Azure Point-to-Site VPN with Azure AD Authentication and MFA

Captions
In this video I show you how to configure a point-to-site VPN connection to Azure with Azure AD and multi-factor authentication.

Hello everyone. A couple weeks ago I did a video going over the basics of Azure point-to-site VPNs and then created a VPN connection on a Basic gateway with certificate-based authentication. Check it out if you need an overview of Azure point-to-site VPNs. A Basic gateway is what I use in my lab because I use Windows clients and because it's cheap, but managing certificates for client access is not always practical. In this video I walk through setting up a point-to-site VPN tunnel using Azure AD and multi-factor authentication to authenticate the client. Before that, please take a second to subscribe, like, share and click the bell icon to get notifications of new content. You wouldn't want to miss new content, would you?

Just a quick overview before we get started. Again, if you need the basics of Azure point-to-site connections, check out my other video; I'll include a link below. In this video I deploy a standard VPN gateway. Azure AD authentication for point-to-site VPN requires the OpenVPN protocol, and that's not an option with the Basic gateway. Once the gateway is in place we can create the point-to-site VPN with Azure AD authentication. We have three options available for authentication: I did certificate in the last video, and I don't plan on doing a video on RADIUS. Using Azure AD authentication also provides the ability to enforce MFA for VPN connections, as well as targeting users who can log in based on group membership. This makes managing who can access the VPN much simpler and much more secure. Let's dig in.

This demo starts with a working VNet in place. We're going to deploy the gateway, give admin consent to the VPN application, create a point-to-site connection, configure the client, enable MFA with a Conditional Access policy and restrict the VPN connection to a group.

Here I am starting out at the Azure portal and I need to create a gateway, so the first thing I'm going to do is create a resource and type in "vnet gateway". Here it is, Virtual network gateway, and I'll create it. I'll leave my subscription as it is. I'll give it a name; I'll call this West-gw1. The virtual network I'm using is in the West region, so I'm gonna select West. These do have to be in the same region. There it is, West US. I'll leave it Route-based. For the SKU I'm gonna leave it as VpnGw1, and I'll just leave it as Generation1. Then I'll select my virtual network, West-vnet. Here it's asking for a subnet address range. I could leave this as is and it will work fine, but I'm gonna change this. I want to put the gateway in a subnet that's not part of my consecutive subnets, so I'm just gonna change it to 254.0. I don't need the entire /24 range; I'm just gonna set it to a /27. That will give me 32 addresses. I'll create a new public IP address and I'll give it the IP address name of, let's go, West-gw1-ip. I'll leave the last two items as Disabled and I'll click Next: Tags. I'm gonna leave tags blank for now, and then I'll go to Review + create and I'll select Create. Deploying VNet gateways can take up to 45 minutes, so I'm gonna pause the video here and I'll be back once it's done.

The deployment has completed. Now the next step is to give admin consent to the app. Giving admin consent is going to create the application in Azure AD; this only needs to be done once in the Azure AD tenant. So I'm gonna go over to another window. There's a URL we need to go to to give admin consent; check below for any of the links I use in this demo. Log in with an admin account sourced from Azure AD. Once you log in it'll ask you to accept the permissions; just click Accept and that should do it. I already did this, so I'm going to close this out. If we now go into Azure Active Directory and go to Enterprise applications, you can see right here I have Azure VPN. We'll come back to this shortly. Before we move on we need to get the tenant ID from Azure Active Directory, so let's go back to Azure Active Directory and go into Properties. Next we'll grab this tenant ID; I'm just going to copy it to the clipboard. I'm gonna paste that into a Notepad on another screen; we need to come back to this in a couple minutes.

Now that we have the tenant ID, let's go set up the connection. We do that by going into our virtual networks. We'll go to the VNet we just created the gateway on and select the gateway we just created, and we'll go to User VPN configuration. You go to Configure now. I'll add the address pool; this is the pool of IP addresses that the clients are gonna get when they connect. I'll give it a 172 address. It really doesn't matter what address range you use for this, as long as you have sufficient IP addresses for the number of clients connecting and this address space doesn't overlap with any address spaces used in Azure or on-premises. In my previous video we used a Basic VNet gateway and I didn't have a tunnel type option; here I do, and that's because we're using a standard VNet gateway this time, so you can see I have different options. I'm going to leave it as OpenVPN, and I'm gonna change the authentication type to Azure Active Directory. Here's where we need that tenant ID. Notice it's giving the example here: it's not just the tenant ID but a whole link for it, so I'm going to copy this and add my tenant ID. Next is Audience; this is the same for everybody. I'll include this on my blog and include a link to where I got this information from. The Issuer is another URL with the tenant ID at the end. Once that's in place, click Save and we'll give it a minute to finish. That finished saving.

Let's configure the client next. We start by going to Download VPN client. Once that's finished downloading, we'll install the VPN client. The Azure VPN Client is available at the Microsoft Store; I just did a Google search for "Azure VPN Client". I'll go to Get. It'll open up the store; while I'm in the store I'll go to Install. That finished installing. Next let's go to the Downloads folder and unzip that configuration file we downloaded. Here it is; I'm just going to right-click and Extract All. Here's the extracted folder: we have a Generic version of the config file and an AzureVPN version. Next let's configure the client. I'm going to open the Azure VPN Client, go to Add a connection, and I'm going to Import. From here I'll go to the folder we extracted the config files to, go into AzureVPN and select azurevpnconfig.xml, and everything we need is all set, so I'll Save. Let's give it a try. I'm gonna go to Connect and I'll sign in with an Azure AD user. I'm just gonna uncheck this and then click "No, sign in to this app only". There it is, I'm connected. I have a VPN IP address of 172.16.254.2. I'll disconnect. Great, so far everything's working as expected.

Next let's set up MFA. Here we are back at the Azure portal and we're gonna set up MFA. The first thing we have to do is go to Azure Active Directory, go to Enterprise applications and find that Azure VPN app. We go back to it, and over here on the left you can see it under Security: Conditional Access. So let's click that and we'll create a new policy. I'm going to give it a name; I'll just call this VPN MFA. Here I can set users and groups; I'm going to set it to All users. Under Cloud apps or actions we already have Azure VPN selected. Then we go to Grant and select Require multi-factor authentication. If you did want to set other controls you could select them here, but I'm just working with MFA, and Require all the selected controls. I'll click Select. The last thing I have to change is to enable the policy. If you just want to see what happens you can leave it as Report-only and come back and see when that condition's met, but I'm going to turn it On and I'll Create. Now that condition's enabled, and if I come back I'm going to reconnect. I'll use the same account. It's asking me for more information; this is the onboarding process for MFA, so I'll click Next, and I'm going to use the Authenticator app, so I'll click Next. We'll walk through the wizard to set up my account. I just scan that QR code with the Authenticator app. For those of you who haven't used Azure AD MFA, the Authenticator app is just a smartphone app you can download and install. Now my app is asking me to approve the login, and there we go, I'm onboarded for MFA. I'm not going to select that because I'm logging in with different accounts. Here I am, now I'm connected again, and I'm going to disconnect.

I'm logging in with user 1, and currently any user can log in, but I want to set some restriction on that so only a group of users can log in. So I'm going to restrict the VPN connections to a group. I'll go back to that enterprise application and go to Properties and change User assignment required from No to Yes and click Save. Next I'll go to Users and groups and I'll click Add user. I've got a group called VPN users; I'm going to select that and Assign. Now before I try to log in again I'm going to go to Configure and clear the saved account and connect; that way I have to log in again, and I'll get the Authenticator prompt because MFA is required. I approve the request on the Authenticator, and now I'm getting a message that something went wrong. We go back to the portal and go into VPN users, and let's look at Members. I only have one member in there, Test 2 (user 2), and I tried signing in with Test 1 (user 1), which are kind of confusing names, but it's what I came up with at the time. So I'm going to try to connect again. Again, I'm gonna go to Configure and clear saved accounts (that just gets rid of any cached account credentials that I have set up) and I'll Save. I'm gonna connect again; this time I'm going to use Test 2 (user 2), and now I have to onboard again because MFA is enabled. I'll just walk through the process and come right back. OK, so I'm done, and I'll just uncheck that, and now I'm connected. So that's working exactly as expected.

Let's see, what did we go over? Well, we went over deploying the gateway. We granted admin consent; that created the enterprise application in Azure AD. We created the point-to-site connection, then we configured the client and tested the login. After that we enabled multi-factor authentication with a Conditional Access policy. There is one other thing I want to go over quickly before I end this: I used a Conditional Access policy to enforce MFA. You can only use a Conditional Access policy if you have Azure AD Premium P1 or above. I assume that most people, especially anybody with enterprises who are looking at this, probably have P1 licensing in place. If you don't, I'm gonna show you how to enable it per user. We can go over to Azure Active Directory, Users; under All users (Preview) you can go to Multi-Factor Authentication. This is going to open up another window. Here I can search and I can find my user. I can enable MFA on that user if I want to enforce MFA, or I can manage user settings. So here we can require selected users to provide contact methods again, delete all existing app passwords generated by the selected users, or restore multi-factor authentication on all remembered devices. So that's the process of enabling MFA per user. It's not as flexible as Conditional Access, but that's why Conditional Access comes at a premium. That is it for the demo. I hope you found this helpful. Don't forget to subscribe and like if you enjoyed it. Thanks for watching.
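The portal steps the video walks through, as an added PowerShell example (Az and AzureAD modules). This is not code from the video or from Travis Roberts; it assumes a resource group named West-rg (the video never names one), the gateway name West-gw1 and group name "VPN users" from the video, a tenant ID you paste in from Azure AD > Properties, and that the admin-consent step has already created the Azure VPN enterprise application in the tenant. The audience value is Microsoft's published Azure VPN application ID for the Azure public cloud; confirm it against the current documentation before relying on it.

```powershell
# Added example, not from the video. Assumed names: resource group 'West-rg',
# gateway 'West-gw1', Azure AD group 'VPN users'. Replace <tenant-id>.
$rg       = 'West-rg'
$gwName   = 'West-gw1'
$tenantId = '<tenant-id>'            # Azure AD > Properties > Tenant ID
# Published Azure VPN enterprise app ID for the Azure public cloud (the "audience").
$azureVpnAppId = '41b23e61-6c1e-4545-b367-cd054e0ed4b4'

Connect-AzAccount -TenantId $tenantId | Out-Null

# --- 1. Point-to-site configuration: OpenVPN + Azure AD authentication ---------
$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
if ($gw.Sku.Name -eq 'Basic') {
    # Same constraint the video calls out: Azure AD auth needs OpenVPN, which Basic lacks.
    throw "Gateway '$gwName' is Basic SKU; Azure AD authentication requires VpnGw1 or higher."
}
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool  '172.16.254.0/24' `      # must not overlap Azure or on-prem ranges
    -VpnClientProtocol     OpenVPN `
    -VpnAuthenticationType AAD `
    -AadTenantUri  "https://login.microsoftonline.com/$tenantId/" `
    -AadAudienceId $azureVpnAppId `
    -AadIssuerUri  "https://sts.windows.net/$tenantId/" | Out-Null
# The client profile zip (containing AzureVPN\azurevpnconfig.xml) is then downloaded
# from the gateway's "User VPN configuration" blade, as in the video.

# --- 2. Restrict sign-in to one group: require assignment on the enterprise app ---
Connect-AzureAD -TenantId $tenantId | Out-Null
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$azureVpnAppId'"
if (-not $sp) {
    throw 'Azure VPN enterprise application not found; grant admin consent first.'
}
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true
$group = Get-AzureADGroup -Filter "displayName eq 'VPN users'"
if (-not $group) { throw "Group 'VPN users' not found." }
# Default-access role (empty GUID): the Azure VPN app defines no app roles of its own.
New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId `
    -ResourceId $sp.ObjectId -Id ([Guid]::Empty) | Out-Null

# --- 3. Conditional Access: require MFA for the Azure VPN app (Azure AD Premium P1) ---
$conditions = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = $azureVpnAppId   # scope to the VPN app only
$conditions.Users = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = 'All'
$grant = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$grant._Operator       = 'OR'
$grant.BuiltInControls = 'mfa'
# Start in report-only ('enabledForReportingButNotEnforced') to observe, then switch
# to 'enabled' as the video does.
New-AzureADMSConditionalAccessPolicy -DisplayName 'VPN MFA' -State 'enabled' `
    -Conditions $conditions -GrantControls $grant
```

Run the three sections in order; the group assignment fails until the admin-consent step has created the service principal, which is the same dependency the video shows. Scoping the policy to the Azure VPN app ID rather than to all cloud apps keeps the MFA requirement targeted, and the AppRoleAssignmentRequired flag is what turns the "something went wrong" sign-in failure for non-members into an intentional access control. The AzureAD module used in section 2 and 3 was current when the video was published and has since been deprecated in favour of the Microsoft Graph PowerShell SDK; the portal steps themselves are unchanged.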
Info
Channel: Travis Roberts
Views: 14,589
Rating: 4.9631901 out of 5
Id: Ur0WNjnXJrU
Length: 14min 54sec (894 seconds)
Published: Sun Jun 21 2020