Azure Point-to-Site VPN with Azure AD Authentication and MFA

by Thomas Bründl

This article has not been completed yet. However, it may already contain helpful Information and therefore it has been published at this stage.

Deploy VPN - Gateway:

Grant Admin Consent :

https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

Link

Retrieving the Tenant ID:

Store the tenant ID temporarily. We will need it again later.

Setting Up the P2S - Configuration:

https://login.microsoftonline.com/<Tenant_ID>
41b23e61-6c1e-4545-b367-cd054e0ed4b4

https://sts.windows.net/<Tenant_ID>/

Configure Client:

https://apps.microsoft.com/store/detail/9NP355QT2SQB?hl=en-us&gl=US

Setting Up MFA:

The Result:

Additional Note:


In order to ensure that the name resolution works over the P2S connection, the Onprem DNS servers must be defined in the VNet where the Azure VPN gateway has been deployed.

References:

Azure AD tenant for User VPN connections: Azure AD authentication -OpenVPN - Azure Virtual WAN
You can use Azure Virtual WAN User VPN (point-to-site) to connect to your VNet using Azure AD authentication
cherylmcMicrosoft Learn

Youtube-Link