As part of the announcements from Ignite, Microsoft now released a public preview of the native Azure AD authentication on VPN Gateway. Up until now it has been either that you use a certificate based authentication or using RADIUS. Which has been a difficult sell since many VPN 3.party providers do pretty well the authentication part.
What do I need to set it up?
To set this up you first need to have an active subscription and gateway that you can configure this on. The existing Gateway that you have needs to have P2S enabled, using OpenSSL and just Azure Certificate based authentication, which you then will use to configure Azure AD authentication on. NOTE: Azure AD Authentication is only working for Windows 10 clients.
Now you need to following information:
1: Subscription ID
2: Azure AD Tenant ID
3: Name of the VPN Gateway
4: Resource Group name of the tenant
First is you need to give constent to authorize the VPN client this adds an app registration to your Azure AD Client.
1: Constent to the application:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent
2: Apply the VPN Configuration:
$gw = Get-AzVirtualNetworkGateway -Name <name of VPN gateway> -ResourceGroupName <Resource group>
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -AadTenantUri “https://login.microsoftonline.com/<your Directory ID>” -AadAudienceId “41b23e61-6c1e-4545-b367-cd054e0ed4b4” -AadIssuerUri “https://sts.windows.net/<your Directory ID>/”
3: Create the VPN Configuration:
$profile = New-AzVpnClientConfiguration -ResourceGroupName AADAuth -Name AADauthGW -AuthenticationMethod “EapTls”
$PROFILE.VpnProfileSASUrl
This will create an URL which you can use to download the VPN Profile, which contains an XML file, which you are going to use to in the client.
-<aad> <audience>xxxxx-xxxxx-xxxx-xxxxx</audience> <cachesigninuser>true</cachesigninuser> <issuer>https://sts.windows.net/4927218b-dc7d-421f-a412-fe356b413d59/</issuer> <tenant>https://login.microsoftonline.com/xxxxx-xxxxx-xxxxx-xxxx-xxxx-</tenant> </aad> <cert i:nil="true"/> <type>aad</type> <usernamepass i:nil="true"/>
You can download the client from here –> https://www.microsoft.com/en-us/p/azure-vpn-client-preview/9np355qt2sqb?SilentAuth=1&wa=wsignin1.0&activetab=pivot:overviewtab (This is essentially a UI Wrapper on top of OpenVPN that handles the Azure AD authentication)
Once you’ve installed the client. You need to import the configuration file that you downloaded earlier within the UI
Then all the fields will get pre filled with the information from the configuration file.
Then you can just authenticate with the client.
Setting up Conditional Access Rules for Azure VPN
Using Native Azure AD based authentication, this means that you can use Conditional Access to block and allow access to the service and have a more granular way to handle authentication as well. To allow for a zero-trust model based access.
To create this you basically just need to apply policies for the VPN application, which will be generated as part of the setup. Such as applying MFA and other Conditions that you might want to have in place for each users.
So with this now you don’t need a third party VPN solution to enable zero-trust access to your Azure virtual enviroment which help to provide secure access to enviroments.