MFA for P2S Azure VPN

michal 191 Reputation points
2020-11-18T21:45:48.877+00:00

Hello,

I'm trying to find out some info about MFA for accessing Azure P2S VPN.

I am trying to set up a P2S VPN. I have already configured everything with regard to the P2S VPN, downloaded the Azure VPN client, etc. Authentication is Azure Active Directory. Now, all users already have MFA enforced in O365, and AZ AD has this O365 Free licence. I'm not sure whether this licence is enough for enabling MFA when connecting to the P2S Azure VPN. Today, I tried to connect to Azure via P2S VPN and it asked me for a CODE that was sent to my phone (and received with no issue). However, when I disconnected and tried to connect again, it did not ask me for the CODE sent to my phone again - it did not even ask for username/password.

  • Is this the way it should work? Shouldn't I get a CODE to my phone every time I want to connect to the VPN?
  • I've found a guide about enabling MFA for Azure P2S VPN by creating a "Conditional Access" policy for Azure VPN in Enterprise Applications in AZ AD. When I follow that guide, I can't complete it, as it asks me to upgrade the AZ AD licence to Premium when in the Conditional Access section.

I'm a bit confused now... whether the MFA is actually working for me or not :)

Tags: Azure VPN Gateway, Microsoft Entra ID

Accepted answer
  SaiKishor-MSFT 17,236 Reputation points
    2020-11-19T23:32:10.407+00:00

    @michal

    Answering your questions here-

    • Is this the way it should work? Shouldn't I get CODE to my phone every time I want to connect to the VPN?

    The Azure AD default configuration for user sign-in frequency is a rolling window of 90 days. If you would like to change it, here are some recommendations given for the same in this document.

    • I've found a guide about enabling MFA for Azure P2S VPN by creating a "Conditional Access" policy for Azure VPN in Enterprise Applications in AZ AD. When I follow that guide, I can't complete it, as it asks me to upgrade the AZ AD licence to Premium when in the Conditional Access section.

    As you mentioned, using Conditional Access does require an additional Azure AD Premium P1 license, as given in the document.

    Hope this helps. If you need any further assistance regarding this issue, please feel free to add to this issue and we will be glad to assist. Thank you and have a good day!

    Remember:

    • Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
    • Want a reminder to come back and check responses? Here is how to subscribe to a notification.
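The accepted answer points at two separate knobs: the Conditional Access policy that requires MFA for the Azure VPN enterprise application, and the sign-in frequency session control that overrides the default rolling 90-day window so a reconnect is re-prompted. The following script is an added example, not code from the thread or from Microsoft; it builds the Microsoft Graph request body for such a policy (the `/identity/conditionalAccess/policies` endpoint and the `signInFrequency` control are real Graph features), checks that the body actually carries both controls, and shows how it would be posted. It assumes Azure AD Premium P1 licensing (as the answer states, Conditional Access needs it), a token holding `Policy.ReadWrite.ConditionalAccess`, and a placeholder `VPN_APP_ID` that you replace with the application id of the "Azure VPN" enterprise app in your own tenant.

```python
"""Build and sanity-check a Conditional Access policy that requires MFA for the
Azure VPN enterprise app and shortens the sign-in frequency for that app only.

Added example (not from the thread). Assumptions:
  * Azure AD Premium P1 is licensed (Conditional Access requirement).
  * VPN_APP_ID is a placeholder for the Azure VPN enterprise app id in your tenant.
  * create_policy() needs a Graph token with Policy.ReadWrite.ConditionalAccess;
    it is not called when the script runs stand-alone.
"""
import json
import urllib.request

GRAPH_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Placeholder: replace with the application id of the "Azure VPN" enterprise app.
VPN_APP_ID = "<azure-vpn-enterprise-app-id>"

# Units the Graph signInFrequency session control accepts.
ALLOWED_SIGNIN_FREQUENCY_TYPES = {"days", "hours"}


def build_vpn_mfa_policy(app_id=VPN_APP_ID, frequency_value=1, frequency_type="hours",
                         display_name="Require MFA for Azure P2S VPN", report_only=True):
    """Return the Graph request body for the policy.

    report_only=True creates it in report-only state, so the sign-in logs show
    what the policy would do before any user is actually blocked.
    """
    if frequency_type not in ALLOWED_SIGNIN_FREQUENCY_TYPES:
        raise ValueError(f"frequency_type must be one of {sorted(ALLOWED_SIGNIN_FREQUENCY_TYPES)}")
    if frequency_value < 1:
        raise ValueError("frequency_value must be >= 1")
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            # Scope to the VPN app only; a tenant-wide policy would also hit portal sign-ins.
            "applications": {"includeApplications": [app_id]},
            "users": {"includeUsers": ["All"]},
            "clientAppTypes": ["all"],
        },
        # Grant access only after MFA.
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {
            # Overrides the default rolling 90-day sign-in window for this app.
            "signInFrequency": {
                "isEnabled": True,
                "type": frequency_type,
                "value": frequency_value,
            }
        },
    }


def validate_policy(policy):
    """Return a list of problems; an empty list means both controls are present."""
    problems = []
    if "mfa" not in policy.get("grantControls", {}).get("builtInControls", []):
        problems.append("MFA is not required")
    sif = policy.get("sessionControls", {}).get("signInFrequency", {})
    if not sif.get("isEnabled"):
        problems.append("sign-in frequency not enabled (default 90-day window applies)")
    elif sif.get("type") not in ALLOWED_SIGNIN_FREQUENCY_TYPES or sif.get("value", 0) < 1:
        problems.append("sign-in frequency has an invalid unit or value")
    apps = policy.get("conditions", {}).get("applications", {}).get("includeApplications", [])
    if not apps or apps == ["All"]:
        problems.append("policy is not scoped to the VPN application")
    return problems


def create_policy(policy, access_token):
    """POST the policy to Graph. Requires Policy.ReadWrite.ConditionalAccess."""
    req = urllib.request.Request(
        GRAPH_POLICIES_URL,
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policy = build_vpn_mfa_policy()
    print(json.dumps(policy, indent=2))
    print("problems:", validate_policy(policy) or "none")
```

Run it as-is to print the body and confirm `validate_policy` reports no problems; only call `create_policy` once the app id placeholder is replaced and you are happy with the report-only results in the sign-in logs. Without Premium P1 the POST is rejected, which is the licensing wall the question describes.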

1 additional answer

  michal 191 Reputation points
    2020-11-20T11:34:21.213+00:00

    @FJcmdk4488
    yes... I used the same laptop... and it was within 10 minutes... Here is the story:

    • I did set up that P2S VPN a few weeks ago and tested it. At that time, I did not have MFA enforced on my account in O365 Admin.
    • Yesterday, I returned to this and tested the connection again. This time, I already had MFA enforced via O365 Admin, as I had enforced it a few days ago to increase security. Now, it asked me for a verification CODE... When I tried to connect the 2nd time, I was connected via asking a CODE again. Used the same laptop within 10 minutes. Didn't check the VPN GW for the connection, but I was definitely connected, as I could reach the VM in Azure.

    @SaiKishor-MSFT
    I've just got confused, as a guy tried to convince me that if I want to use MFA for P2S VPN to Azure, I have to have AZ AD Premium - I'm not very experienced in this yet. But if I understand you correctly, it will also work with the O365 licence when I have MFA enforced for users in O365 Admin? Just want to be clear on this to avoid spending money on PREMIUM AD if not required. This is the only "extra" feature I need. Not asking for the code during my 2nd access seems to be clear now when considering sign-in frequency.

    To sum it up - to connect to Azure P2S VPN with AZAD + MFA authentication works with MFA enforced in O365 Admin even without AZAD Premium licence.... Do I get it right? :)
