terruahmad
Microsoft
Mar 06, 2025
Solved

Azure Always-On VPN with SSO

Hi all,

I have a customer who would like to POC Azure Always-On VPN. The customer wants to avoid entering credentials to log in to the VPN. Is there a document that shows the steps to enable SSO? Is Intune required to enable SSO?

Thanks.

  • Take this:

    Steps to Enable SSO:

    1. Configure Azure VPN Gateway:

    • Set up the Azure VPN Gateway to support IKEv2 and certificate-based authentication. This is essential for Always-On VPN.
    • Follow the Azure VPN Gateway configuration guide for detailed steps.

    2. Device Tunnel and User Tunnel:

    • Configure a Device Tunnel for pre-sign-in connectivity or a User Tunnel for post-sign-in access. Both tunnels can support SSO.
    • Refer to the Device Tunnel setup and User Tunnel setup for specific instructions.

    3. Enable SSO:

    • Use Microsoft Entra ID (formerly Azure AD) for authentication. This allows seamless SSO integration.
    • Ensure that the VPN client profile is configured to use Entra ID for authentication.

    4. Deploy VPN Profiles:

    • Deploy the VPN profiles to client devices using tools like Intune or Configuration Manager. Intune simplifies the deployment process but is not strictly required.
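
A pre-deployment check for the profile that steps 1, 2 and 4 above describe, as an added example that is not part of the original reply and is not Microsoft's code: it lints a Windows VPNv2 ProfileXML for Always On, IKEv2 and certificate-based authentication before the profile is pushed to clients. The sample profile, its server name and route, and the `lint_profile` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample ProfileXML for a device tunnel; server name and route are placeholders.
SAMPLE_DEVICE_TUNNEL = """
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </NativeProfile>
  <Route><Address>10.0.0.0</Address><PrefixSize>8</PrefixSize></Route>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
</VPNProfile>
"""


def _text(root, path):
    """Return the stripped, lower-cased text of an element, or '' if absent."""
    node = root.find(path)
    return (node.text or "").strip().lower() if node is not None else ""


def lint_profile(profile_xml):
    """Return a list of findings; an empty list means the profile passes."""
    root = ET.fromstring(profile_xml.strip())
    findings = []
    device = _text(root, "DeviceTunnel") == "true"
    if _text(root, "AlwaysOn") != "true":
        findings.append("AlwaysOn is not true: the tunnel will not connect on its own")
    if _text(root, "NativeProfile/NativeProtocolType") != "ikev2":
        findings.append("NativeProtocolType is not IKEv2")
    machine = _text(root, "NativeProfile/Authentication/MachineMethod")
    user = _text(root, "NativeProfile/Authentication/UserMethod")
    if device and machine != "certificate":
        findings.append("device tunnel requires MachineMethod=Certificate")
    if not device and user != "eap":
        findings.append("user tunnel should use UserMethod=Eap backed by a certificate")
    if not _text(root, "NativeProfile/Servers"):
        findings.append("Servers is empty")
    return findings


if __name__ == "__main__":
    print(lint_profile(SAMPLE_DEVICE_TUNNEL) or "profile passes")
```

A user-tunnel profile that falls back to a password method such as MSChapv2 is reported, since it would bring back the credential prompt the question wants to avoid.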
