Create an Azure Active Directory tenant for P2S OpenVPN protocol connections
When connecting to your VNet, you can use certificate-based authentication or RADIUS authentication. However, when you use the Open VPN protocol, you can also use Azure Active Directory authentication. This article helps you set up an Azure AD tenant for P2S Open VPN authentication.
Note
Azure AD authentication is supported only for OpenVPN® protocol connections.
1. Verify Azure AD tenant
Verify that you have an Azure AD tenant. If you don't have an Azure AD tenant, you can create one using the steps in the Create a new tenant article:
- Organizational name
- Initial domain name
Example:
2. Create Azure AD tenant users
Your Azure AD tenant needs the following accounts: a Global Admin account and a master user account. The master user account is used as your master embedding account (service account). When you create an Azure AD tenant user account, you adjust the Directory role for the type of user that you want to create.
Use the steps in this article to create at least two users for your Azure AD tenant. Be sure to change the Directory Role to create the account types:
- Global Admin
- User
3. Enable Azure AD authentication on the VPN gateway
Locate the Directory ID of the directory that you want to use for authentication. It is listed in the properties section of the Active Directory page.
Copy the Directory ID.
Sign in to the Azure portal as a user that is assigned the Global administrator role.
Next, give admin consent. Copy and paste the URL that pertains to your deployment location in the address bar of your browser:
Public
https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consentAzure Government
https://login.microsoftonline.us/common/oauth2/authorize?client_id=51bb15d4-3a4f-4ebf-9dca-40096fe32426&response_type=code&redirect_uri=https://portal.azure.us&nonce=1234&prompt=admin_consentMicrosoft Cloud Germany
https://login-us.microsoftonline.de/common/oauth2/authorize?client_id=538ee9e6-310a-468d-afef-ea97365856a9&response_type=code&redirect_uri=https://portal.microsoftazure.de&nonce=1234&prompt=admin_consentAzure China 21Vianet
https://login.chinacloudapi.cn/common/oauth2/authorize?client_id=49f817b6-84ae-4cc0-928c-73f27289b3aa&response_type=code&redirect_uri=https://portal.azure.cn&nonce=1234&prompt=admin_consentSelect the Global Admin account if prompted.
Select Accept when prompted.
Under your Azure AD, in Enterprise applications, you see Azure VPN listed.
If you don't already have a functioning point-to-site environment, follow the instruction to create one. See Create a point-to-site VPN to create and configure a point-to-site VPN gateway.
Important
The Basic SKU is not supported for OpenVPN.
Enable Azure AD authentication on the VPN gateway by navigating to Point-to-site configuration and picking OpenVPN (SSL) as the Tunnel type. Select Azure Active Directory as the Authentication type then fill in the information under the Azure Active Directory section.
Note
Make sure you include a trailing slash at the end of the
AadIssuerUrivalue. Otherwise, the connection may fail.Create and download the profile by clicking on the Download VPN client link.
Extract the downloaded zip file.
Browse to the unzipped “AzureVPN” folder.
Make a note of the location of the “azurevpnconfig.xml” file. The azurevpnconfig.xml contains the setting for the VPN connection and can be imported directly into the Azure VPN Client application. You can also distribute this file to all the users that need to connect via e-mail or other means. The user will need valid Azure AD credentials to connect successfully.
Next steps
In order to connect to your virtual network, you must create and configure a VPN client profile. See Configure a VPN client for P2S VPN connections.