| title | titleSuffix | description | author | ms.service | ms.topic | ms.date | ms.author |
|---|---|---|---|---|---|---|---|
Configure P2S VPN gateway for Microsoft Entra ID authentication - manually registered App |
Azure VPN Gateway |
Learn how to set up a Microsoft Entra tenant and P2S gateway for P2S Microsoft Entra authentication - OpenVPN protocol. |
cherylmc |
vpn-gateway |
how-to |
05/15/2024 |
cherylmc |
This article helps you configure your Microsoft Entra tenant and point-to-site (P2S) VPN Gateway settings for Microsoft Entra ID authentication. For more information about point-to-site protocols and authentication, see About VPN Gateway point-to-site VPN. To authenticate using Microsoft Entra ID authentication, you must include the OpenVPN tunnel type in your point-to-site configuration.
[!INCLUDE OpenVPN note]
The steps in this article require a Microsoft Entra tenant. If you don't have a Microsoft Entra tenant, you can create one using the steps in the Create a new tenant article. Note the following fields when creating your directory:
- Organizational name
- Initial domain name
If you already have an existing P2S gateway, the steps in this article help you configure the gateway for Microsoft Entra ID authentication. You can also create a new VPN gateway. The link to create a new gateway is included in this article.
[!INCLUDE OpenVPN note]
-
Create two accounts in the newly created Microsoft Entra tenant. For steps, see Add or delete a new user.
- Global administrator account
- User account
The global administrator account will be used to grant consent to the Azure VPN app registration. The user account can be used to test OpenVPN authentication.
-
Assign one of the accounts the Global administrator role. For steps, see Assign administrator and non-administrator roles to users with Microsoft Entra ID.
[!INCLUDE Steps to authorize the Azure VPN app]
Important
[!INCLUDE Entra ID note for portal pages]
-
Locate the tenant ID of the directory that you want to use for authentication. It's listed in the properties section of the Active Directory page. For help with finding your tenant ID, see How to find your Microsoft Entra tenant ID.
-
If you don't already have a functioning point-to-site environment, follow the instruction to create one. See Create a point-to-site VPN to create and configure a point-to-site VPN gateway. When you create a VPN gateway, the Basic SKU isn't supported for OpenVPN.
-
Go to the virtual network gateway. In the left pane, click Point-to-site configuration.
:::image type="content" source="./media/openvpn-create-azure-ad-tenant/configuration.png" alt-text="Screenshot showing settings for Tunnel type, Authentication type, and Microsoft Entra settings.":::
Configure the following values:
- Address pool: client address pool
- Tunnel type: OpenVPN (SSL)
- Authentication type: Microsoft Entra ID
For Microsoft Entra ID values, use the following guidelines for Tenant, Audience, and Issuer values. Replace {TenantID} with your tenant ID, taking care to remove {} from the examples when you replace this value.
-
Tenant: TenantID for the Microsoft Entra tenant. Enter the tenant ID that corresponds to your configuration. Make sure the Tenant URL doesn't have a
\(backslash) at the end. Forward slash is permissible.- Azure Public AD:
https://login.microsoftonline.com/{TenantID} - Azure Government AD:
https://login.microsoftonline.us/{TenantID} - Azure Germany AD:
https://login-us.microsoftonline.de/{TenantID} - China 21Vianet AD:
https://login.chinacloudapi.cn/{TenantID}
- Azure Public AD:
-
Audience: The Application ID of the "Azure VPN" Microsoft Entra Enterprise App.
- Azure Public:
41b23e61-6c1e-4545-b367-cd054e0ed4b4 - Azure Government:
51bb15d4-3a4f-4ebf-9dca-40096fe32426 - Azure Germany:
538ee9e6-310a-468d-afef-ea97365856a9 - Microsoft Azure operated by 21Vianet:
49f817b6-84ae-4cc0-928c-73f27289b3aa
- Azure Public:
-
Issuer: URL of the Secure Token Service. Include a trailing slash at the end of the Issuer value. Otherwise, the connection might fail. Example:
https://sts.windows.net/{TenantID}/
-
Once you finish configuring settings, click Save at the top of the page.
In this section, you generate and download the Azure VPN Client profile configuration package. This package contains the settings that you can use to configure the Azure VPN Client profile on client computers.
[!INCLUDE Azure VPN Client profile configuration package]
- To connect to your virtual network, you must configure the Azure VPN client on your client computers. See Configure a VPN client for P2S VPN connections- Windows or Configure a VPN client for P2S VPN connections- macOS.
- For frequently asked questions, see the Point-to-site section of the VPN Gateway FAQ.