Point-to-site VPN authentication support for Azure AD
Instead of only requiring a certificate for authentication in Azure VPN point-to-site solutions, it would be nice if the Azure networking team would consider adding support for a username (UPN) and password that is authenticated against either Azure AD or ADFS.
We are working on adding native AAD support, stay tuned for release dates.
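For readers who want to see what the native Azure AD option looks like once it is available, the following is an added example of switching an existing point-to-site gateway from certificate authentication to Azure AD authentication with Azure PowerShell. It is not code from this thread or from the Azure team; the gateway name, resource group and tenant ID are placeholders, and the audience ID is the one Microsoft documents for the Azure VPN enterprise application in the Azure public cloud and should be checked against current documentation before use.

```powershell
# Added example: configure Azure AD (AAD) authentication on an existing
# point-to-site VPN gateway. Names and tenant ID are placeholders.
$rg        = "rg-p2s-example"          # assumed resource group
$gwName    = "vpngw-p2s-example"       # assumed gateway name
$tenantId  = "00000000-0000-0000-0000-000000000000"  # replace with your tenant ID

# Audience ID of the Azure VPN enterprise application (Azure public cloud).
# Verify against current Microsoft documentation before relying on it.
$aadAudience = "41b23e61-6c1e-4545-b367-cd054e0ed4b4"

$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg

# Native AAD auth requires the OpenVPN tunnel type. Clearing the root
# certificate list removes the certificate-based trust that previously
# granted any holder of a signed client certificate access.
Set-AzVirtualNetworkGateway `
    -VirtualNetworkGateway $gw `
    -VpnClientRootCertificates @() `
    -VpnClientProtocol OpenVPN `
    -VpnAuthenticationType AAD `
    -AadTenantUri  "https://login.microsoftonline.com/$tenantId/" `
    -AadAudienceId $aadAudience `
    -AadIssuerUri  "https://sts.windows.net/$tenantId/"

# Quick check: confirm the gateway now reports AAD as its authentication type.
$updated = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
$updated.VpnClientConfiguration.VpnAuthenticationTypes
```

Because users then sign in with their Azure AD identity, access can be removed by disabling the account or changing group membership rather than by tracking down a distributed client certificate.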
I tested the AAD integration and it works great! Thanks for the implementation!
How can we enforce that only domain-joined devices are used for the VPN connection with AAD? Is there any possibility to do this in combination with Intune, SCCM, or a device certificate?
We would like to prevent a user from installing the VPN tunnel on a private device.
Norbert Wellinger commented
Native Azure Active Directory authentication support in point-to-site VPN without OpenVPN
Great to have Azure AD authentication with MFA now with the Azure VPN Client (Preview). It works well (on Windows 10).
However, the current client is a UWP app, only available from the Store, and can't be installed on Windows Server (why?).
Is there (going to be) a client for Windows Server 2016 / 2019 as well?
James Sampson commented
Excited to see that this is nearing implementation!
Eric LR commented
Almost 2 years and nothing has happened. We are still using the ****** certificate mechanism, and the RADIUS AAD auth option is not even possible.
Adon Metcalfe commented
FYI this would also be useful for our employees (2000+)
Gurpreet Singh commented
It is a reliable way to connect users over VPN, and a dual-authentication mode is needed to connect to the VPN, i.e. OTP over phone or email.
This is critical, frankly. We've got dozens of remote users who need point-to-site connections, and it's utterly unscalable to use the existing certificate-based approach. It's frankly so difficult to do something simple, like revoke a user's certificate, that whatever the theoretical advantages to certificate-based authentication, in practice it's awful - you should assume that anybody who gets a certificate has access forever.
James D commented
Really love this idea. As an organisation (50 users) we would prefer to terminate our remote worker VPNs in our Virtual Network in Azure so that we can rely less on our on-premises infrastructure. Currently we are using an OpenVPN server on premises; connectivity to Azure resources is provided by the site-to-site VPN, so that part of the puzzle is in place anyway.
What I'd like to see is that each client uses the same certificate as the first form of auth and the second is a username and password which authenticates against either a Domain Controller (AD) or Azure Active Directory. Managing certificates on a per-user basis is not scalable for us, so we can't use the point-to-site VPN service as it is today.