point-to-site-entra-gateway.md

title	Configure P2S VPN gateway for Microsoft Entra ID authentication: Microsoft-registered client
titleSuffix	Azure VPN Gateway
description	Learn how to configure P2S gateway settings and Microsoft Entra ID authentication using Microsoft-registered Azure VPN Client.
author	cherylmc
ms.service	azure-vpn-gateway
ms.topic	how-to
ms.date	02/13/2025
ms.author	cherylmc
ms.custom	linux-related-content sfi-image-nochange

Configure P2S VPN Gateway for Microsoft Entra ID authentication

This article helps you configure your point-to-site (P2S) VPN gateway for Microsoft Entra ID authentication using the new Microsoft-registered Azure VPN Client App ID.

[!INCLUDE About Microsoft-registered app]

Point-to-site workflow

Successfully configuring a P2S connection using Microsoft Entra ID authentication requires a sequence of steps.

This article helps you:

1. Verify your tenant.
2. Configure the VPN gateway with the appropriate required settings.
3. Generate and download the VPN Client configuration package.

The articles in the Next steps section help you:

1. Download the Azure VPN Client on the client computer.
2. Configure the client using the settings from the VPN Client configuration package.
3. Connect.

Prerequisites

This article assumes the following prerequisites:

• A VPN gateway

  • Certain gateway options are incompatible with P2S VPN gateways that use Microsoft Entra ID authentication. The VPN gateway can't use the Basic SKU or a policy-based VPN type. For more information about gateway SKUs, see About gateway SKUs. For more information about VPN types, see VPN Gateway settings.

  • If you don't already have a functioning VPN gateway that's compatible with Microsoft Entra ID authentication, see Create and manage a VPN gateway - Azure portal. Create a compatible VPN gateway, then return to this article to configure P2S settings.

• A Microsoft Entra tenant

  • The steps in this article require a Microsoft Entra tenant. For more information, see Create a new tenant in Microsoft Entra ID.

Add the VPN client address pool

[!INCLUDE Configure a client address pool]

Configure tunnel type and authentication

Important

[!INCLUDE Microsoft Entra ID note for portal pages]

1. Locate the tenant ID of the directory that you want to use for authentication. For help with finding your tenant ID, see How to find your Microsoft Entra tenant ID.

2. Configure tunnel type and authentication values.

   :::image type="content" source="./media/point-to-site-entra-gateway/values.png" alt-text="Screenshot showing settings for Tunnel type, Authentication type, and Microsoft Entra ID settings." lightbox="./media/point-to-site-entra-gateway/values.png":::

   Configure the following values:

   • Address pool: client address pool
   • Tunnel type: OpenVPN (SSL)
   • Authentication type: Microsoft Entra ID

   For Microsoft Entra ID values, use the following guidelines for Tenant, Audience, and Issuer values. Replace {Microsoft ID Entra Tenant ID} with your tenant ID, taking care to remove {} from the examples when you replace this value.

   • Tenant: TenantID for the Microsoft Entra ID tenant. Enter the tenant ID that corresponds to your configuration. Make sure the Tenant URL doesn't have a \ (backslash) at the end. Forward slash is permissible.

     • Azure Public: https://login.microsoftonline.com/{TenantID}
     • Azure Government: https://login.microsoftonline.us/{TenantID}
     • Azure Germany: https://login-us.microsoftonline.de/{TenantID}
     • China 21Vianet: https://login.chinacloudapi.cn/{TenantID}

   • Audience: The corresponding value for the Microsoft-registered Azure VPN Client App ID. Custom audience is also supported for this field.

     • c632b3df-fb67-4d84-bdcf-b95ad541b5c8

   • Issuer: URL of the Secure Token Service. Include a trailing slash at the end of the Issuer value. Otherwise, the connection might fail. Example:

     • https://sts.windows.net/{Microsoft ID Entra Tenant ID}/

3. You don't need to click Grant administrator consent for Azure VPN client application. This link is only for manually registered VPN clients that use the older Audience values. It opens a page in the Azure portal.

4. Once you finish configuring settings, click Save at the top of the page.

Download the VPN client profile configuration package

In this section, you generate and download the Azure VPN client profile configuration package. This package contains the settings that you can use to configure the Azure VPN client profile on client computers.

[!INCLUDE Azure VPN client profile configuration package]

Configure the Azure VPN Client

Next, you examine the profile configuration package, configure the Azure VPN Client for the client computers, and connect to Azure. See the articles listed in the Next steps section.

Next steps

Configure the Azure VPN Client.

• Azure VPN Client for Linux
• Azure VPN Client for Windows
• Azure VPN Client for macOS