Commit 3d8bbaa

Merge pull request #294394 from cherylmc/audience
audience
2 parents 3a8f133 + 3e8e62c commit 3d8bbaa

11 files changed, +26 -27 lines changed

articles/virtual-wan/point-to-site-entra-gateway-update.md

Lines changed: 3 additions & 3 deletions
@@ -5,7 +5,7 @@ description: Learn how to update Audience values for User VPN (P2S) gateway conn
55
author: cherylmc
66
ms.service: azure-virtual-wan
77
ms.topic: how-to
8-
ms.date: 02/07/2025
8+
ms.date: 02/10/2025
99
ms.author: cherylmc
1010

1111
# Customer intent: As an VPN Gateway administrator, I want to update point-to-site Audience values for Microsoft Entra ID authentication.
@@ -19,7 +19,7 @@ The following table shows the available supported Audience values.
1919

2020
[!INCLUDE [Audience values](../../includes/vpn-gateway-entra-audience-values.md)]
2121

22-
The examples in this article use the new Audience value for Azure Public. This article doesn't apply to **custom Audience** value configurations. To modify a custom audience app ID, see [Create or modify a custom audience app ID for P2S VPN Microsoft Entra ID authentication](point-to-site-entra-register-custom-app.md#change).
22+
This article doesn't apply to **custom Audience** value configurations. To modify a custom audience app ID, see [Create or modify a custom audience app ID for P2S VPN Microsoft Entra ID authentication](point-to-site-entra-register-custom-app.md#change).
2323

2424
## Workflow
2525

@@ -38,7 +38,7 @@ When you update audience values on an existing gateway, you incur fewer than 5 m
3838

3939
1. On the **User VPN configurations** page, select the configuration, then click **Edit configuration**.
4040

41-
1. On the **Edit configuration** page, go to the **Azure Active Directory** page, which is used to configure the Microsoft Entra ID values. Change the **Audience** value to the new version. For example, the new Azure Public aduence value for the Microsoft-registerd Azure VPN Client is: **c632b3df-fb67-4d84-bdcf-b95ad541b5c8**.
41+
1. On the **Edit configuration** page, go to the **Azure Active Directory** page, which is used to configure the Microsoft Entra ID values. Change the **Audience** value to: **c632b3df-fb67-4d84-bdcf-b95ad541b5c8**.
4242

4343
1. Leave the other settings the same, unless you have changed tenants and need to change the tenant IDs. If you update the Issuer field, take care to include the trailing slash at the end. For more information about each of the fields, see [User configuration](point-to-site-entra-gateway.md#user-config) values.
4444
1. Once you finish configuring settings, click **Review + create** to save your settings.
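
Review bot: The rewritten step at line 41 hard-codes the Audience GUID in the procedure, although this article already pulls the supported values from the `vpn-gateway-entra-audience-values.md` include at line 20. The same literal is repeated in several files in this commit, so a later change to the value has to be made in each of them by hand. Consider pointing the step at the table ("Change the **Audience** value to the Microsoft-registered value shown in the table above") or keeping the GUID in one include that the steps reference, so the step and the table cannot drift apart.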

articles/vpn-gateway/point-to-site-about.md

Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@ author: cherylmc
66
ms.service: azure-vpn-gateway
77
ms.custom: linux-related-content
88
ms.topic: concept-article
9-
ms.date: 09/18/2024
9+
ms.date: 02/10/2025
1010
ms.author: cherylmc
1111
---
1212
# About Point-to-Site VPN

articles/vpn-gateway/point-to-site-entra-gateway-update.md

Lines changed: 3 additions & 3 deletions
@@ -5,7 +5,7 @@ description: Learn how to update Audience values for P2S VPN gateway connections
55
author: cherylmc
66
ms.service: azure-vpn-gateway
77
ms.topic: how-to
8-
ms.date: 08/06/2024
8+
ms.date: 02/10/2025
99
ms.author: cherylmc
1010

1111
# Customer intent: As an VPN Gateway administrator, I want to update point-to-site Audience values for Microsoft Entra ID authentication.
@@ -19,7 +19,7 @@ The following table shows the available supported Audience values.
1919

2020
[!INCLUDE [Audience values](../../includes/vpn-gateway-entra-audience-values.md)]
2121

22-
The examples in this article use the new Audience value for Azure Public. This article doesn't apply to **custom Audience** value configurations. To modify a custom audience app ID, see [Create or modify a custom audience app ID for P2S VPN Microsoft Entra ID authentication](point-to-site-entra-register-custom-app.md#change).
22+
This article doesn't apply to **custom Audience** value configurations. To modify a custom audience app ID, see [Create or modify a custom audience app ID for P2S VPN Microsoft Entra ID authentication](point-to-site-entra-register-custom-app.md#change).
2323

2424
## Workflow
2525

@@ -38,7 +38,7 @@ When you update audience values on an existing gateway, you incur fewer than 5 m
3838

3939
:::image type="content" source="./media/update-entra-audience/audience.png" alt-text="Screenshot showing settings for Tunnel type, Authentication type, and Microsoft Entra settings." lightbox="././media/update-entra-audience/audience.png":::
4040

41-
1. Change the **Audience** value. For this example, we changed the Audience value to the Azure Public value for the Microsoft-registered Azure VPN Client; **c632b3df-fb67-4d84-bdcf-b95ad541b5c8**.
41+
1. Change the **Audience** value to: **c632b3df-fb67-4d84-bdcf-b95ad541b5c8**.
4242
1. Leave the other settings the same, unless you have changed tenants and need to change the tenant IDs. If you update the Issuer field, take care to include the trailing slash at the end. For more information about each of the fields, see [Microsoft Entra ID](point-to-site-entra-gateway.md#configure-vpn) values.
4343
1. Once you finish configuring settings, click **Save** at the top of the page.
4444
1. The new settings save to the P2S gateway and the gateway updates. This takes about 5 minutes to complete.
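
Review bot: The new step at line 41 gives a bare GUID with no statement of what it identifies; the removed wording said it was the value for the Microsoft-registered Azure VPN Client. An administrator changing which Audience a gateway accepts should be able to tell from the step which app that value belongs to, and line 22 already says the article does not cover custom Audience values. Drop only the cloud qualifier and keep the identification, for example "Change the **Audience** value to the Microsoft-registered Azure VPN Client value: **c632b3df-fb67-4d84-bdcf-b95ad541b5c8**".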

articles/vpn-gateway/point-to-site-entra-gateway.md

Lines changed: 7 additions & 4 deletions
@@ -6,14 +6,14 @@ author: cherylmc
66
ms.service: azure-vpn-gateway
77
ms.custom: linux-related-content
88
ms.topic: how-to
9-
ms.date: 11/04/2024
9+
ms.date: 02/10/2025
1010
ms.author: cherylmc
1111
# Customer intent: As an VPN Gateway administrator, I want to configure point-to-site to allow Microsoft Entra ID authentication using the Microsoft-registered Azure VPN Client APP ID.
1212
---
1313

1414
# Configure P2S VPN Gateway for Microsoft Entra ID authentication – Microsoft-registered app
1515

16-
This article helps you configure your point-to-site (P2S) VPN gateway for Microsoft Entra ID authentication using the new Microsoft-registered Azure VPN Client App ID.
16+
This article helps you configure your point-to-site (P2S) VPN gateway for Microsoft Entra ID authentication using the new Microsoft-registered Azure VPN Client App ID.
1717

1818
> [!NOTE]
1919
> The steps in this article apply to Microsoft Entra ID authentication using the new Microsoft-registered Azure VPN Client App ID and associated Audience values. This article doesn't apply to the older, manually registered Azure VPN Client app for your tenant. For the manually registered Azure VPN Client steps, see [Configure P2S using manually registered VPN client](openvpn-azure-ad-tenant.md).
@@ -75,11 +75,14 @@ This article assumes the following prerequisites:
7575

7676
* **Tenant:** TenantID for the Microsoft Entra ID tenant. Enter the tenant ID that corresponds to your configuration. Make sure the Tenant URL doesn't have a `\` (backslash) at the end. Forward slash is permissible.
7777

78-
* Azure Public: `https://login.microsoftonline.com/{Microsoft ID Entra Tenant ID}`
78+
* Azure Public: `https://login.microsoftonline.com/{TenantID}`
79+
* Azure Government: `https://login.microsoftonline.us/{TenantID}`
80+
* Azure Germany: `https://login-us.microsoftonline.de/{TenantID}`
81+
* China 21Vianet: `https://login.chinacloudapi.cn/{TenantID}`
7982

8083
* **Audience**: The corresponding value for the Microsoft-registered Azure VPN Client App ID. [Custom audience](point-to-site-entra-register-custom-app.md) is also supported for this field.
8184

82-
* Azure Public: `c632b3df-fb67-4d84-bdcf-b95ad541b5c8`
85+
* `c632b3df-fb67-4d84-bdcf-b95ad541b5c8`
8386

8487
* **Issuer**: URL of the Secure Token Service. Include a trailing slash at the end of the **Issuer** value. Otherwise, the connection might fail. Example:
8588
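
Review bot: The Audience bullet at line 85 loses its "Azure Public:" label and becomes a bare GUID directly under a Tenant list that now names four clouds, so the reader has to infer that one value serves all of them. State that in the bullet, using the wording the audience values table in this commit uses ("This audience value applies to Azure Public, Azure Government, Azure Germany, and Microsoft Azure operated by 21Vianet"). Please also confirm the Azure Germany host added at line 80, `login-us.microsoftonline.de`: the `-us` prefix does not follow the pattern of the other three entries, and a wrong tenant URL here fails authentication for anyone who copies it. The cloud name "China 21Vianet" at line 81 also differs from "Microsoft Azure operated by 21Vianet" in the table.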

articles/vpn-gateway/point-to-site-entra-vpn-client-mac.md

Lines changed: 3 additions & 3 deletions
@@ -4,7 +4,7 @@ description: Learn how to configure macOS client computers to connect to Azure u
44
author: cherylmc
55
ms.service: azure-vpn-gateway
66
ms.topic: how-to
7-
ms.date: 10/15/2024
7+
ms.date: 02/10/2025
88
ms.author: cherylmc
99
---
1010

@@ -58,7 +58,7 @@ Locate and unzip the VPN client profile configuration package you generated and
5858
1. On this screen, notice the connection values are populated using the values in the imported VPN client configuration file.
5959

6060
* Verify that the **Certificate Information** value shows **DigiCert Global Root G2**, rather than the default or blank. Adjust the value if necessary.
61-
* Notice the Client Authentication values align with the values that were used to configure the VPN gateway for Microsoft Entra ID authentication. The Audience value in this example aligns with the Microsoft-registered App ID for Azure Public. If your P2S gateway is configured for a different Audience value, this field must reflect that value.
61+
* Notice the Client Authentication values align with the values that were used to configure the VPN gateway for Microsoft Entra ID authentication. This field must reflect the same value that your gateway is configured to use.
6262

6363
:::image type="content" source="media/point-to-site-entra-vpn-client-mac/values.png" alt-text="Screenshot of Azure VPN Client saving the imported profile settings." lightbox="media/point-to-site-entra-vpn-client-mac/values.png":::
6464
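
Review bot: In the new line 61, "This field" has no antecedent: the sentence that named the Audience value was removed, and the sentence before it refers to "Client Authentication values" in the plural. Name the field, for example "The **Audience** field must match the value that your P2S gateway is configured to use", since a client and gateway mismatch on that value is exactly what this bullet asks the reader to check.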

@@ -94,7 +94,7 @@ You can remove the VPN connection profile from your computer.
9494
1. Open the Azure VPN Client.
9595
1. Select the VPN connection that you want to remove, then click **Remove**.
9696

97-
## Optional Azure VPN Client configuration settings
97+
## Optional client configuration settings
9898

9999
You can configure the Azure VPN Client with optional configuration settings such as additional DNS servers, custom DNS, forced tunneling, custom routes, and other additional settings. For a description of the available optional settings and configuration steps, see [Azure VPN Client optional settings](azure-vpn-client-optional-configurations.md).
100100
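
Review bot: Renaming the heading at line 97 changes the bookmark derived from the heading text, so any link that targets the old "Optional Azure VPN Client configuration settings" anchor will stop resolving to this section. Search the repo for inbound links to the old bookmark before merging. The shorter heading also drops the product name that the paragraph at line 99 and the linked article title still use.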

articles/vpn-gateway/point-to-site-entra-vpn-client-windows.md

Lines changed: 2 additions & 2 deletions
@@ -5,7 +5,7 @@ titleSuffix: Azure VPN Gateway
55
author: cherylmc
66
ms.service: azure-vpn-gateway
77
ms.topic: how-to
8-
ms.date: 02/07/2025
8+
ms.date: 02/10/2025
99
ms.author: cherylmc
1010

1111
#Audience and custom App ID values are not sensitive data. Please do not remove. They are required for the configuration.
@@ -57,7 +57,7 @@ After you obtain the VPN client profile configuration package, extract the zip f
5757

5858
1. On the client profile page, notice that many of the settings are already specified. The preconfigured settings are contained in the VPN client profile package that you imported. Even though most of the settings are already specified, you need to configure settings specific to the client computer.
5959

60-
1. Change the name of the Connection name (optional). In this example, notice that the Audience value shown is the new Azure Public value associated to the Microsoft-registered Azure VPN Client App ID. The value in this field must match the value that your P2S VPN gateway is configured to use.
60+
1. Change the name of the Connection name (optional). In this example, notice that the Audience value shown is the value that's associated to the Microsoft-registered Azure VPN Client App ID. The value in this field must match the value that your P2S VPN gateway is configured to use.
6161

6262
:::image type="content" source="./media/point-to-site-entra-vpn-client-windows/connection-properties.png" alt-text="Screenshot shows Save the profile." lightbox="./media/point-to-site-entra-vpn-client-windows/connection-properties.png":::
6363
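
Review bot: Line 60 keeps the "In this example" framing that the other files in this commit remove, and it still reads "Change the name of the Connection name" and "associated to". Suggest "Change the **Connection name** (optional). The Audience value shown is the value associated with the Microsoft-registered Azure VPN Client App ID." and leave the final sentence about matching the gateway value as it is.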

includes/virtual-wan-entra-app-id-descriptions.md

Lines changed: 1 addition & 3 deletions
@@ -1,7 +1,7 @@
11
---
22
author: cherylmc
33
ms.author: cherylmc
4-
ms.date: 01/14/2025
4+
ms.date: 02/10/2025
55
ms.service: azure-vpn-gateway
66
ms.custom: linux-related-content
77
ms.topic: include
@@ -16,8 +16,6 @@ When possible, we recommend that you configure new P2S User VPN gateways using t
1616

1717
* A P2S User VPN gateway can only support one Audience value. It can't support multiple Audience values simultaneously.
1818

19-
* At this time, the newer Microsoft-registered App ID doesn't support as many Audience values as the older, manually registered app. If you need an Audience value for anything other than Azure Public or Custom, use the older manually registered method and values.
20-
2119
* The Azure VPN Client for Linux isn't backward compatible with P2S gateways configured to use the older Audience values that align with the manually registered app. However, the Azure VPN Client for Linux does support Custom Audience values.
2220

2321
* [!INCLUDE [Supported versions](vpn-gateway-azure-vpn-client-linux-supported-releases.md)]
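
Review bot: Deleting the bullet at old line 19 removes the only guidance in these Considerations aimed at readers outside Azure Public, who were told to "use the older manually registered method and values". Nothing in the include now tells them that the Microsoft-registered value covers their cloud. Add a replacement bullet that says so, in line with the updated audience values table in this commit, so gateways configured under the old advice are identified for update.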

includes/vpn-gateway-azure-vpn-client-linux-supported-releases.md

Lines changed: 1 addition & 1 deletion
@@ -1,7 +1,7 @@
11
---
22
ms.author: cherylmc
33
author: cherylmc
4-
ms.date: 06/05/2024
4+
ms.date: 02/10/2025
55
ms.service: azure-vpn-gateway
66
ms.custom: linux-related-content
77
ms.topic: include

includes/vpn-gateway-entra-app-id-descriptions.md

Lines changed: 2 additions & 4 deletions
@@ -1,7 +1,7 @@
11
---
22
author: cherylmc
33
ms.author: cherylmc
4-
ms.date: 01/16/2025
4+
ms.date: 02/10/2025
55
ms.service: azure-vpn-gateway
66
ms.custom: linux-related-content
77
ms.topic: include
@@ -10,16 +10,14 @@ VPN Gateway now supports a new Microsoft-registered App ID and corresponding Aud
1010

1111
Previously, you were required to manually register (integrate) the Azure VPN Client app with your Microsoft Entra tenant. Registering the client app creates an App ID representing the identity of the Azure VPN Client application and requires authorization using the Global Administrator role. To better understand the difference between the types of application objects, see [How and why applications are added to Microsoft Entra ID](/entra/identity-platform/how-applications-are-added).
1212

13-
When possible, we recommend that you configure new P2S gateways using the Microsoft-registered Azure VPN client App ID and its corresponding Audience values, instead of manually registering the Azure VPN Client app with your tenant. If you have a previously configured Azure VPN gateway that uses Microsoft Entra ID authentication, you can update the gateway and clients to take advantage of the new Microsoft-registered App ID. Updating the P2S gateway with the new Audience value is required if you want Linux clients to connect. The Azure VPN Client for Linux isn't backward compatible with the older Audience values.
13+
When possible, we recommend that you configure new P2S gateways using the Microsoft-registered Azure VPN client App ID and its corresponding Audience values, instead of manually registering the Azure VPN Client app with your tenant. If you have a previously configured Azure VPN gateway that uses Microsoft Entra ID authentication, you can update the gateway and clients to take advantage of the new Microsoft-registered App ID. Updating the P2S gateway with the new Audience value is required if you want Linux clients to connect. The Azure VPN Client for Linux isn't backward compatible with the older Audience values.
1414

1515
If you have an existing P2S gateway that you want to update to use a new Audience value, see [Change Audience for a P2S VPN gateway](../articles/vpn-gateway/point-to-site-entra-gateway-update.md). If you want to create or modify a custom Audience value, see [Create a custom audience app ID for P2S VPN](../articles/vpn-gateway/point-to-site-entra-register-custom-app.md). If you want to configure or restrict access to P2S based on users and groups, see [Scenario: Configure P2S VPN access based on users and groups](../articles/vpn-gateway/point-to-site-entra-users-access.md).
1616

1717
**Considerations**
1818

1919
* A P2S VPN gateway can only support one Audience value. It can't support multiple Audience values simultaneously.
2020

21-
* At this time, the newer Microsoft-registered App ID doesn't support as many Audience values as the older, manually registered app. If you need an Audience value for anything other than Azure Public or Custom, use the older manually registered method and values.
22-
2321
* The Azure VPN Client for Linux isn't backward compatible with P2S gateways configured to use the older Audience values that align with the manually registered app. However, the Azure VPN Client for Linux does support Custom Audience values.
2422

2523
* [!INCLUDE [Supported versions](vpn-gateway-azure-vpn-client-linux-supported-releases.md)]
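
Review bot: Line 13 states that updating to the new Audience value "is required if you want Linux clients to connect", but the Considerations bullet at new line 21 says the Azure VPN Client for Linux "does support Custom Audience values". Since line 13 is already touched in this hunk (the rendered text is identical, so the change looks like whitespace only), reword it so the two agree, for example: Linux clients require either the Microsoft-registered Audience value or a custom Audience value. The removed bullet at old line 21 needs the same replacement guidance for non-Public clouds as the Virtual WAN include.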
Lines changed: 2 additions & 2 deletions
@@ -1,13 +1,13 @@
11
---
22
author: cherylmc
33
ms.author: cherylmc
4-
ms.date: 07/24/2024
4+
ms.date: 02/10/2025
55
ms.service: azure-vpn-gateway
66
ms.topic: include
77
---
88

99
|App ID | Supported Audience values| Supported clients|
1010
|---|---|---|
11-
|Microsoft-registered | - Azure Public: `c632b3df-fb67-4d84-bdcf-b95ad541b5c8` |- Linux<br>- Windows<br>- macOS |
11+
|Microsoft-registered | This audience value applies to Azure Public, Azure Government, Azure Germany, and Microsoft Azure operated by 21Vianet: <br> `c632b3df-fb67-4d84-bdcf-b95ad541b5c8` |- Linux<br>- Windows<br>- macOS |
1212
|Manually registered | - Azure Public: `41b23e61-6c1e-4545-b367-cd054e0ed4b4`<br>- Azure Government: `51bb15d4-3a4f-4ebf-9dca-40096fe32426`<br>- Azure Germany: `538ee9e6-310a-468d-afef-ea97365856a9`<br>- Microsoft Azure operated by 21Vianet: `49f817b6-84ae-4cc0-928c-73f27289b3aa` | - Windows<br> - macOS|
1313
|Custom | `<custom-app-id>` | - Linux<br>- Windows<br> - macOS |
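
Review bot: The Microsoft-registered row at line 11 now puts a full sentence in the "Supported Audience values" cell while the Manually registered row keeps the "- Cloud: `value`" list form, which makes the column hard to scan when comparing the two App ID types. Consider listing the four clouds in the same list form against the single GUID, or shortening the cell to the cloud names and the value, so a reader moving a gateway from a manually registered value can match rows cloud by cloud.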
