| title | Create custom app ID for P2S VPN Microsoft Entra ID authentication |
|---|---|
| titleSuffix | Azure VPN Gateway |
| description | Learn how to create or modify a custom audience App ID or upgrade an existing custom App ID to the new Microsoft-registered Azure VPN Client app values. |
| author | cherylmc |
| ms.service | azure-vpn-gateway |
| ms.topic | concept-article |
| ms.date | 02/27/2025 |
| ms.author | cherylmc |
The steps in this article help you create a Microsoft Entra ID custom App ID (custom audience) for the new Microsoft-registered Azure VPN Client for point-to-site (P2S) connections. You can also update your existing tenant to change to the new Microsoft-registered Azure VPN Client app from the previous Azure VPN Client app.
When you configure a custom audience app ID, you can use any of the supported values associated with the Azure VPN Client app. We recommend that you associate the Microsoft-registered App ID Azure Public audience value c632b3df-fb67-4d84-bdcf-b95ad541b5c8 to your custom app when possible. For the full list of supported values, see P2S VPN - Microsoft Entra ID.
This article provides high-level steps. The screenshots to register an application might be slightly different, depending on the way you access the user interface, but the settings are the same. For more information, see Quickstart: Register an application. For more information about Microsoft Entra ID authentication for P2S, see Microsoft Entra ID authentication for P2S.
If you're configuring a custom audience app ID in order to configure or restrict access based on users and groups, see Scenario: Configure P2S access based on users and groups - Microsoft Entra ID authentication. The scenario article outlines the workflow and steps to assign permissions.
- This article assumes that you already have a Microsoft Entra tenant and the permissions to create an Enterprise Application, typically the Cloud Application Administrator role or higher. For more information, see Create a new tenant in Microsoft Entra ID and Assign user roles with Microsoft Entra ID.
- This article assumes that you're using the Microsoft-registered App ID Azure Public audience value c632b3df-fb67-4d84-bdcf-b95ad541b5c8 to configure your custom app. This value has global consent, which means you don't need to manually register it to provide consent for your organization. We recommend that you use this value.
- If you need to use a manually registered app ID value instead, you must give consent to allow the app to sign in and read user profiles before proceeding with this configuration. You must sign in with an account that's assigned the Cloud Application Administrator role.
  - To grant admin consent for your organization, modify the following command to contain the desired client_id value. In the example, the client_id value is for Azure Public. See the table for additional supported values.

    https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

  - Copy and paste the URL that pertains to your deployment location in the address bar of your browser.
  - Select the account that has the Cloud Application Administrator role if prompted.
  - On the Permissions requested page, select Accept.
[!INCLUDE Configure custom audience]
After you've completed the steps in the previous sections, continue to Configure P2S VPN Gateway for Microsoft Entra ID authentication – Microsoft-registered app.
Note
These steps can be used for any of the supported values associated with the Azure VPN Client app. We recommend that you associate the Microsoft-registered App ID Azure Public audience value c632b3df-fb67-4d84-bdcf-b95ad541b5c8 to your custom app when possible.
[!INCLUDE Change custom audience]
- Configure P2S VPN Gateway for Microsoft Entra ID authentication – Microsoft-registered app.
- To connect to your virtual network, you must configure the Azure VPN client on your client computers. See Configure a VPN client for P2S VPN connections.
- For frequently asked questions, see the Point-to-site section of the VPN Gateway FAQ.