Create an Azure Active Directory tenant for P2S OpenVPN protocol connections
When connecting to your VNet, you can use certificate-based authentication or RADIUS authentication. However, when you use the Open VPN protocol, you can also use Azure Active Directory authentication. This article helps you set up an Azure AD tenant for P2S Open VPN authentication.
Azure AD authentication is supported only for OpenVPN® protocol connections.
1. Create the Azure AD tenant
Create an Azure AD tenant using the steps in the Create a new tenant article:
- Organizational name
- Initial domain name
2. Create Azure AD tenant users
Next, create two user accounts. Create one Global Admin account and one master user account. The master user account is used as your master embedding account (service account). When you create an Azure AD tenant user account, you adjust the Directory role for the type of user that you want to create.
Use the steps in this article to create at least two users for your Azure AD tenant. Be sure to change the Directory Role to create the account types:
- Global Admin
3. Enable Azure AD authentication on the VPN gateway
Locate the Directory ID of the directory that you want to use for authentication. It is listed in the properties section of the Active Directory page.
Copy the Directory ID.
Sign in to the Azure portal as a user that is assigned the Global administrator role.
Next, give admin consent. Copy and paste the URL that pertains to your deployment location in the address bar of your browser:
Microsoft Cloud Germany
Azure China 21Vianet
Select the Global Admin account if prompted.
Select Accept when prompted.
Under your Azure AD, in Enterprise applications, you see Azure VPN listed.
If you don't already have a functioning point-to-site environment, follow the instruction to create one. See Create a point-to-site VPN to create and configure a point-to-site VPN gateway with native Azure certificate authentication.
The Basic SKU is not supported for OpenVPN.
Enable Azure AD authentication on the VPN gateway by running the following commands, being sure to modify the command to reflect your own environment:
$gw = Get-AzVirtualNetworkGateway -Name <name of VPN gateway> -ResourceGroupName <Resource group> Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -VpnClientRootCertificates @() Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -AadTenantUri "https://login.microsoftonline.com/<your Directory ID>" -AadAudienceId "41b23e61-6c1e-4545-b367-cd054e0ed4b4" -AadIssuerUri "https://sts.windows.net/<your Directory ID>/" -VpnClientAddressPool 192.168.0.0/24 -VpnClientProtocol OpenVPN
Make sure you include a trailing slash at the end of the
AadIssuerUrivalue. Otherwise, the command will fail.
Create and download the profile by running the following commands. Change the -ResourceGroupName and -Name values to match your own.
$profile = New-AzVpnClientConfiguration -Name <name of VPN gateway> -ResourceGroupName <Resource group> -AuthenticationMethod "EapTls" $PROFILE.VpnProfileSASUrl
After running the commands, you see a result similar to the one below. Copy the result URL to your browser to download the profile zip file.
Extract the downloaded zip file.
Browse to the unzipped “AzureVPN” folder.
Make a note of the location of the “azurevpnconfig.xml” file. The azurevpnconfig.xml contains the setting for the VPN connection and can be imported directly into the Azure VPN Client application. You can also distribute this file to all the users that need to connect via e-mail or other means. The user will need valid Azure AD credentials to connect successfully.
In order to connect to your virtual network, you must create and configure a VPN client profile. See Configure a VPN client for P2S VPN connections.