Configure an Azure AD tenant for P2S OpenVPN protocol connections
When you connect to your VNet using the Azure VPN Gateway point-to-site VPN, you have a choice of which protocol to use. The protocol you use determines the authentication options that are available to you. If you're using the OpenVPN protocol, Azure Active Directory authentication is one of the authentication options available for you to use. This article helps you configure your AD tenant and P2S VPN gateway for Azure AD authentication. For more information about point-to-site protocols and authentication, see About point-to-site VPN.
Note
Azure AD authentication is supported only for OpenVPN® protocol connections and requires the Azure VPN Client.
1. Verify Azure AD tenant
Verify that you have an Azure AD tenant. If you don't have an Azure AD tenant, you can create one using the steps in the Create a new tenant article. Note the following fields when creating your directory:
- Organizational name
- Initial domain name
2. Create Azure AD tenant users
Create two accounts in the newly created Azure AD tenant. For steps, see Add or delete a new user.
- Global administrator account
- User account
The global administrator account will be used to grant consent to the Azure VPN app registration. The user account can be used to test OpenVPN authentication.
Assign one of the accounts the Global administrator role. For steps, see Assign administrator and non-administrator roles to users with Azure Active Directory.
3. Enable Azure AD authentication on the VPN gateway
Enable the application
Sign in to the Azure portal as a user that is assigned the Global administrator role.
Next, grant admin consent for your organization. This allows the Azure VPN application to sign in and read user profiles. Copy and paste the URL that pertains to your deployment location in the address bar of your browser:
Public
https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent
Azure Government
https://login-us.microsoftonline.com/common/oauth2/authorize?client_id=51bb15d4-3a4f-4ebf-9dca-40096fe32426&response_type=code&redirect_uri=https://portal.azure.us&nonce=1234&prompt=admin_consent
Microsoft Cloud Germany
https://login-us.microsoftonline.de/common/oauth2/authorize?client_id=538ee9e6-310a-468d-afef-ea97365856a9&response_type=code&redirect_uri=https://portal.microsoftazure.de&nonce=1234&prompt=admin_consent
Azure China 21Vianet
https://login.chinacloudapi.cn/common/oauth2/authorize?client_id=49f817b6-84ae-4cc0-928c-73f27289b3aa&response_type=code&redirect_uri=https://portal.azure.cn&nonce=1234&prompt=admin_consent
Note
If you're using a global admin account that is not native to the Azure AD tenant to provide consent, replace "common" with the Azure AD tenant ID in the URL. You may also have to replace "common" with your tenant ID in certain other cases as well. For help with finding your tenant ID, see How to find your Azure Active Directory tenant ID.
Select the account that has the Global administrator role if prompted.
On the Permissions requested page, select Accept.
Go to Azure Active Directory. In the left pane, click Enterprise applications. You'll see Azure VPN listed.
Configure P2S gateway settings
Locate the tenant ID of the directory that you want to use for authentication. It's listed in the properties section of the Active Directory page. For help with finding your tenant ID, see How to find your Azure Active Directory tenant ID.
If you don't already have a functioning point-to-site environment, follow the instructions to create one. See Create a point-to-site VPN to create and configure a point-to-site VPN gateway.
Important
The Basic SKU is not supported for OpenVPN.
Enable Azure AD authentication on the VPN gateway by navigating to Point-to-site configuration and picking OpenVPN (SSL) as the Tunnel type. Select Azure Active Directory as the Authentication type, then fill in the information under the Azure Active Directory section. Replace {AzureAD TenantID} with your tenant ID.
Tenant: TenantID for the Azure AD tenant
- Enter https://login.microsoftonline.com/{AzureAD TenantID}/ for Azure Public AD
- Enter https://login.microsoftonline.us/{AzureAD TenantID}/ for Azure Government AD
- Enter https://login-us.microsoftonline.de/{AzureAD TenantID}/ for Azure Germany AD
- Enter https://login.chinacloudapi.cn/{AzureAD TenantID}/ for China 21Vianet AD
Audience: Application ID of the "Azure VPN" Azure AD Enterprise App
- Enter 41b23e61-6c1e-4545-b367-cd054e0ed4b4 for Azure Public
- Enter 51bb15d4-3a4f-4ebf-9dca-40096fe32426 for Azure Government
- Enter 538ee9e6-310a-468d-afef-ea97365856a9 for Azure Germany
- Enter 49f817b6-84ae-4cc0-928c-73f27289b3aa for Azure China 21Vianet
Issuer: URL of the Secure Token Service
https://sts.windows.net/{AzureAD TenantID}/
Note
Make sure you include a trailing slash at the end of the Issuer (AadIssuerUri) value. Otherwise, the connection may fail.
Save your changes.
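The consent URLs above and the Tenant/Audience/Issuer values the gateway expects differ only by cloud and tenant ID, so it is easy to mix a cloud's audience with another cloud's authority or to drop the trailing slash on the issuer. The following script is an added example (not part of this article or the Azure VPN Client) that builds the admin-consent URL for a given cloud and checks a gateway's Azure AD settings against the values listed in this article; the cloud keys, function names and the tenant ID used in comments are my own.

```python
import re

# Per-cloud values taken from this article: consent authority, tenant
# authority for the P2S gateway, portal redirect URI, and the "Azure VPN"
# enterprise app ID that goes in the Audience field.
CLOUDS = {
    "public": {"consent": "https://login.microsoftonline.com",
               "tenant_authority": "https://login.microsoftonline.com",
               "portal": "https://portal.azure.com",
               "audience": "41b23e61-6c1e-4545-b367-cd054e0ed4b4"},
    "usgov": {"consent": "https://login-us.microsoftonline.com",
              "tenant_authority": "https://login.microsoftonline.us",
              "portal": "https://portal.azure.us",
              "audience": "51bb15d4-3a4f-4ebf-9dca-40096fe32426"},
    "germany": {"consent": "https://login-us.microsoftonline.de",
                "tenant_authority": "https://login-us.microsoftonline.de",
                "portal": "https://portal.microsoftazure.de",
                "audience": "538ee9e6-310a-468d-afef-ea97365856a9"},
    "china": {"consent": "https://login.chinacloudapi.cn",
              "tenant_authority": "https://login.chinacloudapi.cn",
              "portal": "https://portal.azure.cn",
              "audience": "49f817b6-84ae-4cc0-928c-73f27289b3aa"},
}
GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def consent_url(cloud, tenant_id=None):
    """Admin-consent URL for the Azure VPN app. Pass tenant_id when the
    admin account is not native to the tenant, which replaces 'common'."""
    c = CLOUDS[cloud]
    path = tenant_id if tenant_id else "common"
    return (f"{c['consent']}/{path}/oauth2/authorize?client_id={c['audience']}"
            f"&response_type=code&redirect_uri={c['portal']}"
            "&nonce=1234&prompt=admin_consent")


def check_p2s_aad_settings(cloud, tenant_id, tenant, audience, issuer):
    """Return a list of problems with the gateway's Tenant/Audience/Issuer
    values (empty list means they match this article for that cloud)."""
    c = CLOUDS[cloud]
    problems = []
    if not GUID.match(tenant_id.lower()):
        problems.append("tenant ID is not a GUID")
    if tenant != f"{c['tenant_authority']}/{tenant_id}/":
        problems.append("Tenant must be <authority>/<tenant ID>/ for this cloud")
    if audience.lower() != c["audience"]:
        problems.append("Audience is not the Azure VPN app ID for this cloud")
    if issuer != f"https://sts.windows.net/{tenant_id}/":
        problems.append("Issuer must be https://sts.windows.net/<tenant ID>/ with a trailing slash")
    return problems
```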
Create and download the profile by clicking on the Download VPN client link.
Extract the downloaded zip file.
Browse to the unzipped “AzureVPN” folder.
Make a note of the location of the “azurevpnconfig.xml” file. The azurevpnconfig.xml file contains the settings for the VPN connection and can be imported directly into the Azure VPN Client application. You can also distribute this file to all the users that need to connect, via e-mail or other means. The user will need valid Azure AD credentials to connect successfully.
Next steps
Create and configure a VPN client profile. See Configure a VPN client for P2S VPN connections.