Azure Point-to-Site VPN with Azure AD Authentication and MFA

This video goes over how to deploy an Azure VNet Gateway on an existing VNet and enable Point-to-Site (P2S) VPN connections using Azure AD to authenticate the client. A P2S connection allows clients to connect securely to an Azure Gateway and access resources on the private VNet. The video goes on to demonstrate how to enable Multi-Factor Authentication with a Conditional Access policy or by enforcing MFA per user.

Links

Azure P2S VPN with Certificate Authentication:
https://www.ciraltos.com/azure-point-to-site-vpn-with-certificate-based-authentication/

Link to Grant Admin Consent:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

Azure AD Configuration Settings (Tenant, Audience, Issuer)

Tenant:
https://login.microsoftonline.com/<Tenant_ID>/

Audience:
41b23e61-6c1e-4545-b367-cd054e0ed4b4

Issuer:
https://sts.windows.net/<Tenant_ID>/

Source Link (Step 9)
https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant
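The three values above have to be entered exactly as shown (trailing slashes, matching tenant ID, the fixed Azure VPN application ID), and a typo shows up only as a failed client sign-in. The script below is an added example, not code from the video or from ciraltos.com: it derives the Tenant and Issuer values from a tenant ID, checks a tenant/audience/issuer triple the way the gateway expects it, and prints the Azure CLI command that applies the settings. It assumes the gateway already exists with OpenVPN as the tunnel type; the resource group, gateway name and tenant ID are placeholders.

```shell
#!/bin/sh
# Added example (not from the video or ciraltos.com): build, check and apply
# the Azure AD P2S settings. Resource names and tenant ID are placeholders.

# Well-known application ID of the Azure VPN enterprise app (value from the page).
AZURE_VPN_AUDIENCE="41b23e61-6c1e-4545-b367-cd054e0ed4b4"
LOGIN_BASE="https://login.microsoftonline.com/"
STS_BASE="https://sts.windows.net/"

# Succeeds when $1 is a GUID (Azure AD tenant IDs and application IDs are GUIDs).
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

tenant_uri() { printf '%s%s/' "$LOGIN_BASE" "$1"; }
issuer_uri() { printf '%s%s/' "$STS_BASE" "$1"; }

# Validate a tenant/audience/issuer triple: the tenant URL must have the
# expected base and trailing slash and carry a GUID, the issuer must name the
# same tenant, and the audience must be the Azure VPN app ID.
# Prints "ok" on success; otherwise prints the reason and returns 1.
check_p2s_aad_settings() {
  tenant="$1"; audience="$2"; issuer="$3"
  case "$tenant" in
    "$LOGIN_BASE"*/) ;;
    *) echo "tenant must be ${LOGIN_BASE}<Tenant_ID>/"; return 1 ;;
  esac
  tid="${tenant#$LOGIN_BASE}"; tid="${tid%/}"
  is_guid "$tid" || { echo "tenant URL does not contain a tenant GUID"; return 1; }
  [ "$issuer" = "$(issuer_uri "$tid")" ] || { echo "issuer must be ${STS_BASE}${tid}/"; return 1; }
  [ "$audience" = "$AZURE_VPN_AUDIENCE" ] || { echo "audience is not the Azure VPN app ID"; return 1; }
  echo ok
}

# Print (do not run) the CLI command that assigns the settings to the gateway.
# Arguments: resource group, gateway name, tenant ID.
aad_assign_cmd() {
  printf 'az network vnet-gateway aad assign --resource-group %s --gateway-name %s --tenant %s --audience %s --issuer %s\n' \
    "$1" "$2" "$(tenant_uri "$3")" "$AZURE_VPN_AUDIENCE" "$(issuer_uri "$3")"
}

# Usage with placeholder names and a constructed tenant ID (not a real tenant).
aad_assign_cmd rg-vpn vnetgw-p2s 11111111-2222-3333-4444-555555555555
```

Paste the printed command into a shell where `az login` has already been run, or copy the same three values into the gateway's Point-to-site configuration blade.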

One thought on “Azure Point-to-Site VPN with Azure AD Authentication and MFA”

  1. This was a great video, thank you. I had struggled to find a way to integrate Azure P2S with MFA. The only downside is the ‘mfa claim satisfied by token’ issue with Azure tokens. It's good to share tokens for some cases, but it restricts the ability to FORCE MFA every time with CAPs. You can see this in the AAD sign-in logs. Have you seen a workaround to enforce MFA every single time with enterprise apps + CAPs by chance?
