Commit a12d22b

Merge pull request #294646 from cherylmc/1p-entra
update Entra ID note
2 parents 5904d85 + 840dbf3 commit a12d22b

11 files changed, +42 / -65 lines changed

articles/virtual-wan/TOC.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -252,9 +252,9 @@
252252
items:
253253
- name: P2S server configuration
254254
items:
255-
- name: P2S - Microsoft-registered VPN client app
255+
- name: Configure P2S - Microsoft Entra ID authentication
256256
href: point-to-site-entra-gateway.md
257-
- name: P2S - manually registered VPN client app
257+
- name: Configure P2S - manually registered VPN client
258258
href: virtual-wan-point-to-site-azure-ad.md
259259
- name: Change VPN client app to Microsoft-registered
260260
href: point-to-site-entra-gateway-update.md
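Review bot: The renamed first entry, `Configure P2S - Microsoft Entra ID authentication`, no longer distinguishes itself from the entry directly below it, because the manually registered VPN client path is also Microsoft Entra ID authentication; a reader scanning the TOC can't tell that the two differ only in how the client app is registered. Consider keeping a qualifier, e.g. `- name: Configure P2S - Microsoft Entra ID authentication (Microsoft-registered client)`, and apply the same wording to the vpn-gateway TOC later in this commit so the two products stay aligned.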

articles/virtual-wan/point-to-site-entra-gateway.md

Lines changed: 4 additions & 7 deletions
@@ -6,18 +6,15 @@ services: virtual-wan
66
author: cherylmc
77
ms.service: azure-virtual-wan
88
ms.topic: how-to
9-
ms.date: 01/14/2025
9+
ms.date: 02/13/2025
1010
ms.author: cherylmc
1111

1212
#Audience ID values are not sensitive data.
1313

1414
---
15-
# Configure P2S User VPN for Microsoft Entra ID authentication – Microsoft-registered app
15+
# Configure a point-to-site User VPN connection - Microsoft Entra ID authentication
1616

17-
This article helps you configure point-to-site User VPN connection to Virtual WAN that uses Microsoft Entra ID authentication and the new Microsoft-registered Azure VPN Client App ID.
18-
19-
> [!NOTE]
20-
> The steps in this article apply to Microsoft Entra ID authentication using the new Microsoft-registered Azure VPN Client App ID and associated Audience values. This article doesn't apply to the older, manually registered Azure VPN Client app for your tenant. For the manually registered Azure VPN Client steps, see [Configure P2S User VPN using manually registered VPN client](virtual-wan-point-to-site-azure-ad.md).
17+
This article helps you configure point-to-site User VPN connection to Virtual WAN that uses Microsoft Entra ID authentication and the new **Microsoft-registered Azure VPN Client App ID**.
2118

2219
[!INCLUDE [About Microsoft-registered app](../../includes/virtual-wan-entra-app-id-descriptions.md)]
2320

@@ -73,7 +70,7 @@ A User VPN configuration defines the parameters for connecting remote clients. I
7370
:::image type="content" source="./media/virtual-wan-point-to-site-azure-ad/values.png" alt-text="Screenshot of the Microsoft Entra ID page." lightbox="./media/virtual-wan-point-to-site-azure-ad/values.png"::: Configure the following values:
7471

7572
* **Azure Active Directory** - Select **Yes**.
76-
* **Audience** - Enter the corresponding value for the Microsoft-registered Azure VPN Client App ID, Azure Public: `c632b3df-fb67-4d84-bdcf-b95ad541b5c8`. [Custom audience](point-to-site-entra-register-custom-app.md) is also supported for this field.
73+
* **Audience** - Enter the corresponding value for the Microsoft-registered Azure VPN Client App ID: `c632b3df-fb67-4d84-bdcf-b95ad541b5c8`. [Custom audience](point-to-site-entra-register-custom-app.md) is also supported for this field.
7774
* **Issuer** - Enter `https://sts.windows.net/<your Directory ID>/`.
7875
* **AAD Tenant** - Enter the TenantID for the Microsoft Entra tenant. Make sure there isn't an `/` at the end of the Microsoft Entra tenant URL.
7976

articles/virtual-wan/point-to-site-entra-register-custom-app.md

Lines changed: 6 additions & 14 deletions
@@ -5,31 +5,23 @@ description: Learn how to create or modify a custom audience App ID or upgrade a
55
author: cherylmc
66
ms.service: azure-virtual-wan
77
ms.topic: concept-article
8-
ms.date: 01/14/2025
8+
ms.date: 02/25/2025
99
ms.author: cherylmc
1010
---
1111

1212
# Create or modify a custom audience app ID for User VPN Microsoft Entra ID authentication
1313

1414
The steps in this article help you create a Microsoft Entra ID custom App ID (custom audience) for the new Microsoft-registered Azure VPN Client for User VPN point-to-site (P2S) connections. You can also update your existing tenant to [change the new Microsoft-registered Azure VPN Client app](#change) from the previous Azure VPN Client app.
1515

16-
When you configure a custom audience app ID, you can use any of the supported values associated with the Azure VPN Client app. We recommend that you associate the Microsoft-registered App ID Azure Public audience value `c632b3df-fb67-4d84-bdcf-b95ad541b5c8` to your custom app when possible. For the full list of supported values, see the [Azure VPN Client Audience values table](point-to-site-entra-gateway.md).
17-
1816
This article provides high-level steps. The screenshots to register an application might be slightly different, depending on the way you access the user interface, but the settings are the same. For more information, see [Quickstart: Register an application](/entra/identity-platform/quickstart-register-app).
1917

2018
## Prerequisites
2119

2220
* This article assumes that you already have a Microsoft Entra tenant and the permissions to create an Enterprise Application, typically the [Cloud Application Administrator role](/entra/identity/role-based-access-control/permissions-reference#cloud-application-administrator) or higher. For more information, see [Create a new tenant in Microsoft Entra ID](/entra/fundamentals/create-new-tenant) and [Assign user roles with Microsoft Entra ID](/entra/fundamentals/users-assign-role-azure-portal).
2321

24-
* This article assumes that you're using the **Microsoft-registered App ID Azure Public** audience value `c632b3df-fb67-4d84-bdcf-b95ad541b5c8` to configure your custom app. This value has global consent, which means you don't need to manually register it to provide consent for your organization. We recommend that you use this value.
25-
26-
* At this time, there's only one supported audience value for the Microsoft-registered app. See the [supported audience value table](../vpn-gateway/point-to-site-about.md#entra-id) for additional supported values.
27-
28-
* If the Microsoft-registered audience value isn't compatible with your configuration, you can still use the older manually registered ID values.
29-
30-
* If you need to use a manually registered app ID value instead, you must give consent to allow the app to sign in and read user profiles before proceeding with this configuration. You must sign in with an account that's assigned the [Cloud Application Administrator role](/entra/identity/role-based-access-control/permissions-reference#cloud-application-administrator).
22+
* We recommend that you use the audience value `c632b3df-fb67-4d84-bdcf-b95ad541b5c8` to configure your custom app. This value has global consent, which means you don't need to manually register it to provide consent for your organization.
3123

32-
1. To grant admin consent for your organization, modify the following command to contain the desired `client_id` value. In the example, the client_id value is for Azure Public. See the [table](../vpn-gateway/point-to-site-about.md#entra-id) for additional supported values.
24+
1. To grant admin consent for your organization, modify the following command to contain the desired `client_id` value. See the [table](../vpn-gateway/point-to-site-about.md#entra-id) for additional supported values.
3325

3426
```https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent```
3527

@@ -41,15 +33,15 @@ This article provides high-level steps. The screenshots to register an applicati
4133

4234
## Configure the gateway
4335

44-
After you've completed the steps in the previous sections, continue to [Configure Virtual WAN User VPN for Microsoft Entra ID authentication - Microsoft-registered app](point-to-site-entra-gateway.md).
36+
After you've completed the steps in the previous sections, continue to [Configure Virtual WAN User VPN for Microsoft Entra ID authentication](point-to-site-entra-gateway.md).
4537

4638
## <a name="change"></a>Update to Microsoft-registered VPN app Client ID
4739

4840
> [!NOTE]
49-
> These steps can be used for any of the supported values associated with the Azure VPN Client app. We recommend that you associate the Microsoft-registered App ID Azure Public audience value `c632b3df-fb67-4d84-bdcf-b95ad541b5c8` to your custom app when possible.
41+
> While these steps can be used for any of the supported values associated with the Azure VPN Client app, we recommend that you associate the Microsoft-registered App ID value `c632b3df-fb67-4d84-bdcf-b95ad541b5c8` to your custom app.
5042
5143
[!INCLUDE [Change custom audience](../../includes/vpn-gateway-custom-audience-change.md)]
5244

5345
## Next steps
5446

55-
[Configure Virtual WAN P2S User VPN for Microsoft Entra ID authentication - Microsoft-registered app](point-to-site-entra-gateway.md).
47+
[Configure Virtual WAN P2S User VPN for Microsoft Entra ID authentication](point-to-site-entra-gateway.md).
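Review bot: In the rewritten NOTE (new line 41), "associate the ... value `c632b3df-...` to your custom app" should be "associate ... with your custom app". The sentence also still asserts the steps work "for any of the supported values" although the prerequisite text listing those values was removed in the previous hunk; link the table (`../vpn-gateway/point-to-site-about.md#entra-id`) here as the earlier hunk does.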

articles/virtual-wan/virtual-wan-point-to-site-azure-ad.md

Lines changed: 6 additions & 10 deletions
@@ -1,27 +1,23 @@
11
---
2-
title: 'Create a P2S User VPN connection - Microsoft Entra ID authentication'
2+
title: 'Configure a P2S User VPN - Microsoft Entra ID authentication - manually registered Azure VPN Client App ID'
33
titleSuffix: Azure Virtual WAN
4-
description: Learn how to configure Microsoft Entra ID authentication for Virtual WAN User VPN (point-to-site).
4+
description: Learn how to configure Microsoft Entra ID authentication for Virtual WAN User VPN (point-to-site) using a manually registered Azure VPN Client App ID.
55
services: virtual-wan
66
author: cherylmc
77
ms.service: azure-virtual-wan
88
ms.topic: how-to
9-
ms.date: 02/12/2025
9+
ms.date: 02/25/2025
1010
ms.author: cherylmc
1111

1212
#Audience ID values are not sensitive data.
1313

1414
---
15-
# Create a P2S User VPN connection using Azure Virtual WAN - Microsoft Entra ID authentication
15+
# Configure P2S User VPN gateway for Microsoft Entra ID authentication – manually registered app
1616

17-
This article shows you how to use Virtual WAN to connect to your resources in Azure. In this article, you create a point-to-site User VPN connection to Virtual WAN that uses Microsoft Entra IDauthentication. Microsoft Entra ID authentication is only available for gateways that use the OpenVPN protocol.
17+
This article shows you how to use Virtual WAN to connect to your resources in Azure. In this article, you create a point-to-site User VPN connection to Virtual WAN that uses Microsoft Entra ID authentication. Microsoft Entra ID authentication is only available for gateways that use the OpenVPN protocol. While the steps and Audience values in this article do result in a working configuration, we recommend that you use the [Configure P2S VPN Gateway for Microsoft Entra ID authentication](point-to-site-entra-gateway.md) article instead.
1818

1919
> [!IMPORTANT]
20-
> We recommend that you use the new [Microsoft-registered Azure VPN Client App ID](point-to-site-entra-gateway.md) article instead. The steps in this article pertain the original way of configuring your P2S gateway for Microsoft Entra ID authentication. The new article provides a more streamlined experience and is the recommended way to configure your P2S gateway. Additionally, more VPN clients are supported using the new method.
21-
22-
[!INCLUDE [About Microsoft-registered app](../../includes/virtual-wan-entra-app-id-descriptions.md)]
23-
24-
[!INCLUDE [OpenVPN note](../../includes/vpn-gateway-openvpn-auth-include.md)]
20+
> We recommend using the new [Configure P2S VPN Gateway for Microsoft Entra ID authentication](point-to-site-entra-gateway.md) article. The new article offers a more efficient setup process using the new **Microsoft-registered Azure VPN Client App ID** Audience value. Additionally, the new Audience value now supports the Azure VPN Client for Linux. If your P2S User VPN gateway is already set up with the manually configured Azure VPN Client Audience values, you can [migrate](point-to-site-entra-gateway-update.md) to the new Microsoft-registered App ID.
2521
2622
In this article, you learn how to:
2723

articles/vpn-gateway/TOC.yml

Lines changed: 1 addition & 1 deletion
@@ -197,7 +197,7 @@
197197
items:
198198
- name: P2S gateway configuration
199199
items:
200-
- name: Configure P2S - Microsoft-registered VPN client
200+
- name: Configure P2S - Microsoft Entra ID authentication
201201
href: point-to-site-entra-gateway.md
202202
- name: Configure P2S - manually registered VPN client
203203
href: openvpn-azure-ad-tenant.md
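Review bot: Same point as on the Virtual WAN TOC: after this rename both entries under "P2S gateway configuration" describe Microsoft Entra ID authentication, and only the second says how the client app is registered. Keep a qualifier on the first entry so the distinction survives in the TOC.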

articles/vpn-gateway/openvpn-azure-ad-tenant.md

Lines changed: 6 additions & 8 deletions
@@ -1,25 +1,23 @@
11
---
2-
title: 'Configure P2S VPN gateway for Microsoft Entra ID authentication - manually registered App'
2+
title: 'Configure a P2S VPN - Microsoft Entra ID authentication - manually registered Azure VPN Client App ID'
33
titleSuffix: Azure VPN Gateway
44
description: Learn how to set up a Microsoft Entra tenant and P2S gateway for P2S Microsoft Entra authentication - OpenVPN protocol.
55
author: cherylmc
66
ms.service: azure-vpn-gateway
77
ms.topic: how-to
8-
ms.date: 10/08/2024
8+
ms.date: 02/25/2025
99
ms.author: cherylmc
1010

1111
#Note that Audience values are not sensitive data.
1212

1313
---
1414

15-
# Configure P2S VPN Gateway for Microsoft Entra ID authentication – manually registered app
15+
# Configure P2S VPN gateway for Microsoft Entra ID authentication – manually registered app
1616

17-
This article helps you configure a point-to-site (P2S) VPN gateway for Microsoft Entra ID authentication and manually register the Azure VPN client. This type of configuration is supported only for OpenVPN protocol connections.
17+
This article helps you configure a point-to-site (P2S) VPN gateway for Microsoft Entra ID authentication and manually register the Azure VPN client. This type of configuration is supported only for OpenVPN protocol connections. While the steps and Audience values in this article do result in a working configuration, we recommend that you use the [Configure P2S VPN Gateway for Microsoft Entra ID authentication](point-to-site-entra-gateway.md) article instead.
1818

19-
You can also create this type of P2S VPN Gateway configuration using the steps for the new [Microsoft-registered VPN Client app](point-to-site-entra-gateway.md). Using the newer version bypasses the steps to register the Azure VPN Client with your Microsoft Entra tenant. It also supports more client operating systems. However, not all audience values are supported. For more information about point-to-site protocols and authentication, see [About VPN Gateway point-to-site VPN](point-to-site-about.md). For information about creating and modifying custom audiences, see [Create or modify a custom audience](point-to-site-entra-register-custom-app.md).
20-
21-
> [!NOTE]
22-
> When possible, we recommend that you use the new [Microsoft-registered VPN Client app](point-to-site-entra-gateway.md) instructions instead.
19+
> [!IMPORTANT]
20+
> We recommend using the new [Configure P2S VPN Gateway for Microsoft Entra ID authentication](point-to-site-entra-gateway.md) article. The new article offers a more efficient setup process using the new **Microsoft-registered Azure VPN Client App ID** Audience value. Additionally, the new Audience value now supports the Azure VPN Client for Linux. If your P2S User VPN gateway is already set up with the manually configured Azure VPN Client Audience values, you can [migrate](point-to-site-entra-gateway-update.md) to the new Microsoft-registered App ID.
2321
2422
## Prerequisites
2523

articles/vpn-gateway/point-to-site-entra-gateway.md

Lines changed: 3 additions & 6 deletions
@@ -6,17 +6,14 @@ author: cherylmc
66
ms.service: azure-vpn-gateway
77
ms.custom: linux-related-content
88
ms.topic: how-to
9-
ms.date: 02/10/2025
9+
ms.date: 02/13/2025
1010
ms.author: cherylmc
1111
# Customer intent: As an VPN Gateway administrator, I want to configure point-to-site to allow Microsoft Entra ID authentication using the Microsoft-registered Azure VPN Client APP ID.
1212
---
1313

14-
# Configure P2S VPN Gateway for Microsoft Entra ID authentication – Microsoft-registered app
14+
# Configure P2S VPN Gateway for Microsoft Entra ID authentication
1515

16-
This article helps you configure your point-to-site (P2S) VPN gateway for Microsoft Entra ID authentication using the new Microsoft-registered Azure VPN Client App ID.
17-
18-
> [!NOTE]
19-
> The steps in this article apply to Microsoft Entra ID authentication using the new Microsoft-registered Azure VPN Client App ID and associated Audience values. This article doesn't apply to the older, manually registered Azure VPN Client app for your tenant. For the manually registered Azure VPN Client steps, see [Configure P2S using manually registered VPN client](openvpn-azure-ad-tenant.md).
16+
This article helps you configure your point-to-site (P2S) VPN gateway for Microsoft Entra ID authentication using the new **Microsoft-registered Azure VPN Client App ID**.
2017

2118
[!INCLUDE [About Microsoft-registered app](../../includes/vpn-gateway-entra-app-id-descriptions.md)]
2219

includes/virtual-wan-entra-app-id-descriptions.md

Lines changed: 5 additions & 4 deletions
@@ -2,15 +2,16 @@
22
author: cherylmc
33
ms.author: cherylmc
44
ms.date: 02/10/2025
5-
ms.service: azure-vpn-gateway
5+
ms.service: azure-virtual-wan
66
ms.custom: linux-related-content
77
ms.topic: include
88
---
9-
Virtual WAN now supports a new Microsoft-registered App ID and corresponding Audience values for the latest versions of the Azure VPN Client. When you configure a P2S User VPN VPN gateway using the new Audience values, you skip the Azure VPN Client app manual registration process for your Microsoft Entra tenant. The App ID is already created and your tenant is automatically able to use it with no extra registration steps. This process is more secure than manually registering the Azure VPN Client because you don't need to authorize the app or assign permissions via the Global administrator role.
109

11-
Previously, you were required to manually register (integrate) the Azure VPN Client app with your Microsoft Entra tenant. Registering the client app creates an App ID representing the identity of the Azure VPN Client application and requires authorization using the Global Administrator role. To better understand the difference between the types of application objects, see [How and why applications are added to Microsoft Entra ID](/entra/identity-platform/how-applications-are-added).
10+
Virtual WAN now supports a Microsoft-registered App ID and corresponding Audience values for the latest versions of the Azure VPN Client. When you configure a P2S VPN gateway using the new Audience values, you skip the previously required Azure VPN Client app manual registration process for your Microsoft Entra tenant. The App ID is already created and your tenant is automatically able to use it with no extra registration steps. This process is more secure than manually registering the Azure VPN Client because you don't need to authorize the app or assign permissions via the Cloud App Administrator role. To better understand the difference between the types of application objects, see [How and why applications are added to Microsoft Entra ID](/entra/identity-platform/how-applications-are-added).
1211

13-
When possible, we recommend that you configure new P2S User VPN gateways using the Microsoft-registered Azure VPN client App ID and its corresponding Audience values instead of manually registering the Azure VPN Client app with your tenant. If you have a previously configured a P2S User VPN gateway that uses Microsoft Entra ID authentication, you can update the gateway and clients to take advantage of the new Microsoft-registered App ID. Updating the P2S gateway with the new Audience value is required if you want Linux clients to connect. The Azure VPN Client for Linux isn't backward compatible with the older Audience values.
12+
* If your P2S User VPN gateway is configured using the Audience values for the manually configured Azure VPN Client app, you can easily [change](../articles/virtual-wan/point-to-site-entra-gateway-update.md) the gateway and client settings to take advantage of the new Microsoft-registered App ID. If you want Linux clients to connect, you must update the P2S gateway with the new Audience value. The Azure VPN Client for Linux isn't backward compatible with the older Audience values.
13+
14+
* For this configuration, you can instead, use a custom Audience value. For more information, see [Create a custom audience app ID for P2S VPN](../articles/virtual-wan/point-to-site-entra-register-custom-app.md).
1415

1516
**Considerations**
1617
