Microsoft Azure Active Directory (AAD) Authentication To Connect Point-To-Site VPN

Introduction

This blog will help you set Azure Active Directory level authentication to access Point-to-Site VPN from the user’s machine. It adds a level of security to your Azure infrastructure. The tunnel type should be Open VPN(SSL) to create the AAD authentication. This solution is helpful for end-users who want to connect to Azure VNets centers from a remote location, such as from home or a conference. You can also keep track of all the connections made to Azure VNet using P2S VPN with the help Azure Virtual Network gateway.

Prerequisites

• Virtual Network (VNet)
• VM inside above VNet
• Azure AD Tenant

Configuring Virtual Network gateway

3. Login to Azure Portal
4. Go to Virtual Network Gateway service from Azure portal and click on create to fill the data
5. mayank-MPN is the subscription, VGW-Dev as gateway name, now select the region of your Virtual Network, after that Virtual Network will automatically appear into the Virtual Network Section, SKU as VpnGw1 (includes max 250 connections with 640 Mbps throughput) and keep other options as the default shown in below screenshot.
   
6. Provide the gateway subnet range, or else it will automatically create based on CIDR, also created Public Ip named VGW-PIP-dev and keep other option as default mentioned in the below screenshot.
   
7. Provide appropriate tags for the resources. Now click on click + Create and then click on Review + create. 

Configuring AAD Authentication

1. Log in to the Azure portal as a user assigned the Global administrator access.
2. Go To Azure Active Directory Service. Under Properties, the page got to Tenant ID and copy it as shown in the below screenshot.
   
3. Next, Copy and paste the below URL in the browser the below URL is for Azure Public and add the Azure VPN application to your AAD https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent
   
   
4. Select the Global Admin account if prompted and accept the permission request.
5. Now in AAD under Enterprise application, Azure VPN application will be added
   
6. To add Azure AD authentication on the VPN gateway. First, go to Virtual Network gateway Service -> Point-to-Site configuration and select OpenVPN (SSL) as the Tunnel type. Next, select Azure Active Directory as the Authentication type, then provide the below information under the Azure Active Directory section.
   • Tenant: https://login.microsoftonline.com/{AzureAD TenantID}/
   • Audience ID (For Azure Public): 41b23e61-6c1e-4545-b367-cd054e0ed4b4
   • Issuer (For Secure token Service): https://sts.windows.net/{AzureAD TenantID}/
7. Click on Save and then click on Download VPN client to download file.
   
8. Extract the downloaded zip file and browse to the unzipped “AzureVPN” folder.
9. Location of the “azurevpnconfig.xml” file from the extracted folder. The azurevpnconfig.xml contains the setting for the VPN connection and can be imported directly into the Azure VPN Client application. The user will need valid Azure AD credentials from your tenant to connect successfully.
   

Checking the VPN Connection

1. Now Open Microsoft store and download Azure VPN Client, and open it once downloaded
   
2. Open the Azure VPN Client and click on Import as shown in the below screenshot
   
3. Now Select the azurevpnconfig file which we received while extracting the folder in the above steps. After that, click on save
   
4. Now click on connect to connect with VPN using Azure AD credentials
   
5. After that select your Azure AD account and click on Continue
   
   
6. Once it gets connected successfully the icon will turn green and display connected
   
7. You can now check that your machine will receive IP from the Point-to-Site Address poll
   
8. Now you can RDP into the Azure VM using VMs Private IP for me it is 10.2.1.4
   

Conclusion

A VPN connection establishes a secure connection between you and the internet. A P2S connection is established by starting it from the client’s computer. With the help of Azure Active Directory (AAD) security benefits, you can centrally create and manage users across your hybrid enterprise, keeping users, groups, and devices synchronized. Provide SSO access to your end applications with an additional layer of security and easy management.

About CloudThat