Issue with Azure VPN Point-to-Site Authentication Using Azure AD (Entra ID) – Users Not Restricted by New App Registration

Harish 0 Reputation points
2025-02-18T13:51:47.7166667+00:00

Problem Description:

We have configured Point-to-Site (P2S) VPN on our Azure Virtual Network Gateway using Azure Active Directory (Entra ID) authentication. Initially, we added all users to the Enterprise Application "Azure VPN", and everything was working fine.

Now, we want to separate users into different groups for DEV and PROD environments. To achieve this, we:

  1. Created a new App Registration following the Microsoft documentation: 👉 Register an application for custom VPN authentication
  2. Updated the Application (client) ID of the new App Registration as the Audience in the Virtual Network Gateway's P2S VPN Configuration.
  3. Assigned only specific users to the new App Registration.

Issue Faced:

Despite assigning only specific users to the new App Registration, users who are not part of this new registration are still able to log in to the VPN.

Expected Behavior:

Only users assigned to the new App Registration should be allowed to authenticate via Azure AD and connect to the VPN.

Troubleshooting Steps Taken:

  • Verified that the Application (client) ID of the new App Registration is correctly set as the Audience in the Virtual Network Gateway.
  • Checked Azure AD logs to confirm authentication requests.
  • Confirmed that only the intended users are assigned to the new App Registration.

Questions for the Community:

  1. Does Azure Virtual Network Gateway cache authentication settings? If so, how can we force it to recognize the new App Registration settings immediately?
  2. Are there additional configuration changes required to restrict access only to users assigned in the new App Registration?
  3. Is there a way to verify which App Registration Azure VPN is actually using for authentication?

1 answer

  1. Rohith Vinnakota 2,735 Reputation points Microsoft Vendor
    2025-02-18T21:41:36.7833333+00:00

    Hi @Harish,

    Greetings!

    Does Azure Virtual Network Gateway cache authentication settings? If so, how can we force it to recognize the new App Registration settings immediately?

    No, the Virtual Network Gateway does not cache authentication settings. Changes to the App Registration (Client ID) should take effect immediately. Please regenerate and redistribute the VPN client profile to ensure clients use the latest settings after the audience ID is updated on the Azure VPN P2S.

    Are there additional configuration changes required to restrict access only to users assigned in the new App Registration?

    Please change the setting on the app registration's Enterprise Application: set "User assignment required?" to Yes (Azure AD --> Enterprise Apps --> Azure VPN --> Properties).


    • If this option is set to yes, then users and other apps or services must first be assigned this application before being able to access it.
    • If this option is set to no, then all users will be able to sign in, and other apps and services will be able to obtain an access token to this service.

    Is there a way to verify which App Registration Azure VPN is actually using for authentication?

    Go to the VPN client, select the diagnose option, and then choose the show logs directory. There, you will find the App Registration ID in the logs.


    Kindly let me know if the issue still persists or if you have any additional questions.


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
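The two checks the answer describes (which audience the distributed profile actually carries, and which app registration the client really authenticated against) can be scripted so they are not left to reading log files by eye. The example below is added here and is not code from the original question, the answer, or Microsoft; it assumes the azurevpnconfig.xml layout of an exported Azure AD P2S profile (clientauth/aad/audience, issuer, tenant), and the GUIDs, the sample profile and the sample token are all constructed placeholders, not real tenant or application IDs. It reads the audience out of the profile, decodes the payload of an issued access token (inspection only, no signature verification), and reports whether both point at the app registration you expect.

```python
"""Cross-check an Azure P2S VPN client profile and an issued token against the expected app registration."""
import base64
import json
import xml.etree.ElementTree as ET

# Constructed sample profile in the shape of an exported azurevpnconfig.xml.
# The GUIDs are placeholders (assumption), not real tenant or application IDs.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="utf-8"?>
<AzVpnProfile xmlns="http://schemas.datacontract.org/2004/07/">
  <clientauth>
    <aad>
      <audience>11111111-1111-1111-1111-111111111111</audience>
      <issuer>https://sts.windows.net/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/</issuer>
      <tenant>https://login.microsoftonline.com/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/</tenant>
    </aad>
  </clientauth>
</AzVpnProfile>
"""


def _local(tag):
    """Strip the XML namespace so lookups work whichever namespace the export declares."""
    return tag.rsplit("}", 1)[-1]


def _find_text(node, *path):
    """Walk child elements by local name and return the text of the last one, or None."""
    for name in path:
        node = next((c for c in node if _local(c.tag) == name), None)
        if node is None:
            return None
    return (node.text or "").strip()


def profile_aad_settings(xml_text):
    """Return the audience (application ID) and tenant ID the profile tells the client to use."""
    root = ET.fromstring(xml_text)
    audience = _find_text(root, "clientauth", "aad", "audience")
    tenant_url = _find_text(root, "clientauth", "aad", "tenant") or ""
    tenant_id = tenant_url.rstrip("/").rsplit("/", 1)[-1] or None
    return {"audience": audience, "tenant_id": tenant_id}


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def token_claims(jwt):
    """Decode the payload of a compact JWT for inspection only; the signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audit(xml_text, jwt, expected_app_id):
    """Report whether the profile and the issued token both target expected_app_id."""
    profile = profile_aad_settings(xml_text)
    claims = token_claims(jwt)
    aud = claims.get("aud", "")
    if isinstance(aud, list):          # aud may be a list; take the first entry
        aud = aud[0] if aud else ""
    # Entra may issue the audience as the bare app ID or as api://<app id>; normalise both.
    token_app_id = aud[len("api://"):] if aud.startswith("api://") else aud
    return {
        "profile_audience": profile["audience"],
        "token_audience": token_app_id,
        "profile_audience_ok": profile["audience"] == expected_app_id,
        "token_audience_ok": token_app_id == expected_app_id,
        "tenant_ok": claims.get("tid") == profile["tenant_id"],
        "user": claims.get("preferred_username") or claims.get("upn"),
    }


def make_unsigned_sample_token(claims):
    """Build a syntactically valid, unsigned JWT so the decoder can be exercised offline (constructed data)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    expected = "11111111-1111-1111-1111-111111111111"
    # A token minted for a different audience is how a client still using the old
    # Enterprise Application would show up in the VPN client logs.
    stale = make_unsigned_sample_token({
        "aud": "22222222-2222-2222-2222-222222222222",
        "tid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
        "preferred_username": "dev.user@example.com",
    })
    print(json.dumps(audit(SAMPLE_PROFILE, stale, expected), indent=2))
```

A mismatch between `profile_audience` and `token_audience` means the client is still running an old profile, which is why the answer asks for the profile to be regenerated and redistributed. A matching audience does not by itself prove that unassigned users are blocked: that is governed by the service principal's `appRoleAssignmentRequired` property (the "User assignment required?" toggle in the portal), which has to be set to true on the Enterprise Application that belongs to the new app registration, not on the original "Azure VPN" one.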
