAD TenantID/ for Azure Germany AD
      • Enter{AzureAD TenantID/ for China 21Vianet AD
    • Audience: Application ID of the "Azure VPN" Azure AD Enterprise App

      • Enter 41b23e61-6c1e-4545-b367-cd054e0ed4b4 for Azure Public
      • Enter 51bb15d4-3a4f-4ebf-9dca-40096fe32426 for Azure Government
      • Enter 538ee9e6-310a-468d-afef-ea97365856a9 for Azure Germany
      • Enter 49f817b6-84ae-4cc0-928c-73f27289b3aa for Azure China 21Vianet
    • Issuer: URL of the Secure Token Service{AzureAD TenantID}/

    Screenshot showing settings for Tunnel type, Authentication type, and Azure Active Directory settings.


    Make sure you include a trailing slash at the end of the AadIssuerUri value. Otherwise, the connection may fail.

  10. Create and download the profile by clicking on the Download VPN client link.

  11. Extract the downloaded zip file.

  12. Browse to the unzipped “AzureVPN” folder.

  13. Make a note of the location of the “azurevpnconfig.xml” file. The azurevpnconfig.xml contains the setting for the VPN connection and can be imported directly into the Azure VPN Client application. You can also distribute this file to all the users that need to connect via e-mail or other means. The user will need valid Azure AD credentials to connect successfully.

Next steps

Create and configure a VPN client profile. See Configure a VPN client for P2S VPN connections.