Provide multi-factor authentication capabilities in VPN client
The ask is pretty self-explanatory.
We want to host sensitive data in Azure VMs and enable connectivity only via P2S VPN.
Today, the VPN client only requires having the cert to gain access to the Azure Network. As the cert can easily end up in the hands of someone who shouldn't have access to it...it's not very secure.
For MFA, integration with PhoneFactor would be cool. At a minimum, the VPN client should require a username/password in addition to requiring the cert.
We are working on giving more control over authentication within Point-to-Site connectivity to Azure.
+999! Using your Azure account + MFA in order to connect to the VPN.
If you require MFA for Azure P2S, as a workaround, you can use a RADIUS server that starts an MFA request. This works with NPS (Active Directory) and the Azure MFA extension, so your users only have to set up MFA for Azure AD. However, you need a verification method that doesn't require user input (phone call or mobile app notification) as there is no GUI for providing codes.
Jose Sa commented
Currently our Azure P2S VPN users need to use MFA only once to connect. After authenticating for the first time with MFA, they can connect to the VPN using only their userid and password, no need to use the second factor anymore. I think this implementation does not provide independence between authentication factors, as a single set of credentials (Windows userid and password) provides access to the VPN (see scenario 2 on https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authentication-Guidance-v1.pdf).
Scott Bye commented
MFA needs to be able to be applied to trusted devices. Currently Conditional Access is satisfied due to a valid claim in the token. The problem is the lifetime of that token. In the same way as the Azure Portal requires me to pass MFA for every sign in, so should the VPN. Gaining access to an unlocked laptop, or obtaining someone's Windows Hello PIN, shouldn't automatically also give them VPN access.
Not having to authenticate is bad enough, but the VPN connections are not recorded in the user sign-ins either (after the initial login).
The new client should be able to be deployed and configured through Intune. Deploying is possible through Windows store integration in Intune, but configuration is manual.
Gurpreet Ahuja commented
A second method of authentication is critically required: once a client's contract is over, he cannot access the production setup on Azure, but Point to Site with certificate authentication doesn't have any control to fulfill this requirement.
Any update about this feature?
Keith Furman commented
Looks like this was just announced:
Point-to-Site (P2S) VPN Support for macOS and Active Directory (AD) Authentication
P2S VPN connectivity allows customers to connect to their Azure VNet from anywhere using their Windows machines and now macOS. With Active Directory domain authentication customers can now use their organization’s domain credentials for VPN authentication instead of inserting certificates on the client machines. The Azure VPN Gateway integrates with your RADIUS and AD Domain deployment running either in Azure or on-premises. Integrate your RADIUS server with other identity systems for additional authentication options for P2S VPN.
Ralf Todenhagen commented
Flexibility in the authentication scheme for VPN access via the client would allow us to implement similar types of authentication for functionally equivalent access (e.g. on-prem access requires MFA in our case, etc.)
Hannu Piki commented
We as well would like to hear/see status update around this feature. Azure AD integration with MFA would be awesome!
Ken Sykora commented
Would love to see this feature available! Can you post an update on the status of this?
Travis Schilling commented
Definitely agree that Azure AD integration is better than nothing.
Any news on the status of this?
Ahmet Arsan commented
Azure AD dependency would be totally acceptable. Any source for users is better than zero.
Same question as the folks below, any update?
When could we have Azure AD integration with the P2S VPN connection?
Hi - is there an update on this?
Any version of multi-factor authentication for Azure P2S VPN is desperately needed; we don't care about the dependencies at this point.
Is there an update to Azure AD integration with P2S in the real near future? As stated in the Microsoft Azure HIPAA/HITECH Act, to "monitor and log" is currently not obtainable with something "built in" in Azure AD. Would be a great addition for those who need to meet HIPAA compliance.
Dear Mr. Wang
Though it might be a little outdated, is the integration of Azure AD with P2S still on the roadmap?
Thanks for your answer.