Merge pull request #97667 from anzaman/master

Azure AD - howto articles

Author: megvanhuygen

articles/virtual-wan/TOC.yml

@@ -40,6 +40,10 @@
     href: virtual-wan-custom-ipsec-portal.md
   - name: Configure certificates for User VPN (point-to-site)
     href: certificates-point-to-site.md
+  - name: Configure Azure AD tenant for User VPN
+    href: openvpn-azure-ad-tenant.md
+  - name: Enable Multi-Factor Authentication(MFA) for User VPN
+    href: openvpn-azure-ad-mfa.md   
   - name: Configure Azure AD authentication for User VPN (Preview)
     href: virtual-wan-point-to-site-azure-ad.md
   - name: Configure automation (Virtual WAN partners)

articles/virtual-wan/media/openvpn-azure-ad-mfa/mfa1.jpg

@@ -0,0 +1,55 @@
+---
+title: 'Enable MFA for VPN users: Azure AD authentication'
+description: Enable multi-factor authentication for VPN users
+services: vpn-gateway
+author: anzaman
+
+ms.service: vpn-gateway
+ms.topic: conceptual
+ms.date: 11/21/2019
+ms.author: alzam
+
+---
+# Enable Azure Multi-Factor Authentication (MFA) for VPN users
+
+If you want users to be prompted for a second factor of authentication before granting access, you can configure Azure Multi-Factor Authentication (MFA) for your Azure AD tenant. The steps in this article help you enable a requirement for two-step verification.
+
+## <a name="prereq"></a>Prerequisite
+
+The prerequisite for this configuration is a configured Azure AD tenant using the steps in [Configure a tenant](openvpn-azure-ad-tenant.md).
+
+## <a name="mfa"></a>Open the MFA page
+
+1. Sign in to the Azure portal.
+2. Navigate to **Azure Active Directory -> All users**.
+3. Select **Multi-Factor Authentication** to open the multi-factor authentication page.
+
+   ![Sign in](./media/openvpn-azure-ad-mfa/mfa1.jpg)
+
+## <a name="users"></a> Select users
+
+1. On the **multi-factor authentication** page, select the user(s) for which you want to enable MFA.
+2. Select **Enable**.
+
+   ![Select](./media/openvpn-azure-ad-mfa/mfa2.jpg)
+
+## <a name="enableauth"></a>Enable authentication
+
+1. Navigate to **Azure Active Directory  -> Enterprise applications -> All applications**.
+2. On the **Enterprise applications - All applications** page, select **Azure VPN**.
+
+   ![Directory ID](./media/openvpn-azure-ad-mfa/user1.jpg)
+
+## <a name="enablesign"></a> Configure sign-in settings
+
+On the **Azure VPN - Properties** page, configure sign-in settings.
+
+1. Set **Enabled for users to sign-in?** to **Yes**. This allows all users in the AD tenant to connect to the VPN successfully.
+2. Set **User assignment required?** to **Yes** if you want to limit sign-in to only users that have permissions to the Azure VPN.
+3. Save your changes.
+
+   ![Permissions](./media/openvpn-azure-ad-mfa/user2.jpg)
+
+## Next steps
+
+To connect to your virtual network, you must create and configure a VPN client profile. See [Configure Azure AD authentication for Point-to-Site connection to Azure](virtual-wan-point-to-site-azure-ad.md).

articles/virtual-wan/media/openvpn-azure-ad-mfa/mfa2.jpg

@@ -0,0 +1,116 @@
+---
+title: 'VPN Gateway: Azure AD tenant for P2S VPN connections: Azure AD authentication'
+description: You can use P2S VPN to connect to your VNet using Azure AD authentication
+services: vpn-gateway
+author: anzaman
+
+ms.service: vpn-gateway
+ms.topic: conceptual
+ms.date: 11/13/2019
+ms.author: alzam
+
+---
+# Create an Azure Active Directory tenant for P2S OpenVPN protocol connections
+
+When connecting to your VNet, you can use certificate-based authentication or RADIUS authentication. However, when you use the Open VPN protocol, you can also use Azure Active Directory authentication. This article helps you set up an Azure AD tenant for P2S Open VPN authentication.
+
+> [!NOTE]
+> Azure AD authentication is supported only for OpenVPN® protocol connections.
+>
+
+## <a name="tenant"></a>1. Create the Azure AD tenant
+
+Create an Azure AD tenant using the steps in the [Create a new tenant](../active-directory/fundamentals/active-directory-access-create-new-tenant.md) article:
+
+* Organizational name
+* Initial domain name
+
+Example:
+
+   ![New Azure AD tenant](./media/openvpn-create-azure-ad-tenant/newtenant.png)
+
+## <a name="users"></a>2. Create Azure AD tenant users
+
+Next, create two user accounts. Create one Global Admin account and one master user account. The master user account is used as your master embedding account (service account). When you create an Azure AD tenant user account, you adjust the Directory role for the type of user that you want to create.
+
+Use the steps in [this article](../active-directory/fundamentals/add-users-azure-active-directory.md) to create at least two users for your Azure AD tenant. Be sure to change the **Directory Role** to create the account types:
+
+* Global Admin
+* User
+
+## <a name="enable-authentication"></a>3. Enable Azure AD authentication on the VPN gateway
+
+1. Locate the Directory ID of the directory that you want to use for authentication. It is listed in the properties section of the Active Directory page.
+
+    ![Directory ID](./media/openvpn-create-azure-ad-tenant/directory-id.png)
+
+2. Copy the Directory ID.
+
+3. Sign in to the Azure portal as a user that is assigned the **Global administrator** role.
+
+4. Next, give admin consent. Copy and paste the URL that pertains to your deployment location in the address bar of your browser:
+
+    Public
+
+    ```
+    https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent
+    ````
+
+    Azure Government
+
+    ```
+    https://login-us.microsoftonline.com/common/oauth2/authorize?client_id=51bb15d4-3a4f-4ebf-9dca-40096fe32426&response_type=code&redirect_uri=https://portal.azure.us&nonce=1234&prompt=admin_consent
+    ````
+
+    Microsoft Cloud Germany
+
+    ```
+    https://login-us.microsoftonline.de/common/oauth2/authorize?client_id=538ee9e6-310a-468d-afef-ea97365856a9&response_type=code&redirect_uri=https://portal.microsoftazure.de&nonce=1234&prompt=admin_consent
+    ````
+
+    Azure China 21Vianet
+
+    ```
+    https://https://login.chinacloudapi.cn/common/oauth2/authorize?client_id=49f817b6-84ae-4cc0-928c-73f27289b3aa&response_type=code&redirect_uri=https://portal.azure.cn&nonce=1234&prompt=admin_consent
+    ```
+
+5. Select the **Global Admin** account if prompted.
+
+    ![Directory ID](./media/openvpn-create-azure-ad-tenant/pick.png)
+
+6. Select **Accept** when prompted.
+
+    ![Accept](./media/openvpn-create-azure-ad-tenant/accept.jpg)
+
+7. Under your Azure AD, in **Enterprise applications**, you see **Azure VPN** listed.
+
+    ![Azure VPN](./media/openvpn-create-azure-ad-tenant/azurevpn.png)
+
+8. Enable Azure AD authentication on the VPN gateway by running the following commands, being sure to modify the command to reflect your own environment:
+
+    ```azurepowershell-interactive
+    $gw = Get-AzVirtualNetworkGateway -Name <name of VPN gateway> -ResourceGroupName <Resource group>
+    Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -VpnClientRootCertificates @()
+    Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -AadTenantUri "https://login.microsoftonline.com/<your Directory ID>" -AadAudienceId "41b23e61-6c1e-4545-b367-cd054e0ed4b4" -AadIssuerUri "https://sts.windows.net/<your Directory ID>/"
+    ```
+
+9. Create and download the profile by running the following commands. Change the -ResourcGroupName and -Name values to match your own.
+
+    ```azurepowershell-interactive
+    $profile = New-AzVpnClientConfiguration -Name <name of VPN gateway> -ResourceGroupName <Resource group> -AuthenticationMethod "EapTls"
+    $PROFILE.VpnProfileSASUrl
+    ```
+
+10. After running the commands, you see a result similar to the one below. Copy the result URL to your browser to download the profile zip file.
+
+    ![Azure VPN](./media/openvpn-create-azure-ad-tenant/profile.png)
+
+11. Extract the downloaded zip file.
+
+12. Browse to the unzipped “AzureVPN” folder.
+
+13. Make a note of the location of the “azurevpnconfig.xml” file. The azurevpnconfig.xml contains the setting for the VPN connection and can be imported directly into the Azure VPN Client application. You can also distribute this file to all the users that need to connect via e-mail or other means. The user will need valid Azure AD credentials to connect successfully.
+
+## Next steps
+
+In order to connect to your virtual network, you must create and configure a VPN client profile. See [Configure Azure AD authentication for Point-to-Site connection to Azure](virtual-wan-point-to-site-azure-ad.md).