Azure Always on VPN - using Conditional Access VPN Connectivity

Some time back a friend asked me whether an Always On VPN was possible on Azure without running a CA (Certificate Authority). Azure and Entra have everything we need built in, so I wrote up this article; I hope it makes your life easier!

First we generate a VPN certificate in the Conditional Access portal under VPN connectivity. You can choose the certificate lifetime; set a calendar reminder to renew the certificate a month before it expires.

Download the Base64 certificate and save it for when we build the Point-to-Site VPN profile.

Head over to the Point-to-Site configuration on your Virtual Network Gateway and click Configure.

    1. Provide a designated address pool (this should be unique; it is the pool of IPs assigned to VPN clients)

    2. Choose IKEv2 for Tunnel type

    3. For Authentication type, choose Azure certificate

    4. Assign a public IP or create a new one

    5. Under Root certificates, provide a name and use the certificate key, excluding the BEGIN and END lines

    6. Be sure to define the additional routes that lie outside the local subnet

    7. Click Save; this process takes about 15 or so for the VPN to initiate

    8. Once complete, be sure to download the VPN client, as we will need its config

Copy the certificate body shown below (the Base64 between the BEGIN and END lines) and paste it into the Public certificate data field.
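As an added example (not part of the original article), the script below does steps 1 through 6 programmatically: it strips the BEGIN/END lines from the downloaded Base64 certificate, checks that what remains really is DER-encoded data before you paste it, and builds the matching vpnClientConfiguration fragment for the virtual network gateway. The address pool, route prefix and root certificate name are constructed placeholders, and the sample PEM body is a minimal DER SEQUENCE rather than a real certificate; the ARM property names follow the Microsoft.Network/virtualNetworkGateways schema.

```python
"""Prepare the Point-to-Site root certificate data and gateway configuration.

Added example, not from the original article. SAMPLE_PEM is a constructed
stand-in for the downloaded .cer file; the pool, routes and names are
placeholders to replace with your own values.
"""
import base64
import ipaddress
import json
import re

# Constructed stand-in: the body is the Base64 of a minimal DER SEQUENCE
# (30 03 02 01 01), NOT a real certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMC
AQE=
-----END CERTIFICATE-----
"""


def pem_to_public_cert_data(pem):
    """Remove the BEGIN/END lines and all whitespace (step 5) and verify
    that the remaining text is valid Base64 that decodes to a DER SEQUENCE,
    which is what the portal's Public certificate data field expects."""
    body = re.sub(r"-----(BEGIN|END) [A-Z ]+-----", "", pem)
    data = "".join(body.split())
    der = base64.b64decode(data, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not DER; is this the Base64 export?")
    return data


def build_p2s_config(address_pool, root_cert_name, public_cert_data,
                     custom_routes=()):
    """Return the gateway property fragment for steps 1-6: a unique client
    address pool, IKEv2 tunnel, Azure certificate auth, the root certificate
    and any additional routes outside the local subnet."""
    ipaddress.ip_network(address_pool)        # raises on a malformed pool
    for route in custom_routes:
        ipaddress.ip_network(route)           # raises on a malformed route
    return {
        "vpnClientConfiguration": {
            "vpnClientAddressPool": {"addressPrefixes": [address_pool]},
            "vpnClientProtocols": ["IkeV2"],
            "vpnAuthenticationTypes": ["Certificate"],
            "vpnClientRootCertificates": [
                {
                    "name": root_cert_name,
                    "properties": {"publicCertData": public_cert_data},
                }
            ],
        },
        "customRoutes": {"addressPrefixes": list(custom_routes)},
    }


if __name__ == "__main__":
    cert_data = pem_to_public_cert_data(SAMPLE_PEM)
    cfg = build_p2s_config("172.16.201.0/24", "AADConditionalAccessRoot",
                           cert_data, ["10.20.0.0/16"])
    print(json.dumps(cfg, indent=2))
```

The DER check catches the most common paste mistake, which is exporting the certificate in DER rather than Base64 form or leaving the header lines in; in both cases the gateway rejects the root certificate and every client connection fails until it is fixed.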

Next we build the Intune VPN profile.

  1. Select User VPN (only User VPN is supported)

  2. Choose IKEv2 (Native type) for Connection type

  3. Provide a Connection name (this is the name shown under Network Connections)

  4. Under Server address we need the unique server address of our Point-to-Site VPN; it can be pulled from the VPN client you downloaded earlier, in VpnSettings.xml inside the Generic folder

  5. Be sure to enable Always On and Remember credentials at each logon

  6. For Authentication type choose EAP, and for EAP XML use the config below

<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>13</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
        <CredentialsSource>
          <CertificateStore>
            <SimpleCertSelection>true</SimpleCertSelection>
          </CertificateStore>
        </CredentialsSource>
        <ServerValidation>
          <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
          <ServerNames></ServerNames>
        </ServerValidation>
        <DifferentUsername>false</DifferentUsername>
        <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation>
        <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
        <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
          <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
            <EKUMapping>
              <EKUMap>
                <EKUName>AAD Conditional Access</EKUName>
                <EKUOID>1.3.6.1.4.1.311.87</EKUOID>
              </EKUMap>
            </EKUMapping>
            <ClientAuthEKUList Enabled="true">
              <EKUMapInList>
                <EKUName>AAD Conditional Access</EKUName>
              </EKUMapInList>
            </ClientAuthEKUList>
          </FilteringInfo>
        </TLSExtensions>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>


https://gist.githubusercontent.com/jseerden/c0eac3502ebae03c793e227fa5cc40d9/raw/4b02f1fbb3a8286354b7b49fbf6a166f5c3ba496/AOVPN%2520EAP%2520XML%2520with%2520Conditional%2520Access.txt
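Before an EAP XML like the one above is pushed to every device, it is worth reading it back mechanically rather than by eye. The following added example (mine, not the article's or the gist's) parses the EapHostConfig document shown above with the Python standard library and reports the settings a reviewer cares about: that the method is EAP-TLS (type 13), that the Conditional Access EKU 1.3.6.1.4.1.311.87 is mapped and the client EKU filter is enabled, and whether the EAP-TLS layer validates the gateway certificate. The review messages and the decision of what to flag are my own choices; the XML itself is copied from the profile above.

```python
"""Audit an Always On VPN EAP-TLS configuration before deploying it via Intune.

Added example, not part of the original article. EAP_XML is the profile
shown above; the audit matches elements by local name so the several
Microsoft provisioning namespaces in the document do not need to be listed.
"""
import xml.etree.ElementTree as ET

CONDITIONAL_ACCESS_EKU = "1.3.6.1.4.1.311.87"

EAP_XML = """<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>13</Type><EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"><CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleCertSelection></CertificateStore></CredentialsSource><ServerValidation><DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation><ServerNames></ServerNames></ServerValidation><DifferentUsername>false</DifferentUsername><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName><TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"><FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3"><EKUMapping><EKUMap><EKUName>AAD Conditional Access</EKUName><EKUOID>1.3.6.1.4.1.311.87</EKUOID></EKUMap></EKUMapping><ClientAuthEKUList Enabled="true"><EKUMapInList><EKUName>AAD Conditional Access</EKUName></EKUMapInList></ClientAuthEKUList></FilteringInfo></TLSExtensions></EapType></Eap></Config></EapHostConfig>"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _first(node, name):
    """First descendant (or node itself) whose local name is `name`."""
    for el in node.iter():
        if _local(el.tag) == name:
            return el
    return None


def _text(node, name, default=""):
    el = _first(node, name)
    return (el.text or "").strip() if el is not None else default


def _flag(node, name):
    return _text(node, name).lower() == "true"


def audit_eap_config(xml_text):
    """Summarise the security-relevant settings of an EapHostConfig document."""
    root = ET.fromstring(xml_text.strip())
    eku_maps = [(_text(m, "EKUName"), _text(m, "EKUOID"))
                for m in root.iter() if _local(m.tag) == "EKUMap"]
    eku_list = _first(root, "ClientAuthEKUList")
    return {
        "eap_type": int(_text(root, "Type", "0")),
        "simple_cert_selection": _flag(root, "SimpleCertSelection"),
        "perform_server_validation": _flag(root, "PerformServerValidation"),
        "accept_server_name": _flag(root, "AcceptServerName"),
        "server_names": _text(root, "ServerNames"),
        "eku_maps": eku_maps,
        "client_eku_filter_enabled": (
            eku_list is not None
            and eku_list.get("Enabled", "false").lower() == "true"),
    }


def review_findings(summary):
    """Points a reviewer should confirm are intended before deployment."""
    findings = []
    if summary["eap_type"] != 13:
        findings.append("EAP type is not 13 (EAP-TLS); certificate auth is not in use")
    if not any(oid == CONDITIONAL_ACCESS_EKU for _, oid in summary["eku_maps"]):
        findings.append("Conditional Access EKU %s is not mapped" % CONDITIONAL_ACCESS_EKU)
    if not summary["client_eku_filter_enabled"]:
        findings.append("ClientAuthEKUList is disabled: any client-auth certificate may be selected")
    if not summary["perform_server_validation"]:
        findings.append("PerformServerValidation is false: EAP-TLS does not validate the gateway certificate")
    if not summary["server_names"]:
        findings.append("ServerNames is empty: no expected gateway name is configured")
    return findings


if __name__ == "__main__":
    summary = audit_eap_config(EAP_XML)
    for key, value in summary.items():
        print("%-28s %s" % (key, value))
    for finding in review_findings(summary):
        print("REVIEW:", finding)
```

Run against the profile above, the audit confirms EAP-TLS with the Conditional Access EKU filter enabled, and flags that PerformServerValidation is false and ServerNames is empty. Whether that is acceptable is a deployment decision (the IKEv2 gateway still authenticates itself at the IKE layer), but it should be a recorded one rather than a setting nobody noticed in a one-line XML string.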

Next, under Conditional Access, select Enable.

Next, if needed, configure Split tunnel: select Enable and add the prefixes that must be included in the VPN tunnel.

Lastly, select Review + Save and assign the profile to the Azure AD groups containing the necessary users.

This profile syncs to the device, configures the connection automatically and connects at logon. No additional VPN client is required.

Reference Links:

Configure conditional access for VPN connectivity using Azure AD | Microsoft Learn

https://gist.githubusercontent.com/jseerden/c0eac3502ebae03c793e227fa5cc40d9/raw/4b02f1fbb3a8286354b7b49fbf6a166f5c3ba496/AOVPN%2520EAP%2520XML%2520with%2520Conditional%2520Access.txt

https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
