Forum Discussion
How Do I Target the Azure VPN Client in a Conditional Access Policy?
Both articles explain the difference between Microsoft-Registered and manually registered apps. My question is still about how I target the Microsoft-Registered app in a conditional access policy. When I attempt to create a policy, I can't find the Azure VPN Client resource as an option. If I enter "Azure VPN" to search in All Apps, there are no results.
I am facing the same problem. From what I found, it's "by design" that there is not an enterprise app exposed. I found this article yesterday about setting a custom audience value. You create a custom enterprise app and in the "Expose an API" section you put in the Microsoft audience value. I was so hopeful this was the way, and after changing the audience value in the VPN gateway setup to the custom value and adding the custom enterprise app to my CA policy, I was prompted for MFA.
https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-entra-register-custom-app