This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 57.99999999999999%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
Hi all, I'm trying to model a VPN connection to VNets/VMs in Azure using the MS Threat Modeling Tool and Azure Template
The template has a stencil for MFA, but I have no idea how to connect it in the diagram.
I've tried hooking MFA inline before/after the VPN and just having it hang out in the same trust boundary has the VPN but I always get a threat notification in the report about enabling MFA on the VPN connection.
How do I add MFA to a VPN in the threat model?
Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 36%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
In general, you can only use Azure MFA with Point to Site VPN and not a regular Azure Site to Site VPN. Can you explain the idea behind this design in the threat model?
Sorry I should have clarified this is a Point to Site VPN.
Here's a screen shot from the tool with my very basic example as a first step. No matter what I do with the MFA node I still get warning in the report about enabling MFA on the VPN.
We have a team who need to access various Azure resources (Windows file server, Linux software license server, compute cluster) securely from home workstations. Due to new restrictions on our subscription we will no longer be allowed to use public endpoints connected directly to resources so exploring VPN connections.
With P2S VPN, there are 3 types of user authentication which are,
MFA is not used by itself but can be used along with AD by the end user for authentication. Please try to use Azure AD instead of MFA and see if that works out. Thank you!
Please let us know if you have any further questions/concerns regarding this issue and we will be happy to answer you. Otherwise, we will go ahead and close this thread.
Thank you!
Thanks, I guess the main issue is I can't find any documentation or examples on how to actually implement any of the templates from here: https://github.com/AzureArchitecture/threat-model-templates
I've tried adding a Azure AD node to the graph but still get the same issue in the report about MFA.
Please allow me sometime, let me try to find more information on this. I will update you soon. Thank you!
Can you share the exact error that you are getting? Thank you!
Please let me know if you still need further assistance regarding this issue. Thank you!