It was Q4 2020 when I was asked to design a new Modern Workspace concept. The customer had no on-premises hardware/resources and wanted us to migrate everything into Azure. Because of the services they where using, a VPN connection to Azure was then required. Different options passed trough my mind but I decided to go for Azure Virtual Network Gateway. I really wanted this because the Azure AD identity provider support for authentication.
The endpoints are Azure AD joined, deployed via Autopilot and managed by Intune. We picked Azure VPN client for the connection and deployed a VPN profile in it via Endpoint Manager (Intune). Are u curious how it’s done? Continue reading!
Note: Most settings are default cause these are good enough for this demo and/or regular organizations. Depending on the bandwidth, total connections and/or speed requirements these settings can be different.
Create Virtual Network Gateway
- Create a resource group in Azure and click Create.
2. Search for Virtual network gateway, click Create.
Creating the virtual network gateway is straight forward. The Basic SKU would be good enough but in this case I picked VpnGW1. Different SKU’s are available but pricing increases every step. A quick view on pricing can be found here.
Note: OpenVPN is not available in the Basic SKU!
3. Create virtual network gateway
I assume that there’s no Virtual Network available yet and thus we create one via the Virtual Network Gateway creation wizard. For this demo the default address space and subnet is fine.
4. Create virtual network
5. Continue creating the virtual network gateway. Click Review + create to continue.
Here’s a quick summary of the VPN Gateway I’m creating and using for this demo. Click Create and wait until the VPN Gateway is deployed.
Note: I’ve seen deployments which took over 45 minutes to complete. I’m not 100 percent sure but if I remember right, this had something to do with registering a new public IP. If u have a public IP already this could be way faster. In my case it took 35 minutes to complete.
Azure VPN Enterprise App
First, we have to enable Azure AD Authentication to this Azure VPN Gateway. Therefor we have to add a specific Enterprise App and grant consent to it. Therefor u have to open one of the following URL’s which is depending on the current type of tenant you are using.
Azure Gov: https://login.microsoftonline.us/common/oauth2/authorize?client_id=51bb15d4-3a4f-4ebf-9dca-40096fe32426&response_type=code&redirect_uri=https://portal.azure.us&nonce=1234&prompt=admin_consent
Azure Germany: https://login-us.microsoftonline.de/common/oauth2/authorize?client_id=538ee9e6-310a-468d-afef-ea97365856a9&response_type=code&redirect_uri=https://portal.microsoftazure.de&nonce=1234&prompt=admin_consent
Azure China: https://login.chinacloudapi.cn/common/oauth2/authorize?client_id=49f817b6-84ae-4cc0-928c-73f27289b3aa&response_type=code&redirect_uri=https://portal.azure.cn&nonce=1234&prompt=admin_consent
6. Open the URL which belongs to your type of tenant and logon with a Global Admin account. Accept the requested permissions.
Once accepted, you should see the following Enterprise App in the Azure portal. Copy the application ID (41b23e61-6c1e-4545-b367-cd054e0ed4b4), we need this in the following step!
7. Open your your Virtual Network Gateway -> Point-to-site configuration -> Configure now
8. Configure the following settings.
- Address pool: The client VPN connections are receiving an IP in this range.
- Tunnel type: OpenVPN (SSL)
- Authentication type: Azure Active Directory
- Tenant: https://login.microsoftonline.com/9b508669-d87d-****-****-**********/ (Tenant ID)
- Audience: 41b23e61-6c1e-4545-b367-cd054e0ed4b4 (Enterprise App ID from step before)
- Issuer: https://sts.windows.net/9b508669-d87d-****-****-**********/ (Tenant ID)
Deploy the Azure VPN client via Intune / Endpoint Manager
9. Switch to Endpoint Manager / Intune: https://endpoint.microsoft.com. Add the Azure VPN client which can be found in the Microsoft Store for Business. Make sure the Endpoint Manager / Store for Business integration is configured.
After u requested the app Endpoint Manager / Intune needs some time to be available within the Endpoint Manager Apps list. U can try to speed up the process by forcing a sync.
10. If the Azure VPN Client application is available you should deploy it to your endpoints by group assignments. I recommended to use a device group for this application.
Prepare VPN Profile config
The VPN profile is a XML file with specific settings. This XML file is being deployed via Intune. Before we can deploy the XML we have to configure it. I’ll share a custom XML file below which needs to be modified! Read the steps below carefully!
11. Download the VPN Client and unpack the .zip file
12. Grab my Example VPN Profile from my Github and make the following modifications:
- Line 5: Modify the <TrustedNetworkDetection> setting to the DNS suffix, your DHCP server is sending out to your clients. This will be used to determine if a device is connected to the internal network or external. For example: contoso.local.
- Line 9: Modify the <ServerUrlList> setting. This value can be found in the Generic/VpnSettings.xml file which is in the downloaded .zip file from step 11.
- Line 18: Modify the <issuer> setting https://sts.windows.net/TENANTID/. This can Also be found in (see step 8)
- Line 19: Modify the <tenant> setting https://login.microsoftonline.com/TENANTID/. This can Also be found in (see step 8)
- Line 31: Modify the <name> setting. This is the VNET name which is created in step 4. For example: VNET1.
- Line 41: Modify the <fqdn> setting. This value can be found in the AzureVPN/azurevpnconfig.xml file which is in the downloaded .zip file from step 11.
- Line 46: Modify the <hash> setting. This value can be found in the AzureVPN/azurevpnconfig.xml file which is in the downloaded .zip file from step 11.
- Line 50: Modify the <serversecret> setting. This value can be found in the AzureVPN/azurevpnconfig.xml file which is in the downloaded .zip file from step 11.
Save your custom VPN profile as .XML and keep it somewhere safe! 🙂
Deploy VPN profile via Intune / Endpoint Manager
13. Switch to Endpoint Manager / Intune: https://endpoint.microsoft.com -> Devices -> Create Profile
14. Pick Windows 10 and later as platform and Templates as profile type. Click template name Custom.
15. Give your profile a name
16. Create a new OMA-URI Setting. I’m not sure if spacing is allowed in the fifth section. We have used – within all words. This is the profile name which is shown in the end-user device and Azure VPN client.
- Name: AO VPN Azure AD
- Description: Optional
- OMA-URI: ./User/Vendor/MSFT/VPNv2/Contoso-AO-VPN/ProfileXML
- Data type: String (XML file)
- Custom: XML: Import your VPN Profile XML file created in step 12.
17. Assign the configuration profile to a user group and wait until the profile is deployed.
Endpoint – User Experience
While the Azure VPN Client and VPN profile are deployed into the Endpoints, users will be required to follow the following steps.
18. Authentication with Azure AD (identity provider) is required. Click continue.
19. The VPN connection will now show disconnected. Click Connect.
20. Select the current logged on user account. Accept the MFA request (when CA/MFA is configured). If you don’t get a required MFA response you should have a look into this article. I recommend MFA for this kind of connections/apps.
21. When everything went ok, the connection will establish and stays connected. Keep in mind that the VPN connection will disconnect immediately if your DNS suffix matches the <TrustedNetworkDetection> in your VPN profile. Because of this you should test the Azure VPN connection via 4G/5G or remotely.
If your endpoints are connected to the Azure VPN Gateway, they will report their current IP addresses into the Point-to-site configuration dashboard.
9 thoughts on “Implement (Always On) Azure VPN Gateway, Deploy Azure VPN Client and VPN profile via Intune”
This is great, definitely adding this to my arsenal! Would be interested in getting this setup with Azure Certificate authentication also.
I know someone who’s working this concept with certificates. I’ll reply to your comment as soon as his blog is published. Give it a few days.
Here is the blog with certificate authentication. Maybe this is what u are looking for?
Really glad this is up and becomes useful to everyone!
Many thanks, saved me from the fuss with the config. Microsoft implement normal import, not through one place…
Hello, I have an Azure AD join device and want to use the method above to establish an always on VPN connection during autopilot before the user login. Can this we done?
The reason why I want to establish an automatic vpn connection is so my power shell script runs at logon to map network drives.
No, this is not the correct method. This is a user VPN. You probably need a devicd VPN. This could be done with a NPS server in your backend. Use google for “Azure AD device VPN” and i’m sure you will find something that works.
Really appreciate the guide, everything seems to be working as intended. We’d hoped to not be working with DNS-suffixes however, and rather use IP-ranges. Do you think it’s possible to design a VPN-profile that enables autoconnect if connected from an IP not in a set range?
Again, greatly appreciate the work. It has been of great help so far!
I actually don’t know.. I’m sorry. most common is using the dnssufffix.