
Enable Microsoft Entra ID MFA for P2S VPN Users

December 1, 2024 · 4-minute read

Reviewed by: Julia Knights


Configuring Microsoft Entra ID Multi-Factor Authentication (MFA) for Point-to-Site (P2S) VPN connections enhances security by requiring users to verify their identity through an additional authentication factor. You can set up MFA either on a per-user basis or by using Conditional Access for more granular control.
Options for Configuring MFA

Option 1: Per-User Access

  • Cost: Free to enable per-user MFA without additional licensing costs.
  • Functionality: Users are prompted for MFA across all applications connected to the Microsoft Entra tenant.
  • Steps: Refer to the “Option 1: Per-User MFA Configuration” section below for detailed setup instructions.

Option 2: Conditional Access

  • Cost: Requires Microsoft Entra ID P1, P2, or higher licensing.
  • Functionality: MFA is applied selectively, such as only to VPN access, while excluding other applications. This approach provides fine-grained control over authentication requirements.
  • Steps: See the “Option 2: Conditional Access MFA Configuration” section below for configuration details. Learn more in Microsoft's “What is Conditional Access?” documentation.

Steps to Enable Authentication

  1. Navigate to the Configuration Page:
    • Go to Microsoft Entra ID > Enterprise Applications > All Applications.
    • Select Azure VPN.
  2. Configure Sign-In Settings:
    • On the Azure VPN – Properties page:
      • Enable Sign-In: Set Enabled for users to sign-in? to Yes so that users in the tenant can authenticate to the VPN application.
      • Restrict Access: Set User assignment required? to Yes so that only users and groups explicitly assigned to the application can connect to the VPN.
    • Save changes.

Option 1: Per-User MFA Configuration

  1. Access the MFA Settings:
    • Sign in to the Azure portal.
    • Navigate to Microsoft Entra ID > Users > Per-user MFA.
  2. Enable MFA for Users:
    • On the Per-user Multifactor Authentication page, select the desired users.
    • Click Enable MFA to activate multi-factor authentication for these users.

Option 2: Conditional Access MFA Configuration

Conditional Access allows for detailed MFA control on a per-application basis.

Prerequisites:

  • Microsoft Entra ID P1 or P2 licenses are required for users subject to Conditional Access rules.

Steps:

  1. Open Conditional Access for Azure VPN:
    • Navigate to Microsoft Entra ID > Enterprise Applications > All Applications.
    • Select Azure VPN.
    • Click Conditional Access.
  2. Create a New Policy:
    • Click New Policy to open the policy creation pane.
    • Go to Assignments > Users and Groups and:
      • Select Users and Groups.
      • Choose the specific users or groups to which MFA should apply.
      • Click Done.
  3. Configure Access Controls:
    • Go to Access Controls > Grant and:
      • Select Grant Access.
      • Check Require Multi-Factor Authentication.
      • Check Require all the selected controls.
      • Click Select.
  4. Enable and Save the Policy:
    • In the Enable Policy section, set it to On.
    • Click Create to finalize the Conditional Access policy.
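The same configuration can be applied without the portal. The following is an added example using the Microsoft Graph PowerShell SDK; it is not part of the original post. It assumes the Microsoft.Graph module is installed, the caller can consent to the listed scopes, and a group named “VPN Users” (a constructed name) holds the people who should be allowed to connect.

```powershell
# Added example, not from the original post. Automates "Steps to Enable Authentication"
# and "Option 2: Conditional Access MFA Configuration" with the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Steps to Enable Authentication: the "Azure VPN" enterprise application is a service principal.
$vpnApp = Get-MgServicePrincipal -Filter "displayName eq 'Azure VPN'"
if (-not $vpnApp) { throw "Azure VPN enterprise application is not present in this tenant" }

$spSettings = @{
    ServicePrincipalId        = $vpnApp.Id
    AccountEnabled            = $true   # "Enabled for users to sign-in?" = Yes
    AppRoleAssignmentRequired = $true   # "User assignment required?"    = Yes
}
Update-MgServicePrincipal @spSettings

# Option 2, steps 2-4: policy scoped to the VPN application only, for one group.
# "VPN Users" is an assumed group name; replace it with your own.
$vpnGroup = Get-MgGroup -Filter "displayName eq 'VPN Users'"
if (-not $vpnGroup) { throw "Group 'VPN Users' not found" }

$policy = @{
    displayName   = "Require MFA for Azure VPN (P2S)"
    # Step 4 sets the policy to On. To trial it first, use
    # "enabledForReportingButNotEnforced" and review the sign-in logs before enforcing.
    state         = "enabled"
    conditions    = @{
        users        = @{ includeGroups = @($vpnGroup.Id) }
        applications = @{ includeApplications = @($vpnApp.AppId) }   # app ID, not object ID
    }
    grantControls = @{
        operator        = "AND"      # "Require all the selected controls"
        builtInControls = @("mfa")   # "Require Multi-Factor Authentication"
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the stored policy back: confirm scope and control before relying on it.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'Apps'; e = { $_.Conditions.Applications.IncludeApplications -join ',' } },
        @{ n = 'Grant'; e = { $_.GrantControls.BuiltInControls -join ',' } }
```

The final read-back should list the Azure VPN application ID under Apps and `mfa` under Grant; anything else means the policy is not scoped the way the steps above intend.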

Next Steps

  • Testing: After enabling MFA, test access with selected users to ensure proper functionality.
  • Monitoring: Use Microsoft Entra logs and reports to track authentication activities and ensure policies are effectively applied.

By configuring MFA through either per-user or Conditional Access methods, you can enhance security for VPN users while tailoring the setup to your organizational needs.


Ethan Kim

Tech Visionary and Industry Storyteller
