Microsoft Tunnel: A Comprehensive Guide to It’s Capabilities

Overview of Microsoft Tunnel

Microsoft Tunnel is a robust VPN gateway solution for Microsoft Intune, designed to facilitate secure access to on-premises resources from iOS/iPadOS and Android Enterprise devices. This blog post will delve into the core capabilities of Microsoft Tunnel, providing a comprehensive overview of its architecture, deployment, and benefits.

Microsoft Tunnel operates in a container on a Linux server, which can be either a physical box in your on-premises environment or a virtual machine running on-premises or in the cloud. It supports modern authentication and Conditional Access, ensuring secure and controlled access to your on-premises resources.

Architecture and Deployment

The Microsoft Tunnel Gateway installs onto a container running on a Linux server. To configure the Tunnel, you deploy a Microsoft Defender for Endpoint as the Microsoft Tunnel client app, and Intune VPN profiles to your iOS and Android devices. The client app and VPN profile enable devices to use the tunnel to connect to corporate resources.

The Microsoft Tunnel Gateway Architecture:

Microsoft Tunnel Gateway Architecture.


  • A – Microsoft Intune.
  • B – Microsoft Entra ID.
  • C – Linux server with Podman or Docker CE
    • C.1 – Microsoft Tunnel Gateway.
    • C.2 – Management Agent.
    • C.3 – Authentication plugin – Authorization plugin, which authenticates with Microsoft Entra.
  • D – Public facing IP or FQDN of the Microsoft Tunnel, which can represent a load balancer.
  • E – Mobile Device Management (MDM) enrolled device or an unenrolled mobile device using Tunnel for Mobile Application Management.
  • F – Firewall
  • G – Internal Proxy Server (optional).
  • H – Corporate Network.
  • I –-Public internet.


  • 1 – Intune administrator configures Server configurations and Sites, Server configurations are associated with Sites.
  • 2 – Intune administrator installs Microsoft Tunnel Gateway and the authentication plugin authenticates Microsoft Tunnel Gateway with Microsoft Entra. Microsoft Tunnel Gateway server is assigned to a site.
  • 3 – Management Agent communicates to Intune to retrieve your server configuration policies, and to send telemetry logs to Intune.
  • 4 – Intune administrator creates and deploys VPN profiles and the Defender app to devices.
  • 5 – Device authenticates to Microsoft Entra. Conditional Access policies are evaluated.
  • 6 – With split tunnel:
    • 6.a – Some traffic goes directly to the public internet.
    • 6.b – Some traffic goes to your public facing IP address for the Tunnel. The VPN channel will use TCP, TLS, UDP, and DTLS over port 443. This traffic requires inbound and outbound Firewall ports to be open.
  • 7 – The Tunnel routes traffic to your internal proxy (optional) and/or your corporate network. IT Admins must ensure that traffic from the Tunnel Gateway server internal interface can successfully route to internal corporate resource (IP address ranges and ports).

When the tunnel is hosted in the cloud, you need to use a solution like Azure ExpressRoute to extend your on-premises network to the cloud. Through the Microsoft Intune admin center, you can download the Microsoft Tunnel installation script, configure aspects of Microsoft Tunnel Gateway like IP addresses, DNS servers, and ports, and deploy VPN profiles and the Microsoft Defender for Endpoint app to your devices.

Authentication and Conditional Access

Microsoft Tunnel supports single sign-on features and Azure Active Directory (AD) Conditional Access policies. iOS/iPadOS and Android Enterprise devices use Microsoft Entra ID or Active Directory Federation Services (AD FS) to authenticate to the tunnel. The devices are evaluated against your Conditional Access policies, and if the device isn’t compliant, then it can’t access your VPN server or your on-premises network.

Microsoft Tunnel for Mobile Application Management (MAM)

Microsoft Tunnel for MAM extends the Microsoft Tunnel VPN gateway to support devices that run Android or iOS, and that aren’t enrolled with Microsoft Intune. It provides convenience for end users, who can use one device for work and personal use. It does not require device enrollment, meaning corporate data can still be protected without the need for end-users to give IT control over their personal device should they not want to.


Microsoft Tunnel is a powerful tool that offers secure, controlled access to on-premises resources. Its integration with Microsoft 365, support for modern authentication and Conditional Access, and extension to non-enrolled devices make it a versatile solution for today’s diverse and mobile workforce.

For more detailed information on how to install and configure Microsoft Tunnel, you can refer to the official Microsoft Learn documentation.

About the author