Edit

Share via

Migrate a manually registered Azure VPN Client to the Microsoft-registered client

  • Article

This article helps you migrate from a manually registered Azure VPN Client to the Microsoft-registered Azure VPN Client for a User VPN (P2S) connection with Microsoft Entra ID authentication. The Microsoft-registered Azure VPN client uses a different Audience value. When you update an Audience value, you must make the change on both the P2S VPN gateway, and on any previously configured VPN clients. For more information about Audience values, see the Microsoft-registered app article. This article doesn't apply to custom Audience value configurations. To modify a custom audience app ID, see Create or modify a custom audience app ID.

The following table shows the available supported Audience values.

App ID Supported Audience values Supported clients
Microsoft-registered The audience value c632b3df-fb67-4d84-bdcf-b95ad541b5c8 applies to:
- Azure Public
- Azure Government
- Azure Germany
- Microsoft Azure operated by 21Vianet		 - Linux
- Windows
- macOS
Manually registered - Azure Public: 41b23e61-6c1e-4545-b367-cd054e0ed4b4
- Azure Government: 51bb15d4-3a4f-4ebf-9dca-40096fe32426
- Azure Germany: 538ee9e6-310a-468d-afef-ea97365856a9
- Microsoft Azure operated by 21Vianet: 49f817b6-84ae-4cc0-928c-73f27289b3aa		 - Windows
- macOS
Custom <custom-app-id> - Linux
- Windows
- macOS

Workflow

The standard workflow is:

  1. Update Virtual WAN P2S gateway settings.
  2. Generate and download new VPN client configuration files.
  3. Update the VPN client either by importing the client configuration package, or (optionally) updating the settings on the already configured VPN client.
  4. Remove the old Azure VPN Client from the tenant. This step isn't required in order to make a P2S connection using the new Audience value, but it's good practice.

Update P2S gateway settings

When you update audience values on an existing gateway, you incur fewer than 5 minutes of downtime.

  1. In the portal, go to your Virtual WAN resource. In the left pane, select User VPN configurations.

  2. On the User VPN configurations page, select the configuration, then click Edit configuration.

  3. On the Edit configuration page, go to the Azure Active Directory page, which is used to configure the Microsoft Entra ID values. Change the Audience value to: c632b3df-fb67-4d84-bdcf-b95ad541b5c8.

  4. Leave the other settings the same, unless you have changed tenants and need to change the tenant IDs. If you update the Issuer field, take care to include the trailing slash at the end. For more information about each of the fields, see User configuration values.

  5. Once you finish configuring settings, click Review + create to save your settings.

  6. Click Create to update the gateway. This takes about 5 minutes to complete.

Update VPN client settings

When you make a change to a P2S gateway, you typically need to generate and download a new VPN client profile configuration package. This package contains the updated settings from the P2S VPN gateway. If you're configuring new Azure VPN Clients, you must generate this configuration package.

However, when you update only the Audience or tenant values, you have a couple of options when reconfiguring already deployed Azure VPN Clients.

  • If the Azure VPN Client is already configured to connect to this P2S gateway, you can manually update the VPN client.

  • If you've updated multiple values on the P2S gateway, or you want easily update the VPN clients by importing the new values, you can generate and download a new P2S VPN client profile configuration package and import it to each client.

Update an Azure VPN Client

These steps help you update the Azure VPN Client manually, without using the profile configuration package.

  1. Launch the Azure VPN Client app.
  2. Select the VPN connection profile that you want to update.
  3. Click ..., then Configure.
  4. Update the Audience field to the new Audience value. This value must match the P2S gateway value to which this client connects.
  5. If you also updated the Tenant ID values, change them on the client. These values must match the P2S gateway values.
  6. Click Save to save the settings.

Update using a profile configuration package

If you want to use the VPN client profile configuration files to configure your Azure VPN Client, you can generate a profile configuration package that contains the new P2S gateway settings.

You can download global (WAN-level) profiles, or a profile for a specific hub. For information and additional instructions, see Download global and hub profiles. The following steps walk you through downloading a global WAN-level profile.

  1. To generate a WAN-level global profile VPN client configuration package, go to the virtual WAN (not the virtual hub).

  2. In the left pane, select User VPN configurations.

  3. Select the configuration for which you want to download the profile. If you have multiple hubs assigned to the same profile, expand the profile to show the hubs, then select one of the hubs that uses the profile.

  4. Select Download virtual WAN user VPN profile.

  5. On the download page, select EAPTLS, then Generate and download profile. A profile package (zip file) containing the client configuration settings is generated and downloads to your computer. The contents of the package depend on the authentication and tunnel choices for your configuration.

Next steps

Configure P2S User VPN for Microsoft Entra ID authentication – Microsoft-registered app for more information about configuring P2S VPN gateways for Microsoft Entra ID authentication.