VPN access to Azure from macOS with Azure Active Directory authentication
Published May 31 2021 03:00 AM 9,926 Views
Microsoft

Whether you are using Microsoft Azure for development, for production workloads, or for both, it's important to consider the security of the connections to those cloud systems. Virtual private networks are often used to encrypt traffic between a device and Azure using a private tunnel over the public internet - especially for information and systems you don't want to be made available to the public or open to the possibility of being captured and read. At scale, a site-to-site VPN can be configured to the internet router used by an office (or home office) so the VPN connection can be used by all the devices on that network. But you can also set up a point to site VPN between just one device and Azure - especially useful for laptops and staff who travel or work from home.

 

Establishing a VPN connection requires some sort of authentication method - commonly a certificate or a username & password. Microsoft Azure point-to-site connections support Azure certificate authentication, authentication with a RADIUS server, or Azure Active Directory authentication with the OpenVPN(r) protocol. Active Directory authentication was limited to only Windows clients, but we've just announced a public preview of this capability for macOS.

 

This means that your macOS device will be able to establish a point-to-site VPN connection to Microsoft Azure using authentication with your Azure Active Directory credentials. And because you're using native Azure AD authentication, the additional security features of user-based risk policies, conditional access and multi-factor authentication can now also apply from your Mac device when connecting to the VPN. So, for example, you could ensure that macOS VPN connections are only established from allowed locations, or that other locations force a multi-factor-authentication challenge. Note: while authenticating your VPN with Azure Active Directory does not require any additional Azure AD licensing, some of the premium features (like conditional access) do have Azure AD licensing requirements - check the linked feature documentation for details.

 

Remember: Public preview features are subject to change and don't come with a Service Level Agreement. Learn more at Choose the right Azure services by examining SLAs and service lifecycle. 


Components of a Microsoft Azure Point-to-Site VPN from macOS with Azure Active Directory authentication

A point-to-site VPN connection from macOS to Microsoft Azure requires:

  • An Azure Active Directory tenant
  • An Azure virtual network
  • An Azure virtual network gateway, with the correct point-to-site configuration.
  • A macOS device with a correctly configured Azure VPN Client application.

Network architecture showing a point to site VPN from macOS to Microsoft AzureNetwork architecture showing a point to site VPN from macOS to Microsoft Azure

The detailed steps

Detailed documentation for each of steps is provided at Microsoft Docs and is updated should the product feature or steps change, but I'll link to each step in the process here.  To implement a VPN client for point-to-site OpenVPN protocol connections from macOS (preview):

Configure an Azure Active Directory tenant.  
Register the Azure VPN "Enterprise application" 
Create a virtual network 
Create a virtual network gateway 
Note: You can use an existing virtual network or virtual network gateway if you already have one.

Configure the virtual network gateway & download the VPN client (steps 9-13) 

 

Then on the macOS device:

Install the "Azure VPN Client" application from the Apple Store
Import the connection profile (using azurevpnconfig.xml from the VPN client you downloaded)

 

Now, when you connect to the Azure VPN, you'll be promoted for your Azure Active Directory credentials!

Azure AD sign-in for the macOS VPN to AzureAzure AD sign-in for the macOS VPN to Azure

 

Conclusion:

VPNs are an important component of network security, especially with a remote and mobile workforce. Azure Active Directory authentication for the VPN for macOS devices is easy to configure and lets you take advantage of other Azure AD security features you may be using for other devices in your organisation.  

 


Learn more:

What is a VPN Gateway? 
Explore Azure networking services 
Architect network infrastructure in Azure 
Implement network security in Azure

 

 



 

 

 

 

 

 

1 Comment
Co-Authors
Version history
Last update:
‎May 30 2021 09:08 PM
Updated by: