Merge pull request #104535 from cherylmc/vpnvwan2

v-albemi · web-flow · commit 330b8873054d · 2020-02-18T15:09:08.000-08:00
Vpnvwan2
diff --git a/articles/virtual-wan/openvpn-azure-ad-mfa.md b/articles/virtual-wan/openvpn-azure-ad-mfa.md
@@ -12,23 +12,23 @@ ms.author: alzam
 ---
 # Enable Azure Multi-Factor Authentication (MFA) for VPN users
 
-If you want users to be prompted for a second factor of authentication before granting access, you can configure Azure Multi-Factor Authentication (MFA) for your Azure AD tenant. The steps in this article help you enable a requirement for two-step verification.
+[!INCLUDE [overview](../../includes/vpn-gateway-vwan-openvpn-enable-mfa-overview.md)]
 
-## <a name="prereq"></a>Prerequisite
+## <a name="enableauth"></a>Enable authentication
 
-The prerequisite for this configuration is a configured Azure AD tenant using the steps in [Configure a tenant](openvpn-azure-ad-tenant.md).
+[!INCLUDE [enable authentication](../../includes/vpn-gateway-vwan-openvpn-enable-auth.md)]
 
-[!INCLUDE [MFA steps](../../includes/vpn-gateway-vwan-openvpn-azure-ad-mfa.md)]
+## <a name="enablesign"></a>Configure sign-in settings
 
-## <a name="enablesign"></a> Configure sign-in settings
+[!INCLUDE [sign in](../../includes/vpn-gateway-vwan-openvpn-sign-in.md)]
 
-On the **Azure VPN - Properties** page, configure sign-in settings.
+## <a name="peruser"></a>Option 1 - Per User access
 
-1. Set **Enabled for users to sign-in?** to **Yes**. This allows all users in the AD tenant to connect to the VPN successfully.
-2. Set **User assignment required?** to **Yes** if you want to limit sign-in to only users that have permissions to the Azure VPN.
-3. Save your changes.
+[!INCLUDE [per user](../../includes/vpn-gateway-vwan-openvpn-per-user.md)]
 
-   ![Permissions](./media/openvpn-azure-ad-mfa/user2.jpg)
+## <a name="conditional"></a>Option 2 - Conditional Access
+
+[!INCLUDE [conditional access](../../includes/vpn-gateway-vwan-openvpn-conditional.md)]
 
 ## Next steps
 
diff --git a/articles/vpn-gateway/openvpn-azure-ad-mfa.md b/articles/vpn-gateway/openvpn-azure-ad-mfa.md
@@ -6,47 +6,30 @@ author: anzaman
 
 ms.service: vpn-gateway
 ms.topic: conceptual
-ms.date: 11/21/2019
+ms.date: 02/14/2020
 ms.author: alzam
 
 ---
 # Enable Azure Multi-Factor Authentication (MFA) for VPN users
 
-If you want users to be prompted for a second factor of authentication before granting access, you can configure Azure Multi-Factor Authentication (MFA) on a per user basis or leverage Multi-Factor Authentication (MFA) via [Conditional Access](../active-directory/conditional-access/overview.md) for more fine-grained control. Configuring Multi-Factor Authentication per user can be enabled at no-additional cost, however when enabling MFA per user, the user will be prompted for second factor authentication against all applications tied to the Azure AD tenant. Conditional Access will allow finer grain control over how a second factor should be promoted and can allow assignment of MFA to only VPN and not other applications tied to the Azure AD tenant.
+[!INCLUDE [overview](../../includes/vpn-gateway-vwan-openvpn-enable-mfa-overview.md)]
 
 ## <a name="enableauth"></a>Enable authentication
 
-1. Navigate to **Azure Active Directory  -> Enterprise applications -> All applications**.
-2. On the **Enterprise applications - All applications** page, select **Azure VPN**.
+[!INCLUDE [enable authentication](../../includes/vpn-gateway-vwan-openvpn-enable-auth.md)]
 
-   ![Directory ID](../../includes/media/vpn-gateway-vwan-openvpn-azure-ad-mfa/user1.jpg)
+## <a name="enablesign"></a>Configure sign-in settings
 
-## <a name="enablesign"></a> Configure sign-in settings
+[!INCLUDE [sign in](../../includes/vpn-gateway-vwan-openvpn-sign-in.md)]
 
-On the **Azure VPN - Properties** page, configure sign-in settings.
+## <a name="peruser"></a>Option 1 - Per User access
 
-1. Set **Enabled for users to sign-in?** to **Yes**. This allows all users in the AD tenant to connect to the VPN successfully.
-2. Set **User assignment required?** to **Yes** if you want to limit sign-in to only users that have permissions to the Azure VPN.
-3. Save your changes.
+[!INCLUDE [per user](../../includes/vpn-gateway-vwan-openvpn-per-user.md)]
 
-   ![Permissions](./media/openvpn-azure-ad-mfa/user2.jpg)
+## <a name="conditional"></a>Option 2 - Conditional Access
 
-## Option 1 - Enable Multi-Factor Authentication (MFA) via Conditional Access
-
-Conditional Access allows for fine-grained access control on a per-application basis.  Please note that to leverage Conditional Access, you should have Azure AD Premium 1 or greater licensing applied to the users that will be subject to the Conditional Access rules.
-
-1. On the **Enterprise applications - All applications** page, select **Azure VPN**, select **Conditional Access**, and click **New policy**.
-2. Under Users and groups, on the *Include* tab check **Select users and groups**, check **Users and groups**, and select a group or set of users that should be subject for MFA.  Click **Done**.
-![Assignments](../../includes/media/vpn-gateway-vwan-openvpn-azure-ad-mfa/mfa-ca-assignments.png)
-3. Under **Grant**, check **Grant access**, check **Require multi-factor authentication**, check **Require all the selected controls**, and click the **Select** button.
-![Grant access - MFA](../../includes/media/vpn-gateway-vwan-openvpn-azure-ad-mfa/mfa-ca-grant-mfa.png)
-4. Check **On** under **Enable policy** and click the **Create** button.
-![Enable Policy](../../includes/media/vpn-gateway-vwan-openvpn-azure-ad-mfa/mfa-ca-enable-policy.png)
-
-## Option 2 - Enable Multi-Factor Authentication (MFA) per User
-
-[!INCLUDE [MFA steps](../../includes/vpn-gateway-vwan-openvpn-azure-ad-mfa.md)]
+[!INCLUDE [conditional access](../../includes/vpn-gateway-vwan-openvpn-conditional.md)]
 
 ## Next steps
 
-To connect to your virtual network, you must create and configure a VPN client profile. See [Configure a VPN client for P2S VPN connections](openvpn-azure-ad-client.md).
+To connect to your virtual network, you must create and configure a VPN client profile. See [Configure a VPN client for P2S VPN connections](openvpn-azure-ad-client.md).
diff --git a/includes/media/vpn-gateway-vwan-openvpn-sign-in/user2.jpg b/includes/media/vpn-gateway-vwan-openvpn-sign-in/user2.jpg
diff --git a/includes/vpn-gateway-vwan-openvpn-conditional.md b/includes/vpn-gateway-vwan-openvpn-conditional.md
@@ -0,0 +1,41 @@
+---
+ title: include file
+ description: include file
+ services: vpn-gateway
+ author: cherylmc
+ ms.service: vpn-gateway
+ ms.topic: include
+ ms.date: 02/14/2020
+ ms.author: cherylmc
+ ms.custom: include file
+
+ # this file is used for both virtual wan and vpn gateway. When modifying, make sure that your changes work for both environments.
+---
+Conditional Access allows for fine-grained access control on a per-application basis. In order to use Conditional Access, you should have Azure AD Premium 1 or greater licensing applied to the users that will be subject to the Conditional Access rules.
+
+1. Navigate to the **Enterprise applications - All applications** page and click **Azure VPN**.
+
+   - Click **Conditional Access**.
+   - Click **New policy** to open the **New** pane.
+2. On the **New** pane, navigate to **Assignments -> Users and groups**. On the **Users and groups ->** **Include** tab:
+
+   - Click **Select users and groups**.
+   - Check **Users and groups**.
+   - Click **Select** to select a group or set of users to be affected by MFA.
+   - Click **Done**.
+
+   ![Assignments](./media/vpn-gateway-vwan-openvpn-azure-ad-mfa/mfa-ca-assignments.png)
+3. On the **New** pane, navigate to the **Access controls -> Grant** pane:
+
+   - Click **Grant access**.
+   - Click **Require multi-factor authentication**.
+   - Click **Require all the selected controls**.
+   - Click **Select**.
+   
+   ![Grant access - MFA](./media/vpn-gateway-vwan-openvpn-azure-ad-mfa/mfa-ca-grant-mfa.png)
+4. In the **Enable policy** section:
+
+   - Select **On**.
+   - Click **Create**.
+
+   ![Enable Policy](./media/vpn-gateway-vwan-openvpn-azure-ad-mfa/mfa-ca-enable-policy.png)
diff --git a/includes/vpn-gateway-vwan-openvpn-enable-auth.md b/includes/vpn-gateway-vwan-openvpn-enable-auth.md
@@ -0,0 +1,18 @@
+---
+ title: include file
+ description: include file
+ services: vpn-gateway
+ author: cherylmc
+ ms.service: vpn-gateway
+ ms.topic: include
+ ms.date: 02/14/2020
+ ms.author: cherylmc
+ ms.custom: include file
+
+ # this file is used for both virtual wan and vpn gateway. When modifying, make sure that your changes work for both environments.
+---
+
+1. Navigate to **Azure Active Directory  -> Enterprise applications -> All applications**.
+2. On the **Enterprise applications - All applications** page, select **Azure VPN**.
+
+   ![Directory ID](./media/vpn-gateway-vwan-openvpn-azure-ad-mfa/user1.jpg)
diff --git a/includes/vpn-gateway-vwan-openvpn-enable-mfa-overview.md b/includes/vpn-gateway-vwan-openvpn-enable-mfa-overview.md
@@ -0,0 +1,18 @@
+---
+ title: include file
+ description: include file
+ services: vpn-gateway
+ author: cherylmc
+ ms.service: vpn-gateway
+ ms.topic: include
+ ms.date: 02/14/2020
+ ms.author: cherylmc
+ ms.custom: include file
+
+ # this file is used for both virtual wan and vpn gateway. When modifying, make sure that your changes work for both environments.
+---
+
+If you want users to be prompted for a second factor of authentication before granting access, you can configure Azure Multi-Factor Authentication (MFA). You can configure MFA on a per user basis, or you can leverage MFA via [Conditional Access](../articles/active-directory/conditional-access/overview.md).
+
+* MFA per user can be enabled at no-additional cost. When enabling MFA per user, the user will be prompted for second factor authentication against all applications tied to the Azure AD tenant. See [Option 1](#peruser) for steps.
+* Conditional Access allows for finer-grained control over how a second factor should be promoted. It can allow assignment of MFA to only VPN, and exclude other applications tied to the Azure AD tenant. See [Option 2](#conditional) for steps.
diff --git a/includes/vpn-gateway-vwan-openvpn-per-user.md b/includes/vpn-gateway-vwan-openvpn-per-user.md
@@ -12,17 +12,17 @@
  # this file is used for both virtual wan and vpn gateway. When modifying, make sure that your changes work for both environments.
 ---
 
-## <a name="mfa"></a>Open the MFA page
+### <a name="mfa"></a>Open the MFA page
 
 1. Sign in to the Azure portal.
 2. Navigate to **Azure Active Directory -> All users**.
 3. Select **Multi-Factor Authentication** to open the multi-factor authentication page.
 
    ![Sign in](./media/vpn-gateway-vwan-openvpn-azure-ad-mfa/mfa1.jpg)
 
-## <a name="users"></a> Select users
+### <a name="users"></a> Select users
 
-1. On the **multi-factor authentication** page, select the user(s) for which you want to enable MFA.
+1. On the **multi-factor authentication** page, select the user(s) for whom you want to enable MFA.
 2. Select **Enable**.
 
    ![Select](./media/vpn-gateway-vwan-openvpn-azure-ad-mfa/mfa2.jpg)
diff --git a/includes/vpn-gateway-vwan-openvpn-sign-in.md b/includes/vpn-gateway-vwan-openvpn-sign-in.md
@@ -0,0 +1,21 @@
+---
+ title: include file
+ description: include file
+ services: vpn-gateway
+ author: cherylmc
+ ms.service: vpn-gateway
+ ms.topic: include
+ ms.date: 02/14/2020
+ ms.author: cherylmc
+ ms.custom: include file
+
+ # this file is used for both virtual wan and vpn gateway. When modifying, make sure that your changes work for both environments.
+---
+
+On the **Azure VPN - Properties** page, configure sign-in settings.
+
+1. Set **Enabled for users to sign-in?** to **Yes**. This setting allows all users in the AD tenant to connect to the VPN successfully.
+2. Set **User assignment required?** to **Yes** if you want to limit sign-in to only users that have permissions to the Azure VPN.
+3. Save your changes.
+
+   ![Permissions](./media/vpn-gateway-vwan-openvpn-sign-in/user2.jpg)
