Azure VPN Client - Entra Authentication - Disconnecting every hour again

TonyLessard 111

We have had this issue come up repeatedly over the last couple years, and this is the pattern: A particular verison of the Azure VPN client will be released that has issues with disconnecting every hour. After a little while there is an updated version that fixes it. This happened last with, if I recall correctly, version 3.4.0.0. 3.4.1.0 fixed the issue. Prior to that it was 3.1.2.0 or something with the issue and the next version fixed it. Now we just had 4.0.0.0 pushed from Microsoft Store and we have the same issue with disconnecting every hour. When this happened last time I spent hours testing different token timeouts with Conditional Access Policies mentioned in the troubleshooting article with no effect. The only thing that worked was the fixed version. When does version 4.0.1.0 come out?

Rohith Vinnakota 2,720 Reputation points Microsoft Vendor

2025-02-18T23:04:49.35+00:00

Hi @TonyLessard,

Greetings!

Could you please try to downgrade the VPN client to version 3.3.1.0 and see if that helps?

Here is the download link for VPN client version 3.3.1.0:
https://aka.ms/azvpnclientdownload

I have requested some additional details in the private message here. It will help could you provide the details.
Srikanth Sangani 0 Reputation points Microsoft Employee

2025-02-19T05:33:16.34+00:00

Thank you for your feedback.

The hourly disconnection of the Azure VPN client is likely due to the expiration of the refresh token acquired from Entra ID, which is renewed approximately every hour. To address this, Entra tenant administrators can extend the sign-in frequency by adding conditional access policies. Please collaborate with your Entra tenant administrators to extend the refresh token expiration interval.

For more details, please refer to the documentation: Azure VPN Gateway FAQ | Microsoft Learn

If the conditional access policies should not resolve the issue, you can open a ticket or you share the Azure VPN logs through Feedback Hub.

Report an Azure VPN Client problem via Feedback Hub | Microsoft Learn
TonyLessard 111 Reputation points

2025-02-19T15:21:54.59+00:00

@Rohith Vinnakota I downgraded to version 3.3.1.0 and have been connected for over an hour with no disconnection/reauthentication needed.

@Srikanth Sangani The conditional access policy referenced in the link you shared is what I had previously tested unsuccessfully when this issue happened with version 3.4.0.0. Version 3.4.1.0 (or whatever the next version was) fixed the issue without changes to the conditional access policies in my environment, which I had set back to pre-troubleshooting configuration. So, unless 3.4.1.0 rolled back a change to the authentication process that was introduced in 3.4.0.0, it doesn't seem like updating the CA policy will have any effect.

Thanks
TonyLessard 111 Reputation points

2025-02-19T15:30:11.6266667+00:00

@Rohith Vinnakota I downgraded to version 3.3.1.0 and have been connected for over an hour with no disconnection/reauthentication needed.

@Srikanth Sangani The conditional access policy changes to the refresh token lifetime referenced in the link you shared is what I had previously tried, unsuccessfully, when this same issue happened with version 3.4.0.0. Version 3.4.1.0 (or whatever the next version was) resolved the issue with no changes to the CA policy, which I had reverted back to their pre-troubleshooting values. So, unless 3.4.1.0 reverted a change in the overall authentication process back to the pre-3.4.0.0 functionality, it doesn't seem like modifying the CA will have a positive effect.

thanks - Tony
Rohith Vinnakota 2,720 Reputation points Microsoft Vendor

2025-02-19T20:20:02.2033333+00:00

Hi @TonyLessard,

Glad to know downgrading the Client version helped. We currently going through the logs and we will get back on that.

1 answer

Srikanth Sangani 0 Reputation points Microsoft Employee

2025-02-20T07:28:34+00:00

Hey @TonyLessard , you are right in 3.4.1.0 version we have reverted the change we have added in the rekey authentication process, that's the reason why when you have moved to 3.4.1.0 you didn't see any issue despite of not change the CA policy. And in 4.0.0.0 version we have again added this rekey authentication change with an enhancement. That's where now 4.0.0.0 version will honour the CA policy .

So you have to change the sign-in frequency on your Microsoft Entra for Azure VPN client application to get rid of hourly disconnect.
Please sign in to rate this answer.
TonyLessard 111 Reputation points

2025-02-20T19:20:00.9633333+00:00

OK @Srikanth Sangani I will give that a try and will report back, likely next week.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure VPN Client - Entra Authentication - Disconnecting every hour again

1 answer

Your answer