It was Q4 2020 when I was asked to design a new Modern Workspace concept. The customer had no on-premises hardware or resources and wanted us to migrate everything into Azure. Because of the services they were using, a VPN connection to Azure was required. Different options passed through my mind, but I decided to go for an Azure Virtual Network Gateway, mainly because it supports Azure AD as the identity provider for authentication.
The endpoints are Azure AD joined, deployed via Autopilot and managed by Intune. We picked the Azure VPN Client for the connection and deployed a VPN profile for it via Endpoint Manager (Intune). Are you curious how it's done? Continue reading!
Note: Most settings are left at their defaults because these are good enough for this demo and for regular organizations. Depending on bandwidth, the total number of connections and/or speed requirements, these settings may differ.
Create Virtual Network Gateway
1. Create a resource group in Azure and click Create.
2. Search for Virtual network gateway, click Create.
Creating the virtual network gateway is straightforward. The Basic SKU is the cheapest, but it does not fit this design (see the note below), so I picked VpnGw1. Different SKUs are available, but pricing increases with every step. A quick view on pricing can be found here.
Note: OpenVPN is not available in the Basic SKU, and Azure AD authentication only works over the OpenVPN tunnel type, so you need VpnGw1 or higher for this setup!
3. Create virtual network gateway
I assume that there is no Virtual Network available yet, so we create one via the Virtual Network Gateway creation wizard. For this demo the default address space and subnet are fine.
4. Create virtual network
5. Continue creating the virtual network gateway. Click Review + create to continue.
Here’s a quick summary of the VPN Gateway I’m creating and using for this demo. Click Create and wait until the VPN Gateway is deployed.
Note: I've seen deployments that took over 45 minutes to complete. I'm not 100 percent sure, but if I remember right this had something to do with registering a new public IP. If you already have a public IP, this could be much faster. In my case it took 35 minutes to complete.
Azure VPN Enterprise App
First, we have to enable Azure AD authentication on this Azure VPN Gateway. To do so, we have to register the Azure VPN enterprise application in the tenant and grant admin consent to it. Open the URL that matches the cloud your tenant lives in. Keep in mind that these URLs trigger a tenant-wide admin consent for the Microsoft-owned Azure VPN application (the client_id in the URL); only use the application IDs published by Microsoft and check that the consent prompt names the Azure VPN application before accepting.
Public: https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent
Azure Gov: https://login.microsoftonline.us/common/oauth2/authorize?client_id=51bb15d4-3a4f-4ebf-9dca-40096fe32426&response_type=code&redirect_uri=https://portal.azure.us&nonce=1234&prompt=admin_consent
Azure Germany: https://login-us.microsoftonline.de/common/oauth2/authorize?client_id=538ee9e6-310a-468d-afef-ea97365856a9&response_type=code&redirect_uri=https://portal.microsoftazure.de&nonce=1234&prompt=admin_consent
Azure China: https://login.chinacloudapi.cn/common/oauth2/authorize?client_id=49f817b6-84ae-4cc0-928c-73f27289b3aa&response_type=code&redirect_uri=https://portal.azure.cn&nonce=1234&prompt=admin_consent
6. Open the URL that belongs to your tenant type and sign in with a Global Administrator account. Review the requested permissions, confirm the prompt is for the Azure VPN application, and accept.
Once accepted, you should see the following Enterprise App in the Azure portal. Copy the application ID (41b23e61-6c1e-4545-b367-cd054e0ed4b4); we need it in the following step!
Point-to-site configuration
7. Open your Virtual Network Gateway -> Point-to-site configuration -> Configure now
8. Configure the following settings.
- Address pool: The range from which client VPN connections receive an IP. It must not overlap the VNet address space or any on-premises range you route over the tunnel.
- Tunnel type: OpenVPN (SSL)
- Authentication type: Azure Active Directory
- Tenant: https://login.microsoftonline.com/9b508669-d87d-****-****-**********/ (Tenant ID)
- Audience: 41b23e61-6c1e-4545-b367-cd054e0ed4b4 (Enterprise App ID from the previous step)
- Issuer: https://sts.windows.net/9b508669-d87d-****-****-**********/ (Tenant ID)
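The same point-to-site settings can be applied with Az PowerShell instead of the portal, which also lets you read the values back and compare them with what you put in the client profile later. This is an added example, not part of the original post; the resource group, gateway name, address pool and tenant ID are placeholders, and the audience is the Azure VPN enterprise app ID from step 6:

```powershell
# Added example (not from the original post): Az PowerShell equivalent of steps 7 and 8.
# Placeholders: resource group, gateway name, address pool and tenant ID.
$resourceGroup = 'rg-vpn-demo'
$gatewayName   = 'vgw-demo'
$tenantId      = '00000000-0000-0000-0000-000000000000'   # your tenant ID (step 8)
$audience      = '41b23e61-6c1e-4545-b367-cd054e0ed4b4'   # Azure VPN enterprise app (step 6)
$addressPool   = '172.16.201.0/24'                        # client pool; must not overlap the VNet

Connect-AzAccount -TenantId $tenantId | Out-Null

$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $resourceGroup -Name $gatewayName

# Azure AD authentication only works over OpenVPN, and OpenVPN is not offered on the Basic SKU.
if ($gw.Sku.Name -eq 'Basic') {
    throw 'The Basic SKU does not support OpenVPN; redeploy the gateway as VpnGw1 or higher.'
}

# Issuer and tenant URIs must carry the trailing slash exactly as the portal expects them.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool  $addressPool `
    -VpnClientProtocol     'OpenVPN' `
    -VpnAuthenticationType 'AAD' `
    -AadTenantUri          "https://login.microsoftonline.com/$tenantId/" `
    -AadAudienceId         $audience `
    -AadIssuerUri          "https://sts.windows.net/$tenantId/" | Out-Null

# Read the configuration back: these three values have to match the client profile byte for byte.
$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $resourceGroup -Name $gatewayName
$gw.VpnClientConfiguration | Select-Object AadTenant, AadAudience, AadIssuer, VpnClientProtocols
```

The final Select-Object is the check worth keeping: if the issuer or tenant URI on the gateway differs from the values you later paste into the profile XML (a missing trailing slash is the usual mistake), the client authenticates against Azure AD successfully and the gateway still rejects the token.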
Deploy the Azure VPN client via Intune / Endpoint Manager
9. Switch to Endpoint Manager / Intune: https://intune.microsoft.com. Add the Azure VPN Client, which can be found in the new Microsoft Store. Click Add -> Microsoft Store app (new).
Search for the Azure VPN Client App.
Click Next and assign the application for all devices or a specific group.
Prepare VPN Profile config
The VPN profile is an XML file with specific settings, and that XML file is deployed via Intune. Before we can deploy it we have to configure it. I'll share a custom XML file below that needs to be modified! Read the steps below carefully!
10. On the Point-to-site configuration page of the gateway, click Download VPN client and unpack the .zip file.
11. Grab my example VPN profile from my GitHub and make the following modifications:
- Line 5: Modify the <TrustedNetworkDetection> setting to the DNS suffix your DHCP server hands out to clients, for example contoso.local. The client uses this to decide whether it is on the internal network (VPN stays off) or external (VPN connects). Keep in mind that this is a convenience check, not a security boundary: any network that hands out the same DNS suffix via DHCP keeps the VPN disconnected, so do not rely on it to force traffic through the tunnel.
- Line 9: Modify the <ServerUrlList> setting. This value can be found in the Generic/VpnSettings.xml file in the .zip downloaded in step 10.
- Line 18: Modify the <issuer> setting: https://sts.windows.net/TENANTID/. This is the same tenant ID you used in step 8.
- Line 19: Modify the <tenant> setting: https://login.microsoftonline.com/TENANTID/. This is the same tenant ID you used in step 8.
- Line 31: Modify the <name> setting. This is the VNet name created in step 4, for example VNET1.
- Line 41: Modify the <fqdn> setting. This value can be found in the AzureVPN/azurevpnconfig.xml file in the .zip downloaded in step 10.
- Line 46: Modify the <hash> setting. This value can be found in the AzureVPN/azurevpnconfig.xml file in the .zip downloaded in step 10.
- Line 50: Modify the <serversecret> setting. This value can be found in the AzureVPN/azurevpnconfig.xml file in the .zip downloaded in step 10.
Save your custom VPN profile as .XML and keep it somewhere safe! 🙂
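Copying seven values by hand between three XML files is where most deployment failures in this setup come from, so as an added example (not the author's template from GitHub) the script below reads the two files from the client package downloaded in step 10, checks the values against the tenant ID and app ID from step 8, and emits a ProfileXML in the shape the VPNv2 CSP expects for the Azure VPN Client: an <AlwaysOn> profile with a <PluginProfile> that embeds azurevpnconfig.xml inside <CustomConfiguration>. The package root path, DNS suffix and tenant ID are placeholders, and the package family name Microsoft.AzureVpn_8wekyb3d8bbwe is assumed here to be the Store identity of the Azure VPN Client; verify it on a device with Get-AppxPackage -Name Microsoft.AzureVpn before you deploy.

```powershell
# Added example (not the author's GitHub template): build and sanity-check the VPNv2 ProfileXML
# from the client package downloaded in step 10. Paths, DNS suffix and tenant ID are placeholders.

function Get-LocalNode([xml]$Doc, [string]$Name) {
    # Namespace-agnostic lookup, so the xmlns declarations in azurevpnconfig.xml do not matter.
    $node = $Doc.SelectSingleNode("//*[local-name()='$Name']")
    if (-not $node) { throw "Element <$Name> not found in the downloaded configuration" }
    return $node.InnerText.Trim()
}

function New-AzureVpnProfileXml {
    param(
        [Parameter(Mandatory)][string]$PackageRoot,              # folder where the .zip was unpacked
        [Parameter(Mandatory)][string]$TrustedNetworkDetection,  # DNS suffix from on-prem DHCP
        [Parameter(Mandatory)][string]$TenantId,                 # tenant ID used in step 8
        [string]$Audience = '41b23e61-6c1e-4545-b367-cd054e0ed4b4'   # Azure VPN app from step 6
    )
    [xml]$azureCfg = Get-Content -Raw (Join-Path $PackageRoot 'AzureVPN\azurevpnconfig.xml')
    [xml]$settings = Get-Content -Raw (Join-Path $PackageRoot 'Generic\VpnSettings.xml')

    $fqdn   = Get-LocalNode $azureCfg 'fqdn'
    $hash   = Get-LocalNode $azureCfg 'hash'
    $secret = Get-LocalNode $azureCfg 'serversecret'
    $issuer = Get-LocalNode $azureCfg 'issuer'
    $tenant = Get-LocalNode $azureCfg 'tenant'
    $aud    = Get-LocalNode $azureCfg 'audience'
    $server = Get-LocalNode $settings 'VpnServer'

    # Checks worth running before this file lands on every endpoint.
    if ($issuer -ne "https://sts.windows.net/$TenantId/") {
        throw "issuer '$issuer' does not belong to tenant $TenantId"
    }
    if ($tenant -ne "https://login.microsoftonline.com/$TenantId/") {
        throw "tenant '$tenant' does not belong to tenant $TenantId"
    }
    if ($aud -ne $Audience) {
        throw "audience '$aud' is not the Azure VPN enterprise app $Audience"
    }
    if ($hash -notmatch '^([0-9A-Fa-f]{40}|[0-9A-Fa-f]{64})$') {
        throw "server certificate hash '$hash' is not a hex thumbprint"
    }
    if ([string]::IsNullOrWhiteSpace($secret)) { throw 'serversecret is empty' }
    if ($fqdn -ne $server) {
        Write-Warning "fqdn '$fqdn' differs from VpnServer '$server'; check which one the gateway answers on"
    }

    # azurevpnconfig.xml goes in verbatim, minus its <?xml ?> declaration.
    $azureBody = $azureCfg.DocumentElement.OuterXml

    return @"
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <TrustedNetworkDetection>$TrustedNetworkDetection</TrustedNetworkDetection>
  <PluginProfile>
    <ServerUrlList>$server</ServerUrlList>
    <PluginPackageFamilyName>Microsoft.AzureVpn_8wekyb3d8bbwe</PluginPackageFamilyName>
    <CustomConfiguration>
$azureBody
    </CustomConfiguration>
  </PluginProfile>
</VPNProfile>
"@
}

# Usage: generate, prove the result is well-formed XML, then save it for step 15.
$profileXml = New-AzureVpnProfileXml -PackageRoot 'C:\Temp\VpnClient' `
    -TrustedNetworkDetection 'contoso.local' `
    -TenantId '00000000-0000-0000-0000-000000000000'
$null = [xml]$profileXml
Set-Content -Path 'C:\Temp\AzureVpnProfile.xml' -Value $profileXml -Encoding UTF8
```

The issuer and tenant comparisons are deliberately exact string matches, trailing slash included: the gateway validates the token issuer literally, and a profile that is off by one character produces a successful Azure AD sign-in followed by a connection failure that is hard to diagnose from the client side.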
Deploy VPN profile via Intune / Endpoint Manager
12. Switch to Endpoint Manager / Intune: https://intune.microsoft.com -> Devices -> Create Profile
13. Pick Windows 10 and later as platform and Templates as profile type. Select the Custom template.
14. Give your profile a name
15. Create a new OMA-URI setting. The fifth segment of the OMA-URI is the profile name that is shown on the end-user device and in the Azure VPN Client. Avoid spaces in it: the VPNv2 CSP documentation states that a profile name must not contain a forward slash and that non-alphanumeric characters have to be URL-encoded, so we used hyphens between words.
- Name: AO VPN Azure AD
- Description: Optional
- OMA-URI: ./User/Vendor/MSFT/VPNv2/Contoso-AO-VPN/ProfileXML
- Data type: String (XML file)
- Custom XML: Import the VPN profile XML file created in step 11.
16. Assign the configuration profile to a user group and wait until the profile is deployed.
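Steps 12 to 16 can also be done through Microsoft Graph, which is handy when the same profile has to be recreated in several tenants or rebuilt after a gateway change. This is an added example, not from the original post; it assumes the Microsoft.Graph PowerShell module is installed, the XML file from step 11 is at the path given, and the group ID is a placeholder for your user group:

```powershell
# Added example (not from the original post): create and assign the custom OMA-URI profile via Graph.
# Placeholders: XML path, profile name and target group ID.
$profileXmlPath = 'C:\Temp\AzureVpnProfile.xml'   # the file saved in step 11
$profileName    = 'Contoso-AO-VPN'                 # fifth OMA-URI segment; shown to the user as the connection name
$targetGroupId  = '00000000-0000-0000-0000-000000000000'   # Azure AD group of users who get the VPN

# Same rule as step 15: letters, digits and hyphens only, no spaces or slashes in the profile name.
if ($profileName -notmatch '^[A-Za-z0-9-]+$') {
    throw 'Use only letters, digits and hyphens in the profile name.'
}

$xml  = Get-Content -Raw $profileXmlPath
$null = [xml]$xml   # fail here, not on 500 devices, if the file is not well-formed XML

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null

# Windows 10 custom configuration carrying one String (XML) OMA-URI setting, as in step 15.
$body = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'AO VPN Azure AD'
    description   = 'Always On user VPN to the Azure VPN Gateway (Azure AD authentication)'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingString'
            displayName   = 'AO VPN Azure AD'
            omaUri        = "./User/Vendor/MSFT/VPNv2/$profileName/ProfileXML"
            value         = $xml
        }
    )
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($body | ConvertTo-Json -Depth 5)

# The OMA-URI is user-scoped (./User/...), so assign the profile to a user group, not to devices.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $targetGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5)

"Created and assigned profile '$($created.displayName)' ($($created.id))"
```

Because the profile path starts with ./User, Intune applies it in the context of the signed-in user; assigning the same configuration to a device group leaves the VPN missing on the endpoint, which is the symptom to look for if the Azure VPN Client shows no connection after enrollment.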
Endpoint – User Experience
Once the Azure VPN Client and the VPN profile have been deployed to the endpoints, users go through the following steps.
17. Authentication with Azure AD (the identity provider) is required. Click Continue.
18. The VPN connection will now show disconnected. Click Connect.
19. Select the currently signed-in user account and approve the MFA request (when a Conditional Access/MFA policy applies). If you don't get an MFA prompt, have a look at this article. I recommend requiring MFA for this kind of connection: target the Azure VPN enterprise app from step 6 in a Conditional Access policy, so the gateway only ever receives tokens that were issued after MFA.
20. When everything went OK, the connection establishes and stays connected. Keep in mind that the VPN connection disconnects immediately if the DNS suffix of the network you are on matches the <TrustedNetworkDetection> value in your VPN profile. Because of this, test the Azure VPN connection via 4G/5G or from a remote location.
Connection monitoring
If your endpoints are connected to the Azure VPN Gateway, they will report their current IP addresses into the Point-to-site configuration dashboard.
This is great, definitely adding this to my arsenal! Would be interested in getting this setup with Azure Certificate authentication also.
I know someone who's working on this concept with certificates. I'll reply to your comment as soon as his blog is published. Give it a few days.
Hi Daniel,
Here is the blog with certificate authentication. Maybe this is what you are looking for?
Hi Joey,
Do you know how the author achieved the above? Unfortunately, the blog post above is no longer available.
Any help would be appreciated
I've contacted the site owner (I know him) but no response yet. Via the Internet Archive you can still find it: http://web.archive.org/web/20230322170200/https://srdn.io/2022/02/how-to-deploy-an-always-on-vpn-to-azure-vpn-gateway-with-conditional-access/
Thanks for the above Joey, much appreciated. I actually got the above working on Sunday; turns out I missed the below in my XML profile (true). Without it the client did not hand off to AAD to deliver the client cert.
Will compare what I cobbled together against John’s write up.
Best regards
V
true
Really glad this is up and becomes useful to everyone!
Great job!
Many thanks, saved me from the fuss with the config. Microsoft implement normal import, not through one place…
Hello, I have an Azure AD join device and want to use the method above to establish an always on VPN connection during autopilot before the user login. Can this we done?
The reason why I want to establish an automatic vpn connection is so my power shell script runs at logon to map network drives.
No, this is not the correct method. This is a user VPN. You probably need a device VPN. This could be done with an NPS server in your backend. Use Google for "Azure AD device VPN" and I'm sure you will find something that works.
Hi Joey,
Really appreciate the guide, everything seems to be working as intended. We’d hoped to not be working with DNS-suffixes however, and rather use IP-ranges. Do you think it’s possible to design a VPN-profile that enables autoconnect if connected from an IP not in a set range?
Again, greatly appreciate the work. It has been of great help so far!
I actually don't know, I'm sorry. Most common is using the DNS suffix.
Hello, right now my configuration communicating with the onprem firewall is as Tunnel type=SSTP (SSL) – Authentication type=Azure Certificate.
Could I add authentication also with Azure AD so that I can enable as per your guide the devices to connect to the VPN? or do I have to change the Tunnel type=OpenVPN SSL?
I would not want to go and change configurations, but implement as per your guide the ability to use Azure Ad as the authentication method (for clients) while for the firewall leave Azure Certificate.
Hi Michele,
Are you sure this guide is what you are looking for? It looks like you are trying to set up a site-to-site VPN from on-prem to Azure?
This guide is meant for point-to-site from a Windows device to Azure directly.
Am I missing something here? I don't see where always-on is specified. The user has to manually connect.
Hi Matt,
That is not true. Connecting is done automatically based on the DNSSuffix. If it does not match the DNS Suffix in the on-prem/office infrastructure it will connect. Otherwise, it won’t assuming it can reach resources via the internal infrastructure.
Hello Joey,
Thank you so much for this guide, it works well. I have an issue however i hope you can help me with it.
The VPN connects well the first time, and I can try to disconnect it from the Azure client and it reconnects after a few seconds. But when I disconnect the VPN from the built-in VPN software in Windows (from the taskbar in the bottom right), it never auto-connects after that and I have to manually connect the VPN on the said device. Did you encounter this?
I’m not aware of this. Have not tested this.