Create site-to-site VPN to Azure Active Directory


Hi All,

My client currently uses Office 365 E3. They would like to use their Office 365 credentials to log in to their workstations, which are Azure AD joined devices. But their requirement is that staff are not allowed direct internet access; they are only allowed to connect to the services through an established VPN tunnel, for security purposes.

In this case, can I build a site-to-site VPN tunnel from a router to connect to the Azure Active Directory that comes with Office 365?

Staying Healthy!

What you should design for is the "Zero Trust Security Model". Only allow access to the customer's Office 365 if the device is Azure AD joined, Intune compliant and MFA is used, enforced with Azure AD Conditional Access. Doesn't get more secure than that - VPN is old legacy technology :) Not possible to do what you ask for.

You'd need a Microsoft 365 license for this though.

You are trying to authenticate computers that cannot go to the internet to a cloud service :)
It's not possible.

You could set up Azure Active Directory Domain Services and do a VPN there.
But for air-gapped environments, I would advise continuing to use an on-prem AD.

AAD just doesn't make sense here.

Use Conditional Access to allow access from trusted locations only.

Agree with what was mentioned above, not possible!

Thanks!
Mahmood

Hello @RhysLwk!

The best way to secure authentication with Azure AD is to:

  • Configure trusted locations
  • Set up Conditional Access policies
  • Set up compliance policies for your Azure AD joined computers
  • Activate MFA

A combination of the above features will make your environment very well protected and secure if configured correctly.

Sadly, VPN is old technology and, from my knowledge, it's not possible to set up a VPN to Azure AD (maybe Azure AD DS).

If your environment still believes that the above solutions are not secure enough, then I would suggest keeping on-prem AD DS, and perhaps ADFS, to manage authentication and SSO towards O365 and other SaaS applications.

Let me know if you need further advice.

Kind Regards
Oliwer Sjöberg
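The replies above (trusted locations, Conditional Access, device compliance, MFA) describe one procedure. The script below is an added example, not code from the thread or from Microsoft: it uses the Microsoft Graph PowerShell SDK to register the customer's VPN egress range as a trusted named location, require an Intune-compliant device plus MFA for Office 365, and block Office 365 sign-ins from any location that is not trusted. The CIDR `203.0.113.0/24`, the break-glass group name `CA-BreakGlass` and the policy display names are assumptions to be replaced with the tenant's real values; both policies are created in report-only mode so that sign-in logs can be reviewed before anything is enforced.

```powershell
# Added example (not from the original thread): trusted named location plus two
# Conditional Access policies for Office 365, built with Microsoft.Graph PowerShell.
# ASSUMPTIONS: 203.0.113.0/24 is a placeholder for the VPN egress range and
# 'CA-BreakGlass' is a hypothetical group of emergency-access accounts.

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups

# Delegated scopes needed to create named locations and Conditional Access policies
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# 1. Trusted location: the public IP range the site-to-site VPN egresses from.
$namedLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate VPN egress"
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = "203.0.113.0/24"   # placeholder, not a real tenant value
        }
    )
}

# Break-glass accounts are excluded from every policy so a misconfiguration
# cannot lock administrators out of the tenant.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-BreakGlass'"   # hypothetical group

# 2. Office 365 only from an Intune-compliant device with MFA (grant controls ANDed).
$requirePolicy = @{
    displayName = "O365: require compliant device and MFA"
    state       = "enabledForReportingButNotEnforced"   # report-only first
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlass.Id)
        }
        applications   = @{
            includeApplications = @("Office365")   # built-in Office 365 app group
        }
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}
$requireCa = New-MgIdentityConditionalAccessPolicy -BodyParameter $requirePolicy

# 3. Block Office 365 from any location that is not a trusted named location,
#    i.e. anything that did not arrive through the VPN egress registered above.
$blockPolicy = @{
    displayName = "O365: block access outside trusted locations"
    state       = "enabledForReportingButNotEnforced"   # report-only first
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlass.Id)
        }
        applications   = @{
            includeApplications = @("Office365")
        }
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
$blockCa = New-MgIdentityConditionalAccessPolicy -BodyParameter $blockPolicy

# Confirm what was created and that both policies are still report-only.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like "O365:*" } |
    Select-Object DisplayName, State, Id
```

Two practical notes. The location policy only constrains where a sign-in arrives from; the Azure AD joined workstations still need outbound HTTPS to the Azure AD endpoints, so that traffic has to be routed out through the VPN egress whose range was registered as trusted. And leave both policies in `enabledForReportingButNotEnforced` until the sign-in logs show no unexpected failures for real users, then switch `state` to `enabled`.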

@RhysLwk they are trying to protect themselves with the wrong approach. Their approach is like trying to avoid a car wreck by driving on a sidewalk where there are not any cars. Share this with them https://clouddamcdnprodep.azureedge.net/gdc/gdclfVmGo/original