How to implement Azure VPN Gateway Point-to-Site with Entra ID authentication, MFA- and group-based access without AD sync?

Paul 20 Reputation points
2025-11-20T18:58:39.6266667+00:00

Problem Statement

I have received a client requirement for a Point-to-Site VPN in Azure, subject to the following conditions:

Authentication: Users are required to authenticate using Microsoft Entra ID accounts, with no synchronization from Active Directory.

Multi-Factor Authentication (MFA): MFA enforcement is mandatory.

Authorization: Group-based access control is required, necessitating distinct IP pools or network segmentation for different user groups.

Environment Details:

The Active Directory Domain Services (ADDS) domain, "**example.com**", is hosted on Azure IaaS and is not synchronized with Entra ID.

Applications will continue to utilize ADDS for authentication.

There will be no Site-to-Site VPN connectivity.

DNS for ADDS is restricted to internal access only.

User Identities: Users will maintain two distinct identities:

**Entra ID**: Used for VPN login and MFA.

**ADDS**: Used for application access.

Questions:

1. How can we configure Azure VPN Gateway for OpenVPN + Entra ID authentication and enforce MFA via Conditional Access?

2. What is the recommended way to implement group-based segmentation for VPN users (e.g. different IP pools for VPN-Users and VPN-Admins)?


2 answers

  1. Q&A Assist
    2025-11-20T19:00:12.6733333+00:00
    AI generated content. This answer was created with AI from Q&A Assist.

    To implement Azure VPN Gateway Point-to-Site with Microsoft Entra ID authentication, enforce Multi-Factor Authentication (MFA), and set up group-based access without Active Directory synchronization, follow these steps:

    1. Configure Azure VPN Gateway for OpenVPN + Entra ID Authentication:
      • Ensure that your P2S VPN gateway is set up to use Microsoft Entra ID for authentication. This can be done by enabling Microsoft Entra ID authentication on the P2S gateway and configuring the necessary settings (like client address pool).
      • Use the Azure VPN Client for connecting, as it supports Microsoft Entra ID authentication. This setup allows users to authenticate using their Entra ID credentials.
    2. Enforce MFA via Conditional Access:
      • Set up Conditional Access policies in the Microsoft Entra admin center to require MFA for users connecting through the Azure VPN Client. You can create a new policy that targets the Azure VPN Client app and requires MFA during the sign-in process. This ensures that every time a user attempts to connect to the VPN, they must complete the MFA challenge.
      • For detailed steps, refer to the tutorial on enabling Azure MFA with Conditional Access policies.
    3. Implement Group-Based Segmentation for VPN Users:
      • To achieve group-based access control, configure distinct IP address pools for different user groups (e.g., VPN-Users and VPN-Admins). This can be done by defining multiple address pools in the VPN gateway configuration and associating them with specific user groups.
      • Ensure that the Conditional Access policy is set to apply to the specific groups you want to segment. This way, users in different groups will receive different IP addresses based on their group membership when they connect to the VPN.

    By following these steps, you can effectively configure Azure VPN Gateway to meet the requirements of your client while ensuring secure access through Microsoft Entra ID and MFA.


  2. Jeevan Shanigarapu 3,355 Reputation points Microsoft External Staff Moderator
    2025-11-20T23:06:08.3666667+00:00

    Hello @Paul,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand your question regarding the implementation of Azure VPN Gateway Point-to-Site with Entra ID authentication, including MFA and group-based access, without AD synchronization.

    Configure Azure VPN Gateway for OpenVPN + Entra ID Authentication with MFA

    1. Protocol & Client: Use OpenVPN protocol with the Azure VPN Client.
    2. Configure the VPN Gateway in the Azure portal for Microsoft Entra ID authentication.
    3. Use the Microsoft-registered App ID and Audience values (avoid manual app registration for security and simplicity).
    4. Download and distribute the VPN client profile to users for Azure VPN Client configuration.
    5. Create Conditional Access policies targeting the Azure VPN Client app and relevant user groups.
    6. Require Multi-Factor Authentication at sign-in for VPN access.

    References:

    Configure a P2S VPN - Microsoft Entra ID authentication - manually registered Azure VPN Client App ID - Azure VPN Gateway | Microsoft Learn

    Implement Group-Based Segmentation for VPN Users

    1. Create groups such as VPN-Users and VPN-Admins in Microsoft Entra ID.
    2. Assign distinct IP address pools to each group in the VPN Gateway configuration.
    3. If a user belongs to multiple groups, the gateway assigns the IP from the highest priority group.
    4. For stricter segmentation, consider multiple P2S VPN gateways or Network Virtual Appliances (NVAs).
    5. Ensure external users are set as Members, not Guests, to avoid default IP pool assignment.

    Reference:

    About User Groups and IP Address Pools for Point-to-Site Connections - Azure VPN Gateway | Microsoft Learn

    Configure P2S access based on users and groups - Microsoft Entra ID authentication - Azure VPN Gateway | Microsoft Learn

    If the issue still persists, please leave a comment below and I will respond to you.

    Please "Accept the Answer" if the information helped you. This will help us and others in the community as well.

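The priority rule (step 3) and the Guest caveat (step 5) of the group-based segmentation answer, modelled as an added Python example. This is not Azure's code and not from anyone in this thread; the policy-group layout, the convention that the lowest priority number wins, and the group object IDs are all assumptions.

```python
import ipaddress

# Constructed sample mirroring the shape of P2S policy groups (assumed layout,
# not an exported gateway configuration). Group IDs are placeholders.
POLICY_GROUPS = [
    {"name": "Default", "priority": 100, "is_default": True,
     "entra_groups": [], "pool": "10.10.0.0/24"},
    {"name": "VPN-Admins", "priority": 0, "is_default": False,
     "entra_groups": ["<admins-group-object-id>"], "pool": "10.10.1.0/24"},
    {"name": "VPN-Users", "priority": 10, "is_default": False,
     "entra_groups": ["<users-group-object-id>"], "pool": "10.10.2.0/24"},
]


def validate(policy_groups):
    """Fail early on configs the gateway would reject: exactly one default
    group, and address pools that do not overlap each other."""
    if sum(1 for g in policy_groups if g["is_default"]) != 1:
        raise ValueError("exactly one default policy group is required")
    nets = [ipaddress.ip_network(g["pool"]) for g in policy_groups]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"address pools overlap: {a} and {b}")
    return True


def assign_pool(policy_groups, user_groups, user_type="Member"):
    """Return the CIDR pool a connecting user lands in.
    Assumption in this model: the lowest priority number is the highest
    priority, and a Guest account never matches a group (answer 2, step 5),
    so it always falls into the default pool."""
    validate(policy_groups)
    default = next(g for g in policy_groups if g["is_default"])
    if user_type != "Member":
        return default["pool"]
    matches = [g for g in policy_groups if not g["is_default"]
               and set(g["entra_groups"]) & set(user_groups)]
    if not matches:
        return default["pool"]
    return min(matches, key=lambda g: g["priority"])["pool"]


if __name__ == "__main__":
    # An admin who is also in VPN-Users gets the higher-priority admin pool.
    print(assign_pool(POLICY_GROUPS, ["<admins-group-object-id>",
                                      "<users-group-object-id>"]))
```

Because each pool is a distinct prefix, NSG or firewall rules can then key on the pool's source range to give VPN-Admins and VPN-Users different reach into the ADDS subnet.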
