Always On VPN is a feature in Windows 10 that allows remote users to securely access corporate resources over the internet, without requiring user interaction or device management. Always On VPN can be configured to use either user or device certificates for authentication, depending on the deployment scenario and the security requirements. In this blog post, I will show you how to set up Always On VPN using Azure VPN gateway, Entra ID and Azure certificate, which is a new option introduced in Windows 10 version 2004.

What are the benefits of using Azure VPN gateway, Entra ID and Azure certificate?

Using Azure VPN gateway, Entra ID and Azure certificate for Always On VPN has several benefits, such as:

  • Simplifying the VPN infrastructure and deployment by leveraging the cloud-based Azure VPN gateway service, which can provide scalable and highly available VPN connections to your virtual network.
  • Enhancing the security and compliance by enforcing device health and conditional access policies, which can block or allow VPN access based on the device state and the user context.
  • Improving the user experience and productivity by providing a seamless and transparent VPN connection, which can automatically connect before the user logs on or when the device is not on the corporate network.

What are the prerequisites and steps to set up Always On VPN using Azure VPN gateway, Entra ID and Azure certificate?

To set up Always On VPN using Azure VPN gateway, Entra ID and Azure certificate, you need to have the following prerequisites:

  • A Microsoft 365 E3 or E5 license, or an Intune license for each user or device that you want to protect.
  • A Microsoft Entra ID tenant that is associated with your Microsoft 365 or Intune subscription.
  • A Microsoft Entra ID global administrator account that has access to the Microsoft Entra admin center and the Intune portal.
  • A virtual network and a VPN gateway in Azure that supports IKEv2 and EAP-TLS authentication, such as a VpnGw1 or higher SKU.
  • A device that runs Windows 10 version 2004 or later, and is enrolled in Intune.

The configuration steps are as follows:

  1. Enable Entra ID as a certificate authority: In the Microsoft Entra admin center, go to Devices > Enrolment > Certificate Connectors, and click on Add. Enter a name for the connector, and download the setup file. Run the setup file on a Windows server that has internet access, and sign in with your Microsoft Entra ID global administrator account. The setup will install the NDES role on the server, and register the server as a certificate connector in Entra ID.
  2. Export the trusted root CA certificate: To use device certificate for Always On VPN, devices must trust your root CA. To establish trust, export the Trusted Root CA certificate, and any intermediate or issuing CA certificates, as a public certificate (.cer) file. You can get these certificates from the issuing CA, or from any device that trusts your issuing CA. You’ll use this .cer file when you create trusted certificate profiles to deploy that certificate to your devices.
  3. Create and assign a trusted certificate profile: Create and assign a trusted certificate profile before you create a device certificate profile. Deploying a trusted certificate profile to the same groups that receive the device certificate profile ensures that each device can recognize the legitimacy of your CA. Device certificate profiles (including those used for VPN, Wi-Fi, and email) directly reference a trusted certificate profile, and deploying that profile to devices is what establishes the trust. When a device doesn’t trust the root CA, the device certificate profile policy will fail. Create a separate trusted certificate profile for each device platform you want to support, just as you’ll do for device certificate profiles.
  4. Create and assign a device certificate profile: Create and assign a device certificate profile for the device certificate and provisioning method you want to use. You can specify the settings and policies for the certificate, such as the subject name, the validity period, the key size, the certificate template, the certificate file, the password, and the certificate store. You can also assign the certificate profile to the same groups that receive the trusted certificate profile. Create a separate certificate profile for each device platform you want to support, just as you’ll do for the trusted certificate profile.
  5. Create and assign a VPN profile: In the Intune portal, go to Devices > Configuration profiles > Create profile. Enter a name and description for the profile, and select Windows 10 and later as the platform, and VPN as the profile type. Click on Create, and then configure the VPN settings, such as the connection name, the server name or address, the authentication method (EAP-TLS), and the certificate type (Entra ID). Click on OK, and then assign the profile to the devices or groups that you want to enable Always On VPN for.
  6. Monitor and troubleshoot the VPN deployment: After deploying the certificate and VPN profiles, you can monitor and troubleshoot the VPN deployment by checking the device configuration status and logs in the Intune portal. You can also view the VPN connection details and properties on the devices.
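The checks in step 6 are easier to reason about when the three things the VPN profile depends on (a trusted CA chain from step 3, a usable device certificate from step 4, and the deployed connection from step 5) are verified on the client in one pass. The PowerShell script below is an added example written for this post, not Microsoft's or the author's own tooling. It assumes the Intune VPN profile created a connection named `AlwaysOnVPN` and that your CA subject contains the string `Contoso`; both are placeholders to change for your environment.

```powershell
# Added example: verify on a Windows 10 client that the Always On VPN prerequisites
# deployed by Intune are actually present. Run in an elevated PowerShell session.
# Assumptions (not from the post): connection name and CA subject substring below.
param(
    [string]$ConnectionName = 'AlwaysOnVPN',   # hypothetical profile name
    [string]$IssuerMatch    = 'Contoso'        # hypothetical CA subject substring
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU, needed for EAP-TLS

# --- Step 2/3: trusted root and intermediate CAs (the trusted certificate profile) ---
$roots = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*$IssuerMatch*" }
$intermediates = Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Subject -like "*$IssuerMatch*" }
if (-not $roots) {
    Write-Warning "No root CA matching '$IssuerMatch' in LocalMachine\Root; the trusted certificate profile has not applied."
} else {
    $roots | ForEach-Object { Write-Output ("Root CA present: {0} (thumbprint {1})" -f $_.Subject, $_.Thumbprint) }
    $intermediates | ForEach-Object { Write-Output ("Intermediate CA present: {0}" -f $_.Subject) }
}

# --- Step 4: a device certificate the IKEv2/EAP-TLS client can actually use ---
# It must live in the machine store, have a private key, be unexpired, carry the
# Client Authentication EKU and be issued by the CA that the gateway trusts.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid) -and
    $_.Issuer -like "*$IssuerMatch*"
}
if (-not $candidates) {
    Write-Warning "No usable device certificate in LocalMachine\My; check the device certificate profile status in Intune."
}
foreach ($cert in $candidates) {
    # Build the chain the same way the VPN client would; revocation is skipped here
    # so an offline client still gives a meaningful answer about trust.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    Write-Output ("Device cert: {0}, expires {1:yyyy-MM-dd}, chain valid: {2}" -f $cert.Subject, $cert.NotAfter, $chainOk)
    if (-not $chainOk) {
        $chain.ChainStatus | ForEach-Object { Write-Warning ("  chain problem: {0}" -f $_.StatusInformation.Trim()) }
    }
}

# --- Step 5: the deployed VPN connection and its current state ---
$vpn = Get-VpnConnection -AllUserConnection -Name $ConnectionName -ErrorAction SilentlyContinue
if (-not $vpn) { $vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue }
if (-not $vpn) {
    Write-Warning "VPN connection '$ConnectionName' not found; the VPN profile has not been delivered to this device."
} else {
    [pscustomobject]@{
        Name           = $vpn.Name
        Server         = $vpn.ServerAddress
        TunnelType     = $vpn.TunnelType          # expect IKEv2 for an Azure VPN gateway
        Authentication = $vpn.AuthenticationMethod
        Status         = $vpn.ConnectionStatus
    } | Format-List
}

# --- Step 6: most recent client-side connection failures ---
# RasClient writes failed connection attempts to the Application log.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient'; Level = 2 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Run it before opening a ticket: a missing root CA points at the trusted certificate profile, a missing or chain-invalid device certificate at the device certificate profile or the certificate connector, and a missing connection at VPN profile assignment, which matches the order in which the profiles were deployed above.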

Conclusion

Always On VPN is a powerful and convenient feature that allows remote users to securely access corporate resources over the internet. It provides authenticated and encrypted access to your virtual network, and supports device health and conditional access policies. To set up Always On VPN using Azure VPN gateway, Entra ID and Azure certificate, you need to have the appropriate licenses and roles, and follow the steps to enable and configure the certificate and VPN profiles.
