Implement (Always On) Azure VPN Gateway, Deploy Azure VPN Client and VPN profile via Intune

It was Q4 2020 when I was asked to design a new Modern Workspace concept. The customer had no on-premises hardware/resources and wanted us to migrate everything into Azure. Because of the services they where using, a VPN connection to Azure was then required. Different options passed trough my mind but I decided to go for Azure Virtual Network Gateway. I really wanted this because the Azure AD identity provider support for authentication.

The endpoints are Azure AD joined, deployed via Autopilot and managed by Intune. We picked Azure VPN client for the connection and deployed a VPN profile in it via Endpoint Manager (Intune). Are u curious how it’s done? Continue reading!

Note: Most settings are default cause these are good enough for this demo and/or regular organizations. Depending on the bandwidth, total connections and/or speed requirements these settings can be different.

Create Virtual Network Gateway

  1. Create a resource group in Azure and click Create.
Create resource

2. Search for Virtual network gateway, click Create.

Create virtual network gateway

Creating the virtual network gateway is straight forward. The Basic SKU would be good enough but in this case I picked VpnGW1. Different SKU’s are available but pricing increases every step. A quick view on pricing can be found here.

Note: OpenVPN is not available in the Basic SKU!

3. Create virtual network gateway

Create virtual network gateway

I assume that there’s no Virtual Network available yet and thus we create one via the Virtual Network Gateway creation wizard. For this demo the default address space and subnet is fine.

4. Create virtual network

Create virtual network

5. Continue creating the virtual network gateway. Click Review + create to continue.

Create virtual network gateway

Here’s a quick summary of the VPN Gateway I’m creating and using for this demo. Click Create and wait until the VPN Gateway is deployed.

Summary

Note: I’ve seen deployments which took over 45 minutes to complete. I’m not 100 percent sure but if I remember right, this had something to do with registering a new public IP. If u have a public IP already this could be way faster. In my case it took 35 minutes to complete.

Deployment progress

Azure VPN Enterprise App

First, we have to enable Azure AD Authentication to this Azure VPN Gateway. Therefor we have to add a specific Enterprise App and grant consent to it. Therefor u have to open one of the following URL’s which is depending on the current type of tenant you are using.

Public: https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

Azure Gov: https://login.microsoftonline.us/common/oauth2/authorize?client_id=51bb15d4-3a4f-4ebf-9dca-40096fe32426&response_type=code&redirect_uri=https://portal.azure.us&nonce=1234&prompt=admin_consent

Azure Germany: https://login-us.microsoftonline.de/common/oauth2/authorize?client_id=538ee9e6-310a-468d-afef-ea97365856a9&response_type=code&redirect_uri=https://portal.microsoftazure.de&nonce=1234&prompt=admin_consent

Azure China: https://login.chinacloudapi.cn/common/oauth2/authorize?client_id=49f817b6-84ae-4cc0-928c-73f27289b3aa&response_type=code&redirect_uri=https://portal.azure.cn&nonce=1234&prompt=admin_consent

6. Open the URL which belongs to your type of tenant and logon with a Global Admin account. Accept the requested permissions.

Azure VPN permissions

Once accepted, you should see the following Enterprise App in the Azure portal. Copy the application ID (41b23e61-6c1e-4545-b367-cd054e0ed4b4), we need this in the following step!

Azure VPN Enterprise App

Point-to-site configuration

7. Open your your Virtual Network Gateway -> Point-to-site configuration -> Configure now

Point-to-site configuration

8. Configure the following settings.

  1. Address pool: The client VPN connections are receiving an IP in this range.
  2. Tunnel type: OpenVPN (SSL)
  3. Authentication type: Azure Active Directory
  4. Tenant: https://login.microsoftonline.com/9b508669-d87d-****-****-**********/ (Tenant ID)
  5. Audience: 41b23e61-6c1e-4545-b367-cd054e0ed4b4 (Enterprise App ID from step before)
  6. Issuer: https://sts.windows.net/9b508669-d87d-****-****-**********/ (Tenant ID)
Point-to-site configuration

Deploy the Azure VPN client via Intune / Endpoint Manager

9. Switch to Endpoint Manager / Intune: https://intune.microsoft.com. Add the Azure VPN client which can be found in the new Microsoft Store. Click Add -> Select Microsoft Store app (new).

Search for the Azure VPN Client App.

Click Next and assign the application for all devices or a specific group.

Prepare VPN Profile config

The VPN profile is a XML file with specific settings. This XML file is being deployed via Intune. Before we can deploy the XML we have to configure it. I’ll share a custom XML file below which needs to be modified! Read the steps below carefully!

10. Download the VPN Client and unpack the .zip file

11. Grab my Example VPN Profile from my Github and make the following modifications:

  • Line 5: Modify the <TrustedNetworkDetection> setting to the DNS suffix, your DHCP server is sending out to your clients. This will be used to determine if a device is connected to the internal network or external. For example: contoso.local.
  • Line 9: Modify the <ServerUrlList> setting. This value can be found in the Generic/VpnSettings.xml file which is in the downloaded .zip file from step 11.
  • Line 18: Modify the <issuer> setting https://sts.windows.net/TENANTID/. This can Also be found in (see step 8)
  • Line 19: Modify the <tenant> setting https://login.microsoftonline.com/TENANTID/. This can Also be found in (see step 8)
  • Line 31: Modify the <name> setting. This is the VNET name which is created in step 4. For example: VNET1.
  • Line 41: Modify the <fqdn> setting. This value can be found in the AzureVPN/azurevpnconfig.xml file which is in the downloaded .zip file from step 11.
  • Line 46: Modify the <hash> setting. This value can be found in the AzureVPN/azurevpnconfig.xml file which is in the downloaded .zip file from step 11.
  • Line 50: Modify the <serversecret> setting. This value can be found in the AzureVPN/azurevpnconfig.xml file which is in the downloaded .zip file from step 11.

Save your custom VPN profile as .XML and keep it somewhere safe! 🙂

Deploy VPN profile via Intune / Endpoint Manager

12. Switch to Endpoint Manager / Intune: https://intune.microsoft.com -> Devices -> Create Profile

Create profile

13. Pick Windows 10 and later as platform and Templates as profile type. Click template name Custom.

Custom profile

14. Give your profile a name

Configuration profile

15. Create a new OMA-URI Setting. I’m not sure if spacing is allowed in the fifth section. We have used – within all words. This is the profile name which is shown in the end-user device and Azure VPN client.

  • Name: AO VPN Azure AD
  • Description: Optional
  • OMA-URI: ./User/Vendor/MSFT/VPNv2/Contoso-AO-VPN/ProfileXML
  • Data type: String (XML file)
  • Custom: XML: Import your VPN Profile XML file created in step 11.

16. Assign the configuration profile to a user group and wait until the profile is deployed.

Endpoint – User Experience

While the Azure VPN Client and VPN profile are deployed into the Endpoints, users will be required to follow the following steps.

17. Authentication with Azure AD (identity provider) is required. Click continue.

Azure VPN Client

18. The VPN connection will now show disconnected. Click Connect.

Azure VPN Client

19. Select the current logged on user account. Accept the MFA request (when CA/MFA is configured). If you don’t get a required MFA response you should have a look into this article. I recommend MFA for this kind of connections/apps.

Accept MFA

20. When everything went ok, the connection will establish and stays connected. Keep in mind that the VPN connection will disconnect immediately if your DNS suffix matches the <TrustedNetworkDetection> in your VPN profile. Because of this you should test the Azure VPN connection via 4G/5G or remotely.

Azure VPN Client

Connection monitoring

If your endpoints are connected to the Azure VPN Gateway, they will report their current IP addresses into the Point-to-site configuration dashboard.

Connection monitoring

Related Posts

19 thoughts on “Implement (Always On) Azure VPN Gateway, Deploy Azure VPN Client and VPN profile via Intune

      1. Hi Joey,

        Do you know how the author achieved the above, unfortunately the blog post above is no longer available.

        Any help would be appreciated

          1. Thanks for the above Joey much appreciated, I actually got the above working on Sunday turns out I missed the below in my XML profile true without it the client did not hand off to AAD to deliver the client cert.

            Will compare what I cobbled together against John’s write up.

            Best regards

            V

  1. Many thanks, saved me from the fuss with the config. Microsoft implement normal import, not through one place…

  2. Hello, I have an Azure AD join device and want to use the method above to establish an always on VPN connection during autopilot before the user login. Can this we done?

    The reason why I want to establish an automatic vpn connection is so my power shell script runs at logon to map network drives.

    1. No, this is not the correct method. This is a user VPN. You probably need a devicd VPN. This could be done with a NPS server in your backend. Use google for “Azure AD device VPN” and i’m sure you will find something that works.

  3. Hi Joey,

    Really appreciate the guide, everything seems to be working as intended. We’d hoped to not be working with DNS-suffixes however, and rather use IP-ranges. Do you think it’s possible to design a VPN-profile that enables autoconnect if connected from an IP not in a set range?

    Again, greatly appreciate the work. It has been of great help so far!

  4. Hello, right now my configuration communicating with the onprem firewall is as Tunnel type=SSTP (SSL) – Authentication type=Azure Certificate.
    Could I add authentication also with Azure AD so that I can enable as per your guide the devices to connect to the VPN? or do I have to change the Tunnel type=OpenVPN SSL?
    I would not want to go and change configurations, but implement as per your guide the ability to use Azure Ad as the authentication method (for clients) while for the firewall leave Azure Certificate.

    1. Hi Michele,

      Are you sure this guide is what you are looking for? Looks like you are trying to setup a site 2 site VPN from on-prem to azure?
      This guide is ment for point to site from a windows device to Azure directly.

    1. Hi Matt,

      That is not true. Connecting is done automatically based on the DNSSuffix. If it does not match the DNS Suffix in the on-prem/office infrastructure it will connect. Otherwise, it won’t assuming it can reach resources via the internal infrastructure.

  5. Hello Joey,

    Thank you so much for this guide, it works well. I have an issue however i hope you can help me with it.

    The VPN connects well the first time, and i can try to disconnect it from the Azure client and it reconnects after a few seconds. But when i disconnect the VPN from the builtin VPN software in Windows (from the taskbar in the bottom right), it never auto-connects after that and i have to manually connect the VPN on the said device. Did you encounter this?

Leave a Reply

Your email address will not be published. Required fields are marked *

four × 2 =