
RhysLwk
Copper Contributor
Apr 09, 2020

Create site-to-site VPN to Azure Active Directory

Hi All,

      My client is currently an Office 365 E3 customer. They would like to use their Office 365 credentials to log in to their workstations as Azure AD joined devices. But their requirement is that their staff are not allowed direct internet access at all, and may only reach the services through an established VPN tunnel, for security reasons.

      In this case, can I build a site-to-site VPN tunnel from a router to connect to the Azure Active Directory that comes with Office 365?

      Staying Healthy!

    JonasBack
    Steel Contributor
    What you should design for is the "Zero Trust Security Model". Only allow access to the customer's Office 365 if the device is Azure AD joined and Intune compliant and the user passes MFA, using Azure AD Conditional Access. Doesn't get more secure than that - VPN is old legacy technology 🙂 Not possible to do what you ask for.

    You’d need a Microsoft 365 license for this though.
    Thijs Lecomte
    Bronze Contributor
    You are trying to authenticate computers that cannot go to the internet to a cloud service 🙂
    It's not possible.

    You could set up Azure Active Directory Domain Services and do a VPN there.
    But for air gapped environments, I would advise to continue to use an on-prem AD.

    AAD just doesn't make sense here.
    Moe_Kinani
    Bronze Contributor
    Use conditional access to allow access from trusted locations only.

    Agree with what was mentioned above, not possible!

    Thanks!
    Mahmood
  • Hello RhysLwk!

    The best way to secure authentication with Azure AD is to:

    • Configure Trusted locations
    • Set up Conditional Access policies
    • Set up Compliance policies for your Azure AD Joined computers
    • Activate MFA

    A combination of the above features will make your environment very well protected and secure if configured correctly.

    Sadly, VPN is old technology and, from my knowledge, it's not possible to set up a VPN to Azure AD (maybe Azure ADDS).

    If your environment still believes that the above solutions are not secure enough, then I would suggest keeping on-prem ADDS, and perhaps ADFS, to manage authentication and SSO towards O365 and other SaaS applications.

    Let me know if you need further advice.

    Kind Regards
    Oliwer Sjöberg
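The Conditional Access design the replies above describe (a trusted named location for the office egress range, block Office 365 from everywhere else, and require an Intune-compliant device plus MFA) expressed with the Microsoft Graph PowerShell SDK. This is an added example, not code from any of the posters; the cmdlets New-MgIdentityConditionalAccessNamedLocation and New-MgIdentityConditionalAccessPolicy are real, while the office CIDR, the policy names and the break-glass account object ID are placeholders you must replace. Both policies are created in report-only state so sign-in logs can be reviewed before enforcement.

```powershell
# Added example (not from the thread). Assumes Microsoft.Graph is installed and the
# caller holds Conditional Access administration rights. Every policy that targets
# "All" users excludes a break-glass account; without that exclusion a mistake in the
# block policy can lock every administrator out of the tenant.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$OfficeCidr   = "203.0.113.0/24"                        # placeholder: the site's public egress range
$BreakGlassId = "00000000-0000-0000-0000-000000000000"  # placeholder: object ID of the emergency admin

# 1. Trusted named location covering the office egress IP range.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "HQ office egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $OfficeCidr }
    )
}
Write-Host "Created named location $($location.Id)"

# 2. Block Office 365 from every location that is not marked trusted.
#    "Office365" is the built-in application group for the Office 365 service set.
$blockPolicy = @{
    displayName = "CA001 - Block Office 365 outside trusted locations"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after reviewing report-only results
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockPolicy | Out-Null

# 3. Even from trusted locations, require a compliant device AND MFA (operator AND, not OR).
#    Covering "all" client app types means legacy authentication clients, which cannot
#    satisfy either control, are refused as well.
$grantPolicy = @{
    displayName = "CA002 - Office 365 requires compliant device and MFA"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $grantPolicy | Out-Null

# 4. Confirm what was created and in which state.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object DisplayName -like "CA00*" |
    Select-Object DisplayName, State, Id
```

Leave both policies in report-only mode for a few days and check the sign-in logs for users who would have been blocked; the compliant-device control in CA002 only works if the workstations are actually enrolled in Intune and reporting compliant, so enrol the devices before switching the state to "enabled".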
