Forum Discussion
How Do I Target the Azure VPN Client in a Conditional Access Policy?
I am using the Azure VPN Client to connect users to an Azure VPN Gateway using their Entra ID credentials to authenticate. I want to target this application with a CA policy that requires MFA every time it connects. The problem is that I don't see the application in my Enterprise Apps and all of my searching says that it won't appear because it was "pre-certified" by Microsoft. In the Gateway setup I used the Audience GUID of c632b3df-fb67-4d84-bdcf-b95ad541b5c8, and this is working as expected. The only solution that I have found for targeting the Azure VPN Client app is to create a Service Principal using that Audience GUID. This seems like a bit of a hack, so I am posting here to see if there are any other methods that I am missing to target this app when it doesn't appear in my Enterprise Apps list.
1 Reply
The Azure VPN Client application is pre-registered by Microsoft and, as a result, does not appear in the Enterprise Applications list. To enforce Conditional Access (CA) policies, you must either reference the appropriate Audience GUID (for example, c632b3df-fb67-4d84-bdcf-b95ad541b5c8) or migrate to the Microsoft-registered Azure VPN Client, which provides its own supported Audience values. This behavior is documented by Microsoft, along with guidance on how to configure or migrate the Audience to ensure proper targeting with Conditional Access.
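
The workaround discussed in this thread, sketched with the Microsoft Graph PowerShell SDK as an added example (not code from either poster or from Microsoft): it creates the service principal for the Audience GUID if the tenant lacks one, then creates a report-only Conditional Access policy that targets it. The group ID parameter, the policy name, and the use of the "every time" sign-in frequency control to express "MFA every time it connects" are assumptions.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph PowerShell module.
param(
    # Assumption: object ID of an Entra ID group that holds the VPN users.
    [Parameter(Mandatory)] [string] $VpnUsersGroupId
)

# Audience GUID quoted in the thread for the Azure VPN Client.
$audienceAppId = 'c632b3df-fb67-4d84-bdcf-b95ad541b5c8'

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Create the service principal only if the tenant does not already have one,
# so the script can be re-run without failing on a duplicate.
$sp = Get-MgServicePrincipal -Filter "appId eq '$audienceAppId'"
if (-not $sp) {
    $sp = New-MgServicePrincipal -AppId $audienceAppId
}
Write-Host "Service principal: $($sp.DisplayName) ($($sp.Id))"

$policy = @{
    displayName = 'Require MFA - Azure VPN Client'    # constructed name
    state       = 'enabledForReportingButNotEnforced' # report-only until validated
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @($audienceAppId) }
        users          = @{ includeGroups = @($VpnUsersGroupId) }
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{
        # Assumption: "every time" sign-in frequency models the asker's requirement.
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = 'everyTime'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in report-only mode"
```

Check the report-only results in the sign-in logs for VPN connections before changing `state` to `enabled`.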