Implement (Always On) Azure VPN Gateway, Deploy Azure VPN Client and VPN profile via Intune

It was Q4 2020 when I was asked to design a new Modern Workspace concept. The customer had no on-premises hardware/resources and wanted us to migrate everything into Azure. Because of the services they were using, a VPN connection to Azure was then required. Different options passed through my mind but I decided to go for Azure Virtual Network Gateway. I really wanted this because of the Azure AD identity provider support for authentication.

The endpoints are Azure AD joined, deployed via Autopilot and managed by Intune. We picked the Azure VPN client for the connection and deployed a VPN profile to it via Endpoint Manager (Intune). Are you curious how it’s done? Continue reading!

Note: Most settings are left at their defaults because these are good enough for this demo and/or regular organizations. Depending on the bandwidth, total connections and/or speed requirements, these settings can be different.

Create Virtual Network Gateway

1. Create a resource group in Azure and click Create.

2. Search for Virtual network gateway, click Create.

Creating the virtual network gateway is straightforward. The Basic SKU would be good enough, but in this case I picked VpnGW1. Different SKUs are available, but pricing increases with every step. A quick view on pricing can be found here.

Note: OpenVPN is not available in the Basic SKU!

3. Create virtual network gateway

I assume that there’s no Virtual Network available yet and thus we create one via the Virtual Network Gateway creation wizard. For this demo the default address space and subnet is fine.

4. Create virtual network

5. Continue creating the virtual network gateway. Click Review + create to continue.

Here’s a quick summary of the VPN Gateway I’m creating and using for this demo. Click Create and wait until the VPN Gateway is deployed.

Note: I’ve seen deployments which took over 45 minutes to complete. I’m not 100 percent sure but if I remember right, this had something to do with registering a new public IP. If you have a public IP already this could be way faster. In my case it took 35 minutes to complete.

Azure VPN Enterprise App

First, we have to enable Azure AD authentication on this Azure VPN Gateway. To do that, we add a specific Enterprise App and grant consent to it. Open one of the following URLs, depending on the type of tenant you are using.

Public: https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

Azure Gov: https://login.microsoftonline.us/common/oauth2/authorize?client_id=51bb15d4-3a4f-4ebf-9dca-40096fe32426&response_type=code&redirect_uri=https://portal.azure.us&nonce=1234&prompt=admin_consent

Azure Germany: https://login-us.microsoftonline.de/common/oauth2/authorize?client_id=538ee9e6-310a-468d-afef-ea97365856a9&response_type=code&redirect_uri=https://portal.microsoftazure.de&nonce=1234&prompt=admin_consent

Azure China: https://login.chinacloudapi.cn/common/oauth2/authorize?client_id=49f817b6-84ae-4cc0-928c-73f27289b3aa&response_type=code&redirect_uri=https://portal.azure.cn&nonce=1234&prompt=admin_consent

6. Open the URL that belongs to your type of tenant and log on with a Global Admin account. Accept the requested permissions.

Once accepted, you should see the following Enterprise App in the Azure portal. Copy the application ID (41b23e61-6c1e-4545-b367-cd054e0ed4b4), we need this in the following step!

Point-to-site configuration

7. Open your Virtual Network Gateway -> Point-to-site configuration -> Configure now

8. Configure the following settings.

  1. Address pool: The client VPN connections are receiving an IP in this range.
  2. Tunnel type: OpenVPN (SSL)
  3. Authentication type: Azure Active Directory
  4. Tenant: https://login.microsoftonline.com/9b508669-d87d-****-****-**********/ (Tenant ID)
  5. Audience: 41b23e61-6c1e-4545-b367-cd054e0ed4b4 (Enterprise App ID from step before)
  6. Issuer: https://sts.windows.net/9b508669-d87d-****-****-**********/ (Tenant ID)

Deploy the Azure VPN client via Intune / Endpoint Manager

9. Switch to Endpoint Manager / Intune: https://endpoint.microsoft.com. Add the Azure VPN client which can be found in the Microsoft Store for Business. Make sure the Endpoint Manager / Store for Business integration is configured.

After you request the app, it takes some time before it shows up in the Endpoint Manager Apps list. You can try to speed up the process by forcing a sync.

10. Once the Azure VPN Client application is available, deploy it to your endpoints by group assignment. I recommend using a device group for this application.

Prepare VPN Profile config

The VPN profile is an XML file with specific settings, and it is deployed via Intune. Before we can deploy the XML we have to configure it. I’ll share a custom XML file below which needs to be modified! Read the steps below carefully!

11. Download the VPN Client and unpack the .zip file

12. Grab my Example VPN Profile from my Github and make the following modifications:

  • Line 5: Modify the <TrustedNetworkDetection> setting to the DNS suffix your DHCP server sends out to your clients. This is used to determine whether a device is connected to the internal network or an external one. For example: contoso.local.
  • Line 9: Modify the <ServerUrlList> setting. This value can be found in the Generic/VpnSettings.xml file which is in the downloaded .zip file from step 11.
  • Line 18: Modify the <issuer> setting https://sts.windows.net/TENANTID/. This value can also be found in step 8.
  • Line 19: Modify the <tenant> setting https://login.microsoftonline.com/TENANTID/. This value can also be found in step 8.
  • Line 31: Modify the <name> setting. This is the VNET name which is created in step 4. For example: VNET1.
  • Line 41: Modify the <fqdn> setting. This value can be found in the AzureVPN/azurevpnconfig.xml file which is in the downloaded .zip file from step 11.
  • Line 46: Modify the <hash> setting. This value can be found in the AzureVPN/azurevpnconfig.xml file which is in the downloaded .zip file from step 11.
  • Line 50: Modify the <serversecret> setting. This value can be found in the AzureVPN/azurevpnconfig.xml file which is in the downloaded .zip file from step 11.

Save your custom VPN profile as .XML and keep it somewhere safe! 🙂
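A pre-import check for the profile edited in step 12, as an added example that is not part of the original post or the author's GitHub profile: it verifies that the elements listed above are filled in, that the TENANTID placeholder is gone, and that <issuer> and <tenant> carry the same tenant ID in the public-cloud URL form from step 8. The XML layout in SAMPLE, its values and the function names are constructed for illustration; elements are matched by tag name only, so the exact nesting of the real profile does not matter.

```python
import re
import xml.etree.ElementTree as ET

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
# Public-cloud URL shapes as shown in step 8 (assumption: not a sovereign cloud).
TENANT_RE = re.compile(rf"^https://login\.microsoftonline\.com/({GUID})/$")
ISSUER_RE = re.compile(rf"^https://sts\.windows\.net/({GUID})/$")
REQUIRED = ["TrustedNetworkDetection", "ServerUrlList", "name", "fqdn", "hash", "serversecret"]

def values(root, tag):
    """Text of every element with this local name, ignoring XML namespaces."""
    return [(el.text or "").strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == tag]

def check_profile(xml_text):
    """Return a list of problems found in a ProfileXML string (empty list = OK)."""
    root = ET.fromstring(xml_text)
    problems = [f"<{t}> is missing or empty" for t in REQUIRED if not any(values(root, t))]
    if "TENANTID" in xml_text:
        problems.append("TENANTID placeholder not replaced")
    tenant = next((TENANT_RE.match(v) for v in values(root, "tenant")), None)
    # A second <issuer> may exist under certificate validation; only the
    # value pointing at sts.windows.net is treated as the Azure AD issuer.
    issuer = next((ISSUER_RE.match(v) for v in values(root, "issuer")
                   if "sts.windows.net" in v), None)
    if not tenant:
        problems.append("<tenant> must be https://login.microsoftonline.com/<tenant-id>/")
    if not issuer:
        problems.append("<issuer> must be https://sts.windows.net/<tenant-id>/")
    if tenant and issuer and tenant.group(1).lower() != issuer.group(1).lower():
        problems.append("<tenant> and <issuer> use different tenant IDs")
    return problems

# Constructed sample: layout and every value are made up for this example.
SAMPLE = """<VPNProfile>
  <TrustedNetworkDetection>contoso.local</TrustedNetworkDetection>
  <PluginProfile>
    <ServerUrlList>gateway.example.invalid</ServerUrlList>
    <azvpnprofile xmlns="urn:example:constructed">
      <issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</issuer>
      <tenant>https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/</tenant>
      <name>VNET1</name>
      <fqdn>gateway.example.invalid</fqdn>
      <hash>CONSTRUCTED-HASH</hash>
      <serversecret>CONSTRUCTED-SECRET</serversecret>
    </azvpnprofile>
  </PluginProfile>
</VPNProfile>"""
```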

Deploy VPN profile via Intune / Endpoint Manager

13. Switch to Endpoint Manager / Intune: https://endpoint.microsoft.com -> Devices -> Create Profile

14. Pick Windows 10 and later as platform and Templates as profile type. Click template name Custom.

15. Give your profile a name

16. Create a new OMA-URI setting. I’m not sure if spacing is allowed in the fifth section. We have used a hyphen (-) between all words. This is the profile name which is shown on the end-user device and in the Azure VPN client.

  • Name: AO VPN Azure AD
  • Description: Optional
  • OMA-URI: ./User/Vendor/MSFT/VPNv2/Contoso-AO-VPN/ProfileXML
  • Data type: String (XML file)
  • Custom: XML: Import your VPN Profile XML file created in step 12.

17. Assign the configuration profile to a user group and wait until the profile is deployed.

Endpoint – User Experience

Once the Azure VPN Client and VPN profile are deployed to the endpoints, users need to follow these steps.

18. Authentication with Azure AD (identity provider) is required. Click continue.

19. The VPN connection will now show disconnected. Click Connect.

20. Select the currently logged-on user account. Accept the MFA request (when CA/MFA is configured). If you don’t get a required MFA response you should have a look at this article. I recommend MFA for these kinds of connections/apps.

21. When everything went OK, the connection will be established and stay connected. Keep in mind that the VPN connection will disconnect immediately if your DNS suffix matches the <TrustedNetworkDetection> value in your VPN profile. Because of this you should test the Azure VPN connection via 4G/5G or remotely.

Connection monitoring

If your endpoints are connected to the Azure VPN Gateway, they will report their current IP addresses into the Point-to-site configuration dashboard.

9 thoughts on “Implement (Always On) Azure VPN Gateway, Deploy Azure VPN Client and VPN profile via Intune”

  1. Many thanks, saved me from the fuss with the config. Microsoft implement normal import, not through one place…

  2. Hello, I have an Azure AD joined device and want to use the method above to establish an always on VPN connection during autopilot before the user login. Can this be done?

    The reason why I want to establish an automatic VPN connection is so my PowerShell script runs at logon to map network drives.

    1. No, this is not the correct method. This is a user VPN. You probably need a device VPN. This could be done with an NPS server in your backend. Use Google for “Azure AD device VPN” and I’m sure you will find something that works.

  3. Hi Joey,

    Really appreciate the guide, everything seems to be working as intended. We’d hoped to not be working with DNS-suffixes however, and rather use IP-ranges. Do you think it’s possible to design a VPN-profile that enables autoconnect if connected from an IP not in a set range?

    Again, greatly appreciate the work. It has been of great help so far!
