Forum Discussion

cmiarshvac
Brass Contributor
Jan 19, 2026

How Do I Target the Azure VPN Client in a Conditional Access Policy?

I am using the Azure VPN Client to connect users to an Azure VPN Gateway using their Entra ID credentials to authenticate. I want to target this application with a CA policy that requires MFA every time it connects. The problem is that I don't see the application in my Enterprise Apps, and all of my searching says that it won't appear because it was "pre-certified" by Microsoft. In the Gateway setup I used the Audience GUID of c632b3df-fb67-4d84-bdcf-b95ad541b5c8.

And this is working as expected.  The only solution that I have found for targeting the Azure VPN Client app is to create a Service Principal using that Audience GUID.  This seems like a bit of a hack, so I am posting here to see if there are any other methods that I am missing to target this app when it doesn't appear in my Enterprise Apps list.


3 Replies

  • The Azure VPN Client application is pre-registered by Microsoft and, as a result, does not appear in the Enterprise Applications list. To enforce Conditional Access (CA) policies, you must either reference the appropriate Audience GUID (for example, c632b3df-fb67-4d84-bdcf-b95ad541b5c8) or migrate to the Microsoft-registered Azure VPN Client, which provides its own supported Audience values. This behavior is documented by Microsoft, along with guidance on how to configure or migrate the Audience to ensure proper targeting with Conditional Access.


    Migrate manually registered Azure VPN client to Microsoft-registered for P2S Microsoft Entra ID authentication - Azure VPN Gateway | Microsoft Learn


    Migrate a manually registered Azure VPN client to Microsoft-registered for P2S Microsoft Entra ID authentication - Azure Virtual WAN | Microsoft Learn

    • cmiarshvac
      Brass Contributor

      Both articles explain the difference between Microsoft-registered and manually registered apps. My question is still: how do I target the Microsoft-registered app in a conditional access policy? When I attempt to create a policy, I can't find the Azure VPN Client resource as an option. If I search for "Azure VPN" in All Apps, I get no results.


      • NegativeProto
        Copper Contributor

        I am facing the same problem. From what I found, it's "by design" that there is no enterprise app exposed. I found this article yesterday about setting a custom audience value. You create a custom enterprise app and, in the "Expose an API" section, you put in the Microsoft audience value. I was so hopeful this was the way, and after changing the audience value in the VPN gateway setup to the custom value and adding the custom enterprise app to my CA policy, I was prompted for MFA.

        https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-entra-register-custom-app
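Putting the thread's workaround into a script, as an added example that is not part of this thread or of Microsoft's documentation: it creates a service principal for the Azure VPN Client audience GUID quoted in the question (if the tenant does not already have one) and then builds a report-only Conditional Access policy that targets that app ID, requires MFA, and sets sign-in frequency to every time. It assumes the Microsoft Graph PowerShell SDK, an admin with the Application.ReadWrite.All and Policy.ReadWrite.ConditionalAccess scopes, and a placeholder object ID for an emergency-access group.

```powershell
# Added example, not from the thread: target the Azure VPN Client audience in a CA policy
# with the Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module is installed.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"

# Audience (application) ID of the Microsoft-registered Azure VPN Client, as quoted in the post.
$vpnAppId = "c632b3df-fb67-4d84-bdcf-b95ad541b5c8"

# The app is Microsoft-owned, so the tenant has no service principal for it until one is created.
# This is the "create a Service Principal using the Audience GUID" step from the question;
# once it exists, the app can be selected when building the CA policy.
$sp = Get-MgServicePrincipal -Filter "appId eq '$vpnAppId'"
if (-not $sp) {
    $sp = New-MgServicePrincipal -AppId $vpnAppId
}

# Placeholder: object ID of an emergency-access (break-glass) group to exclude from the policy.
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"

$policy = @{
    displayName = "Require MFA for Azure VPN Client"
    # Start in report-only so sign-in logs show the impact before switching to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications = @{
            includeApplications = @($vpnAppId)     # target by app ID, not by display name
        }
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        # "MFA every time it connects": do not honour a cached session for this app.
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = "everyTime"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

After a test connection with the Azure VPN Client, the Entra sign-in log entry for that user should list the policy under Conditional Access with a result of "Report-only: Failure" or "Report-only: Success"; only then switch `state` to `enabled`.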