Merge pull request #293037 from cherylmc/vwan-change-audience

denrea · web-flow · commit 15dd748e2694 · 2025-01-15T10:16:22.000-08:00
Change custom audience
diff --git a/articles/virtual-wan/TOC.yml b/articles/virtual-wan/TOC.yml
@@ -212,6 +212,8 @@
           href: point-to-site-entra-gateway.md
         - name: Configure P2S - manually registered VPN client
           href: virtual-wan-point-to-site-azure-ad.md
+        - name: Create or modify custom audience app ID
+          href: point-to-site-entra-register-custom-app.md
         - name: Configure a tenant
           href: openvpn-azure-ad-tenant.md
         - name: Configure multifactor authentication (MFA)
diff --git a/articles/virtual-wan/point-to-site-entra-gateway.md b/articles/virtual-wan/point-to-site-entra-gateway.md
@@ -17,7 +17,7 @@ ms.author: cherylmc
 This article helps you configure point-to-site User VPN connection to Virtual WAN that uses Microsoft Entra ID authentication and the new Microsoft-registered Azure VPN Client App ID.
 
 > [!NOTE]
-> The steps in this article apply to Microsoft Entra ID authentication using the new Microsoft-registered Azure VPN Client App ID and associated Audience values. This article doesn't apply to the older, manually registered Azure VPN Client app for your tenant. For the manually registered Azure VPN Client steps, see [Configure P2S using manually registered VPN client](virtual-wan-point-to-site-azure-ad.md).
+> The steps in this article apply to Microsoft Entra ID authentication using the new Microsoft-registered Azure VPN Client App ID and associated Audience values. This article doesn't apply to the older, manually registered Azure VPN Client app for your tenant. For the manually registered Azure VPN Client steps, see [Configure P2S User VPN using manually registered VPN client](virtual-wan-point-to-site-azure-ad.md).
 
 [!INCLUDE [About Microsoft-registered app](../../includes/virtual-wan-entra-app-id-descriptions.md)]
 
@@ -48,6 +48,8 @@ Verify that you've met the following criteria before beginning your configuratio
 
 * You need a Microsoft Entra ID tenant for this configuration. If you don't have one, you can create one by following the instructions in [Create a new tenant](/entra/fundamentals/create-new-tenant).
 
+* If you want to use a custom audience value, see [Create or modify custom audience app ID](point-to-site-entra-register-custom-app.md).
+
 ## <a name="wan"></a>Create a virtual WAN
 
 From a browser, navigate to the [Azure portal](https://portal.azure.com) and sign in with your Azure account.
diff --git a/articles/virtual-wan/point-to-site-entra-register-custom-app.md b/articles/virtual-wan/point-to-site-entra-register-custom-app.md
@@ -0,0 +1,55 @@
+---
+title: Create custom app ID for P2S VPN Microsoft Entra ID authentication
+titleSuffix: Azure Virtual WAN
+description: Learn how to create or modify a custom audience App ID or upgrade an existing custom App ID to the new Microsoft-registered Azure VPN Client app values for Azure Virtual WAN.
+author: cherylmc
+ms.service: azure-virtual-wan
+ms.topic: concept-article
+ms.date: 01/14/2025
+ms.author: cherylmc
+---
+
+# Create or modify a custom audience app ID for User VPN Microsoft Entra ID authentication
+
+The steps in this article help you create a Microsoft Entra ID custom App ID (custom audience) for the new Microsoft-registered Azure VPN Client for User VPN point-to-site (P2S) connections. You can also update your existing tenant to [change the new Microsoft-registered Azure VPN Client app](#change) from the previous Azure VPN Client app.
+
+When you configure a custom audience app ID, you can use any of the supported values associated with the Azure VPN Client app. We recommend that you associate the Microsoft-registered App ID Azure Public audience value `c632b3df-fb67-4d84-bdcf-b95ad541b5c8` to your custom app when possible. For the full list of supported values, see the [Azure VPN Client Audience values table](point-to-site-entra-gateway.md).
+
+This article provides high-level steps. The screenshots to register an application might be slightly different, depending on the way you access the user interface, but the settings are the same. For more information, see [Quickstart: Register an application](/entra/identity-platform/quickstart-register-app).
+
+## Prerequisites
+
+* This article assumes that you already have a Microsoft Entra tenant and the permissions to create an Enterprise Application, typically the [Cloud Application Administrator role](/entra/identity/role-based-access-control/permissions-reference#cloud-application-administrator) or higher. For more information, see [Create a new tenant in Microsoft Entra ID](/entra/fundamentals/create-new-tenant) and [Assign user roles with Microsoft Entra ID](/entra/fundamentals/users-assign-role-azure-portal).
+
+* This article assumes that you're using the **Microsoft-registered App ID Azure Public** audience value `c632b3df-fb67-4d84-bdcf-b95ad541b5c8` to configure your custom app. This value has global consent, which means you don't need to manually register it to provide consent for your organization. We recommend that you use this value.
+
+  * At this time, there's only one supported audience value for the Microsoft-registered app. See the [supported audience value table](../vpn-gateway/point-to-site-about.md#entra-id) for additional supported values.
+
+  * If the Microsoft-registered audience value isn't compatible with your configuration, you can still use the older manually registered ID values.
+
+* If you need to use a manually registered app ID value instead, you must give consent to allow the app to sign in and read user profiles before proceeding with this configuration. You must sign in with an account that's assigned the [Cloud Application Administrator role](/entra/identity/role-based-access-control/permissions-reference#cloud-application-administrator).
+
+  1. To grant admin consent for your organization, modify the following command to contain the desired `client_id` value. In the example, the client_id value is for Azure Public. See the [table](../vpn-gateway/point-to-site-about.md#entra-id) for additional supported values.
+
+     ```https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent```
+
+  1. Copy and paste the URL that pertains to your deployment location in the address bar of your browser.
+  1. Select the account that has the [Cloud Application Administrator role](/entra/identity/role-based-access-control/permissions-reference#cloud-application-administrator) if prompted.
+  1. On the **Permissions** requested page, select **Accept**.
+
+[!INCLUDE [Configure custom audience](../../includes/vpn-gateway-custom-audience.md)]
+
+## Configure the gateway
+
+After you've completed the steps in the previous sections, continue to [Configure Virtual WAN User VPN for Microsoft Entra ID authentication - Microsoft-registered app](point-to-site-entra-gateway.md).
+
+## <a name="change"></a>Update to Microsoft-registered VPN app Client ID
+
+> [!NOTE]
+> These steps can be used for any of the supported values associated with the Azure VPN Client app. We recommend that you associate the Microsoft-registered App ID Azure Public audience value `c632b3df-fb67-4d84-bdcf-b95ad541b5c8` to your custom app when possible.
+
+[!INCLUDE [Change custom audience](../../includes/vpn-gateway-custom-audience-change.md)]
+
+## Next steps
+
+[Configure Virtual WAN P2S User VPN for Microsoft Entra ID authentication - Microsoft-registered app](point-to-site-entra-gateway.md).
diff --git a/articles/virtual-wan/virtual-wan-point-to-site-azure-ad.md b/articles/virtual-wan/virtual-wan-point-to-site-azure-ad.md
@@ -7,7 +7,7 @@ author: cherylmc
 
 ms.service: azure-virtual-wan
 ms.topic: how-to
-ms.date: 09/24/2024
+ms.date: 01/15/2025
 ms.author: cherylmc 
 
 #Audience ID values are not sensitive data.
@@ -17,6 +17,11 @@ ms.author: cherylmc
 
 This article shows you how to use Virtual WAN to connect to your resources in Azure. In this article, you create a point-to-site User VPN connection to Virtual WAN that uses Microsoft Entra authentication. Microsoft Entra authentication is only available for gateways that use the OpenVPN protocol.
 
+> [!NOTE]
+> Instead of using the steps in this article, we recommend that you use the new [Microsoft-registered Azure VPN Client App ID](point-to-site-entra-gateway.md) article for your User VPN configuration when possible.
+
+[!INCLUDE [About Microsoft-registered app](../../includes/virtual-wan-entra-app-id-descriptions.md)]
+
 [!INCLUDE [OpenVPN note](../../includes/vpn-gateway-openvpn-auth-include.md)]
 
 In this article, you learn how to:
