Step 7.3. Configure the conditional access policy

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows 10

In this step, you configure the conditional access policy for VPN connectivity. When the first root certificate is created in the 'VPN connectivity' blade, a 'VPN Server' cloud application is automatically created in the tenant; this is the application the policy is scoped to.

Create a Conditional Access policy that is assigned to the VPN users group and scoped to the VPN Server cloud app:

  • Users: VPN Users
  • Cloud App: VPN Server
  • Grant (access control): 'Require multi-factor authentication'. Other controls can be used if desired.

Procedure: This step covers the creation of the most basic Conditional Access policy. If desired, additional conditions and controls can be added.

  1. On the Conditional Access page, in the toolbar on the top, select Add.

  2. On the New page, in the Name box, enter a name for your policy. For example, enter VPN policy.

  3. In the Assignment section, select Users and groups.

  4. On the Users and groups page, perform the following steps:

    a. Select Select users and groups.

    b. Select Select.

    c. On the Select page, select the VPN users group, and then select Select.

    d. On the Users and groups page, select Done.

  5. On the New page, perform the following steps:

    a. In the Assignments section, select Cloud apps.

    b. On the Cloud apps page, select Select apps.

    c. Select VPN Server.

  6. On the New page, to open the Grant page, in the Controls section, select Grant.

  7. On the Grant page, perform the following steps:

    a. Select Require multi-factor authentication.

    b. Select Select.

  8. On the New page, under Enable policy, select On.

  9. On the New page, select Create.
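The same policy created with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original article. It assumes the Microsoft.Graph module is installed, that the signed-in account can consent to the listed permission scopes, and that the 'VPN users' group and the 'VPN Server' cloud app already exist in the tenant; the policy name 'VPN policy' is the one used in the steps above.

```powershell
# Added example: build the VPN Conditional Access policy through Microsoft Graph.
# Assumes the Microsoft.Graph module is installed and the account can grant these scopes.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Group.Read.All','Application.Read.All'

# Conditional Access references objects by ID, not by display name, so resolve both first.
$vpnGroup = @(Get-MgGroup -Filter "displayName eq 'VPN users'")
$vpnApp   = @(Get-MgServicePrincipal -Filter "displayName eq 'VPN Server'")
if ($vpnGroup.Count -ne 1) {
    throw "Expected exactly one 'VPN users' group, found $($vpnGroup.Count)."
}
if ($vpnApp.Count -ne 1) {
    throw "Expected exactly one 'VPN Server' app, found $($vpnApp.Count). Create the VPN root certificate first."
}

# Policy body: users = VPN users group, cloud app = VPN Server, grant = require MFA.
# 'includeApplications' takes the application (client) ID, not the service principal object ID.
$policy = @{
    displayName   = 'VPN policy'
    state         = 'enabled'   # use 'enabledForReportingButNotEnforced' to pilot in report-only mode first
    conditions    = @{
        users        = @{ includeGroups        = @($vpnGroup[0].Id) }
        applications = @{ includeApplications  = @($vpnApp[0].AppId) }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm scope and control match what the article asks for.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
[pscustomobject]@{
    Name   = $check.DisplayName
    State  = $check.State
    Groups = $check.Conditions.Users.IncludeGroups
    Apps   = $check.Conditions.Applications.IncludeApplications
    Grant  = $check.GrantControls.BuiltInControls
}
```

Running the read-back at the end is the check a reviewer wants: the policy should show state 'enabled', the VPN users group ID, the VPN Server app ID, and 'mfa' as the only grant control.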

Next steps

Step 7.4. Deploy conditional access root certificates to on-premises AD: In this step, you deploy the conditional access root certificate as a trusted root certificate for VPN authentication to your on-premises AD.