Forum Discussion
How Do I Target the Azure VPN Client in a Conditional Access Policy?
The Azure VPN Client application is pre-registered by Microsoft and, as a result, does not appear in the Enterprise Applications list. To enforce Conditional Access (CA) policies, you must either reference the appropriate Audience GUID (for example, c632b3df-fb67-4d84-bdcf-b95ad541b5c8) or migrate to the Microsoft-registered Azure VPN Client, which provides its own supported Audience values. This behavior is documented by Microsoft, along with guidance on how to configure or migrate the Audience to ensure proper targeting with Conditional Access.
- cmiarshvac, Jan 20, 2026, Brass Contributor
Both articles explain the difference between Microsoft-Registered and manually registered apps. My question is still about how to target the Microsoft-Registered app in a conditional access policy. When I attempt to create a policy, I can't find the Azure VPN Client resource as an option. If I enter "Azure VPN" to search in All Apps, there are no results.
- NegativeProto, Jan 22, 2026, Copper Contributor
I am facing the same problem. From what I found, it's "by design" that there is not an enterprise app exposed. I found this article yesterday about setting a custom audience value. You create a custom enterprise app and in the "Expose an API" section you put in the Microsoft audience value. I was so hopeful this was the way, and after changing the audience value in the VPN gateway setup to the custom value and adding the custom enterprise app to my CA policy, I was prompted for MFA.
https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-entra-register-custom-app