A couple of years ago I made a post about monitoring Azure P2S VPNs using RADIUS authentication. While it worked well, using RADIUS authentication included a lot of “extra stuff” like running server infrastructure with the Network Policy Server role, turning on advanced logging, installing Log Analytics agents, etc.

Fast forward 2 years, and Microsoft has released Azure Active Directory (AD) native authentication for Azure P2S VPNs. This enables us to take a fresh look at security and monitoring for these connections.

Configuring the VPN Gateway for Azure AD Authentication

The intent of this post is not to explain how to configure an Azure P2S VPN to use Azure AD authentication, but rather how to secure and monitor it after the fact. The official documentation is pretty good, so we can just look to it to get that taken care of.

To configure the Azure tenant and Azure VPN Gateway, have a look here

To configure multiple Azure AD VPN applications when using multiple gateways, look here

Securing the Azure VPN – Application Settings

Once your VPN Gateway and Azure AD tenant are configured, you will have a new Azure AD application called “Azure VPN”. This is the application that users will authenticate against to gain access to the VPN. By default, the Azure VPN app allows any user in the Azure AD tenant to authenticate to the VPN. This is problematic, as there are almost certainly users we don’t want accessing the VPN, such as guests in the tenant or users who simply don’t need that level of access. To alleviate this, browse to Azure Active Directory in the Azure Portal, then to Enterprise Applications. Search for Azure VPN and go into its settings. Once in there, click on Properties in the left hand menu of the application. You will see a couple of options we want to adjust:

User Assignment Required? Change this to YES

Visible to Users? Change this to NO

The “User Assignment Required?” setting alters the application so that users must be explicitly assigned access to be able to successfully connect to the VPN. To assign users, browse to the “Users and Groups” menu item in the application and add Users or Groups there. If you plan to utilize multiple VPN Gateways and therefore multiple Azure VPN apps within Azure AD, you could make use of Dynamic Groups (requires Azure AD Premium P1 or higher) to automatically assign users of a particular department or team to a group that is assigned to a corresponding Azure VPN app. If a user attempts to connect to the VPN and is not an authorized user, they would receive the following error.

The “Visible to users?” setting will hide the application in the app list on sites such as https://myapplications.microsoft.com or the Office menu bar. Users can’t make use of the VPN app from those areas, so it makes sense to hide it and prevent any confusion on the users’ part.

Securing the Azure VPN – Conditional Access

Authorizing a specific set of users to use the VPN is great, but we also want to make sure that those users are properly authenticated. Conditional Access is a feature of Azure AD Premium P1 or higher that allows us to control under which conditions users may access, or not access, an application. Here are some controls that could be placed on authentications being made to the Azure VPN application:

Require MFA

Require the device be Intune compliant (would require an Intune license and configuration)

Require the device be Hybrid Azure AD Joined (would require a hybrid identity configuration with Active Directory Domain Services)

Allow authentications only from the United States (or any particular set of countries)

Any combination of the above!

We recommend using conditional access rules that enforce MFA, at the very minimum. Microsoft’s data shows that simply using MFA can reduce an identity’s risk of compromise by 99.9%.

Monitoring the Azure VPN via Azure Monitor Logs

Now that our VPN Gateway is utilizing Azure AD authentication, we can glean insights from our Azure AD Sign-In Logs that have been piped to a Log Analytics Workspace (this exportation of logs requires Azure AD Premium P1 or higher).

The Sign-In logs contain all sorts of useful information such as Caller IP Address, MFA status, Conditional Access pass/fail status, timestamps, operating system, etc. We can use Log Analytics to query some or all of this information to gain operational insights into how users are interacting with the Azure VPN application. From there, we can create alerts on particular queries using Azure Monitor Alerts or Azure Sentinel, automatically respond to alerts using Azure Sentinel SOAR capabilities, or pin queries and charts to an Azure Dashboard (as seen below).

To start working with your Azure VPN app sign-in logs, browse to the Log Analytics Workspace holding the logs and run the following query:

SigninLogs | where AppDisplayName == "Azure VPN"

To summarize the events by their timestamps, try this query:

SigninLogs | where AppDisplayName == "Azure VPN" | summarize count = count() by TimeGenerated
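As an added example (not a query from the original post), the three queries below build on the two above to put the controls from the earlier sections under monitoring: the user-assignment requirement and the Conditional Access policies (MFA, allowed country). Each query is run on its own in the Log Analytics query window. The column names are the standard SigninLogs schema; the 7-day window, the 1-hour bin, the "US" country code and the mapping of error codes 50105 (user not assigned to the app) and 53003 (blocked by Conditional Access) are my assumptions, so adjust them to your tenant and policies.

```kusto
// 1. Hourly volume of Azure VPN sign-ins, split into successes and failures.
//    Suitable for pinning to a dashboard or as the basis of an Azure Monitor alert.
SigninLogs
| where TimeGenerated > ago(7d)
| where AppDisplayName == "Azure VPN"
| summarize
    Successes = countif(ResultType == "0"),
    Failures  = countif(ResultType != "0")
    by bin(TimeGenerated, 1h)
| order by TimeGenerated asc

// 2. Failed Azure VPN sign-ins with a readable reason, so that users who are
//    not assigned to the app (50105) or who were blocked by Conditional Access
//    (53003) stand out. Any other failure keeps Azure AD's own description.
SigninLogs
| where TimeGenerated > ago(7d)
| where AppDisplayName == "Azure VPN"
| where ResultType != "0"
| extend Reason = case(
    ResultType == "50105", "User not assigned to the Azure VPN app",
    ResultType == "53003", "Blocked by Conditional Access",
    ResultDescription)
| extend OS = tostring(DeviceDetail.operatingSystem)
| project TimeGenerated, UserPrincipalName, IPAddress, Location, OS,
    AuthenticationRequirement, ConditionalAccessStatus, Reason
| order by TimeGenerated desc

// 3. Successful Azure VPN sign-ins that did NOT require MFA, or that came from
//    outside the allowed country. Once the Conditional Access policies from the
//    previous section are in place, this query should return no rows; any row
//    is a sign of a policy gap or an excluded account worth reviewing.
SigninLogs
| where TimeGenerated > ago(7d)
| where AppDisplayName == "Azure VPN"
| where ResultType == "0"
| where AuthenticationRequirement != "multiFactorAuthentication"
    or Location != "US"
| project TimeGenerated, UserPrincipalName, IPAddress, Location,
    AuthenticationRequirement, ConditionalAccessStatus
| order by TimeGenerated desc
```

Query 3 is the one to wire to an alert rule: a non-empty result means a VPN session was established without the controls you expect, which is more actionable than the raw failure count in query 1.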

CLOUDignition LLC can assist with maximizing your investment or kick-starting your transformation using Azure and Microsoft 365. If you believe we can be a resource for your company, please feel free to reach out.