Enable multifactor authentication (MFA) for P2S VPN - Microsoft Entra ID authentication
If you want users to be prompted for a second factor of authentication before granting access, you can configure Microsoft Entra multifactor authentication (MFA). You can configure MFA on a per user basis, or you can leverage MFA via Conditional Access.
- MFA per user can be enabled at no additional cost. When you enable MFA per user, the user is prompted for second-factor authentication against all applications tied to the Microsoft Entra tenant. See Option 1 for steps.
- Conditional Access allows for finer-grained control over when a second factor should be prompted. It can assign MFA to only the VPN and exclude other applications tied to the Microsoft Entra tenant. See Option 2 for configuration steps. For more information about Conditional Access, see What is Conditional Access?
Enable authentication
- Navigate to Microsoft Entra ID -> Enterprise applications -> All applications.
- On the Enterprise applications - All applications page, select Azure VPN.
Configure sign-in settings
On the Azure VPN - Properties page, configure sign-in settings.
- Set Enabled for users to sign-in? to Yes. This setting allows all users in the Microsoft Entra tenant to connect to the VPN successfully.
- Set User assignment required? to Yes if you want to limit sign-in to only users that have permissions to the Azure VPN.
- Save your changes.
Option 1 - Per User access
Open the MFA page
- Sign in to the Azure portal.
- Navigate to Microsoft Entra ID -> Users.
- On the Users - All users page, select Per-user MFA to open the Per-user multifactor authentication page.
Select users
- On the Per-user multifactor authentication page, select the user(s) for whom you want to enable MFA.
- Select Enable MFA.
Option 2 - Conditional Access
The recommended way to enable and use Microsoft Entra multifactor authentication is with Conditional Access policies. For granular configuration steps, see the tutorial: Require multifactor authentication.
Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
Browse to Protection > Security Center > Conditional Access, select + New policy, and then select Create new policy.
On the New pane, enter a name for the policy, such as VPN Policy.
Complete the following fields:
- What does this policy apply to? Set to Users and groups.
- Assignments: Specific users included.
- Include: Select users and groups. Select the checkbox for Users and groups.
- Select: Select at least one user or group. On the Select page, browse for and select the Microsoft Entra user or group to which you want this policy to apply. For example, VPN Users, then choose Select.
Next, configure conditions for multifactor authentication. In the following steps, you configure the Azure VPN Client app to require multifactor authentication when a user signs in. For more information, see Configure the conditions.
Select the current value under Cloud apps or actions, and then under Select what this policy applies to, verify that Cloud apps is selected.
Under Include, choose Select resources. Since no apps are yet selected, the list of apps opens automatically.
In the Select pane, select the Azure VPN Client app, then choose Select.
Next, configure the access controls to require multifactor authentication during a sign-in event.
Under Access controls, select Grant, and then select Grant access.
Select Require multifactor authentication.
For multiple controls, select Require all the selected controls.
Now, activate the policy.
Under Enable policy, select On.
To apply the Conditional Access policy, select Create.
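The same policy that Option 2 builds in the portal can be created and audited through the Microsoft Graph conditionalAccess API. The following is an added example, not code from the original page or from Microsoft: it assembles the Graph request body for the policy (one group, the Azure VPN Client app only, grant access with MFA required, policy On) and checks a tenant's policy list for an enabled policy that actually enforces MFA on that app, treating report-only and disabled policies as non-enforcing. The group ID and the Azure VPN application ID are placeholders; read the real application ID from the Azure VPN enterprise application's properties.

```python
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Placeholder IDs (assumed, not from the page): the object ID of the "VPN Users"
# group and the application ID shown on the Azure VPN enterprise application.
VPN_USERS_GROUP_ID = "00000000-0000-0000-0000-000000000001"
AZURE_VPN_APP_ID = "00000000-0000-0000-0000-0000000000aa"


def build_vpn_mfa_policy(group_id, vpn_app_id, name="VPN Policy", enabled=True):
    """Graph request body for the Option 2 policy: one group, Azure VPN app only,
    grant access with 'Require multifactor authentication', Enable policy = On."""
    return {
        "displayName": name,
        "state": "enabled" if enabled else "disabled",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": [vpn_app_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def vpn_mfa_enforced(policies, vpn_app_id):
    """Audit: is there an *enabled* policy that covers the VPN app (or All apps)
    and requires MFA? Report-only and disabled policies enforce nothing."""
    for p in policies:
        if p.get("state") != "enabled":
            continue
        apps = p.get("conditions", {}).get("applications", {}).get("includeApplications", [])
        if vpn_app_id not in apps and "All" not in apps:
            continue
        if "mfa" in (p.get("grantControls") or {}).get("builtInControls", []):
            return True
    return False


def create_policy(access_token, body):
    """POST the policy to Graph (caller needs Policy.ReadWrite.ConditionalAccess)."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Run `vpn_mfa_enforced` over the result of a GET on the same endpoint to confirm the policy is enforcing rather than sitting in report-only mode.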
Next steps
To connect to your virtual network, you must create and configure a VPN client profile. See Create a P2S User VPN connection using Azure Virtual WAN - Microsoft Entra authentication.