
Commit c54c10d

Merge pull request #293032 from cherylmc/vwan-azuread
VWAN Tenant
2 parents 9c05405 + 7539b56 commit c54c10d

4 files changed

+165
-3
lines changed


articles/virtual-wan/TOC.yml

Lines changed: 3 additions & 1 deletion
@@ -208,7 +208,9 @@
208208
href: certificates-point-to-site.md
209209
- name: Microsoft Entra ID authentication
210210
items:
211-
- name: Configure a P2S VPN
211+
- name: Configure P2S - Microsoft-registered VPN client
212+
href: point-to-site-entra-gateway.md
213+
- name: Configure P2S - manually registered VPN client
212214
href: virtual-wan-point-to-site-azure-ad.md
213215
- name: Configure a tenant
214216
href: openvpn-azure-ad-tenant.md
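Review bot: The labels `- name: Configure P2S - Microsoft-registered VPN client` and `- name: Configure P2S - manually registered VPN client` use a spaced hyphen as the separator and the noun "client", while the H1 of the article this PR adds uses an en dash and "app" ("Configure P2S User VPN for Microsoft Entra ID authentication – Microsoft-registered app"); pick one separator and one noun so the TOC label matches the heading of the page it opens.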
Lines changed: 129 additions & 0 deletions
@@ -0,0 +1,129 @@
1+
---
2+
title: 'Configure P2S User VPN for Microsoft Entra ID authentication: Microsoft-registered client'
3+
titleSuffix: Azure Virtual WAN
4+
description: Learn how to configure Virtual WAN P2S User VPN server settings for Microsoft Entra ID authentication using Microsoft-registered Azure VPN Client.
5+
services: virtual-wan
6+
author: cherylmc
7+
ms.service: azure-virtual-wan
8+
ms.topic: how-to
9+
ms.date: 01/14/2025
10+
ms.author: cherylmc
11+
12+
#Audience ID values are not sensitive data.
13+
14+
---
15+
# Configure P2S User VPN for Microsoft Entra ID authentication – Microsoft-registered app
16+
17+
This article helps you configure point-to-site User VPN connection to Virtual WAN that uses Microsoft Entra ID authentication and the new Microsoft-registered Azure VPN Client App ID.
18+
19+
> [!NOTE]
20+
> The steps in this article apply to Microsoft Entra ID authentication using the new Microsoft-registered Azure VPN Client App ID and associated Audience values. This article doesn't apply to the older, manually registered Azure VPN Client app for your tenant. For the manually registered Azure VPN Client steps, see [Configure P2S using manually registered VPN client](virtual-wan-point-to-site-azure-ad.md).
21+
22+
[!INCLUDE [About Microsoft-registered app](../../includes/virtual-wan-entra-app-id-descriptions.md)]
23+
24+
[!INCLUDE [OpenVPN note](../../includes/vpn-gateway-openvpn-auth-include.md)]
25+
26+
In this article, you learn how to:
27+
28+
* Create a virtual WAN
29+
* Create a User VPN configuration
30+
* Download a virtual WAN User VPN profile
31+
* Create a virtual hub
32+
* Edit a hub to add P2S gateway
33+
* Connect a virtual network to a virtual hub
34+
* Download and apply the User VPN client configuration
35+
* View your virtual WAN
36+
37+
:::image type="content" source="./media/virtual-wan-about/virtualwanp2s.png" alt-text="Screenshot of Virtual WAN diagram." lightbox="./media/virtual-wan-about/virtualwanp2s.png":::
38+
39+
## Before you begin
40+
41+
Verify that you've met the following criteria before beginning your configuration:
42+
43+
* You have a virtual network that you want to connect to. Verify that none of the subnets of your on-premises networks overlap with the virtual networks that you want to connect to. To create a virtual network in the Azure portal, see the [Quickstart](../virtual-network/quick-create-portal.md).
44+
45+
* Your virtual network doesn't have any virtual network gateways. If your virtual network has a gateway (either VPN or ExpressRoute), you must remove all gateways. The steps for this configuration help you connect your virtual network to the Virtual WAN virtual hub gateway.
46+
47+
* Obtain an IP address range for your hub region. The hub is a virtual network that is created and used by Virtual WAN. The address range that you specify for the hub can't overlap with any of your existing virtual networks that you connect to. It also can't overlap with your address ranges that you connect to on premises. If you're unfamiliar with the IP address ranges located in your on-premises network configuration, coordinate with someone who can provide those details for you.
48+
49+
* You need a Microsoft Entra ID tenant for this configuration. If you don't have one, you can create one by following the instructions in [Create a new tenant](/entra/fundamentals/create-new-tenant).
50+
51+
## <a name="wan"></a>Create a virtual WAN
52+
53+
From a browser, navigate to the [Azure portal](https://portal.azure.com) and sign in with your Azure account.
54+
55+
[!INCLUDE [Create a virtual WAN](../../includes/virtual-wan-create-vwan-include.md)]
56+
57+
## <a name="user-config"></a>Create a User VPN configuration
58+
59+
A User VPN configuration defines the parameters for connecting remote clients. It's important to create the User VPN configuration before configuring your virtual hub with P2S settings, as you must specify the User VPN configuration you want to use.
60+
61+
> [!IMPORTANT]
62+
> [!INCLUDE [Microsoft Entra ID note for portal pages](../../includes/vpn-gateway-entra-portal-note.md)]
63+
64+
1. Go to your Virtual WAN. In the left pane, expand **Connectivity** and select the **User VPN configurations** page. On the **User VPN configurations** page, click **+Create user VPN config**.
65+
1. On the **Basics** page, specify the following parameters.
66+
67+
* **Configuration name** - Enter the name you want to call your User VPN Configuration. For example, **TestConfig1**.
68+
* **Tunnel type** - Select OpenVPN from the dropdown menu.
69+
1. At the top of the page, click **Azure Active Directory**. You can view the necessary values on the Microsoft Entra ID page for Enterprise applications in the portal.
70+
71+
:::image type="content" source="./media/virtual-wan-point-to-site-azure-ad/values.png" alt-text="Screenshot of the Microsoft Entra ID page." lightbox="./media/virtual-wan-point-to-site-azure-ad/values.png"::: Configure the following values:
72+
73+
* **Azure Active Directory** - Select **Yes**.
74+
* **Audience** - Enter the corresponding value for the Microsoft-registered Azure VPN Client App ID, Azure Public: `c632b3df-fb67-4d84-bdcf-b95ad541b5c8`. [Custom audience](../vpn-gateway/point-to-site-entra-register-custom-app.md) is also supported for this field.
75+
* **Issuer** - Enter `https://sts.windows.net/<your Directory ID>/`.
76+
* **AAD Tenant** - Enter the TenantID for the Microsoft Entra tenant. Make sure there isn't an `/` at the end of the Microsoft Entra tenant URL.
77+
78+
1. Click **Create** to create the User VPN configuration. You'll select this configuration later in the exercise.
79+
80+
## <a name="site"></a>Create an empty hub
81+
82+
Next, create the virtual hub. The steps in this section create an empty virtual hub to which you can later add the P2S gateway. However, it's always much more efficient to combine creating the hub along with the gateway because each time you make a configuration change to the hub, you have to wait for the hub settings to build.
83+
84+
For demonstration purposes, we'll create an empty hub first, then add the P2S gateway in the next section. But, you can choose to incorporate the P2S gateway settings from the next section at the same time you configure the hub.
85+
86+
[!INCLUDE [Create an empty hub](../../includes/virtual-wan-hub-basics.md)]
87+
88+
After configuring the settings, click **Review + create** to validate, then **Create** the hub. It can take up to 30 minutes to create a hub.
89+
90+
## <a name="hub"></a>Add a P2S gateway to a hub
91+
92+
This section shows you how to add a gateway to an already existing virtual hub. It can take up to 30 minutes to update a hub.
93+
94+
1. Go to your Virtual WAN. In the left pane, expand **Settings** and select **Hubs**.
95+
1. Click the name of the hub that you want to edit.
96+
1. Click **Edit virtual hub** at the top of the page to open the **Edit virtual hub** page.
97+
1. On the **Edit virtual hub** page, check the checkboxes for **Include vpn gateway for vpn sites** and **Include point-to-site gateway** to reveal the settings. Then configure the values.
98+
99+
:::image type="content" source="./media/virtual-wan-point-to-site-azure-ad/hub.png" alt-text="Screenshot shows the Edit virtual hub." lightbox="./media/virtual-wan-point-to-site-azure-ad/hub.png":::
100+
101+
* **Gateway scale units**: Select the Gateway scale units. Scale units represent the aggregate capacity of the User VPN gateway. If you select 40 or more gateway scale units, plan your client address pool accordingly. For information about how this setting impacts the client address pool, see [About client address pools](about-client-address-pools.md). For information about gateway scale units, see the [FAQ](virtual-wan-faq.md#p2s-concurrent).
102+
* **User VPN configuration**: Select the configuration that you created earlier.
103+
* **User Groups to Address Pools Mapping**: Specify address pools. For information about this setting, see [Configure user groups and IP address pools for P2S User VPNs](user-groups-create.md).
104+
105+
1. After configuring the settings, click **Confirm** to update the hub. It can take up to 30 minutes to update a hub.
106+
107+
## <a name="connect-vnet"></a>Connect virtual network to hub
108+
109+
In this section, you create a connection between your virtual hub and your virtual network.
110+
111+
[!INCLUDE [Connect virtual network](../../includes/virtual-wan-connect-vnet-hub-include.md)]
112+
113+
## <a name="download-profile"></a>Download User VPN profile
114+
115+
All of the necessary configuration settings for the VPN clients are contained in a VPN client configuration zip file. The settings in the zip file help you easily configure the VPN clients. The VPN client configuration files that you generate are specific to the User VPN configuration for your gateway. You can download global (WAN-level) profiles, or a profile for a specific hub. For information and additional instructions, see [Download global and hub profiles](global-hub-profile.md). The following steps walk you through downloading a global WAN-level profile.
116+
117+
[!INCLUDE [Download profile](../../includes/virtual-wan-p2s-download-profile-include.md)]
118+
119+
## <a name="configure-client"></a>Configure the Azure VPN Client
120+
121+
Next, you examine the profile configuration package, configure the Azure VPN Client for the client computers, and connect to Azure. See the articles listed in the Next steps section.
122+
123+
## Next steps
124+
125+
Configure the Azure VPN Client. You can use the steps in the VPN Gateway client documentation to configure the Azure VPN Client for Virtual WAN.
126+
127+
* [Azure VPN Client for Linux](../vpn-gateway/point-to-site-entra-vpn-client-linux.md)
128+
* [Azure VPN Client for Windows](../vpn-gateway/point-to-site-entra-vpn-client-windows.md)
129+
* [Azure VPN Client for macOS](../vpn-gateway/point-to-site-entra-vpn-client-mac.md)
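Review bot: The **Issuer** and **AAD Tenant** bullets in the "Create a User VPN configuration" step describe the same tenant identifier three different ways: the Issuer placeholder is `<your Directory ID>`, the Tenant bullet says "Enter the TenantID", and its caveat then refers to "the end of the Microsoft Entra tenant URL", so a reader can't tell whether that field expects a bare GUID or a URL. State the expected format once, with a placeholder in the same style as the Issuer line, use a single term for the identifier, and change "an `/`" to "a `/`". Two smaller points: the "In this article, you learn how to" list doesn't match the body (it names "View your virtual WAN", which has no section; it lists "Download a virtual WAN User VPN profile" before the hub is created, whereas the sections do the reverse; and "Download and apply the User VPN client configuration" is deferred to Next steps), and the H1 says "Microsoft-registered app" where the title and description say "Microsoft-registered client".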
Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
---
2+
author: cherylmc
3+
ms.author: cherylmc
4+
ms.date: 01/14/2025
5+
ms.service: azure-vpn-gateway
6+
ms.custom: linux-related-content
7+
ms.topic: include
8+
---
9+
Virtual WAN now supports a new Microsoft-registered App ID and corresponding Audience values for the latest versions of the Azure VPN Client. When you configure a P2S User VPN VPN gateway using the new Audience values, you skip the Azure VPN Client app manual registration process for your Microsoft Entra tenant. The App ID is already created and your tenant is automatically able to use it with no extra registration steps. This process is more secure than manually registering the Azure VPN Client because you don't need to authorize the app or assign permissions via the Global administrator role.
10+
11+
Previously, you were required to manually register (integrate) the Azure VPN Client app with your Microsoft Entra tenant. Registering the client app creates an App ID representing the identity of the Azure VPN Client application and requires authorization using the Global Administrator role. To better understand the difference between the types of application objects, see [How and why applications are added to Microsoft Entra ID](/entra/identity-platform/how-applications-are-added).
12+
13+
When possible, we recommend that you configure new P2S User VPN gateways using the Microsoft-registered Azure VPN client App ID and its corresponding Audience values instead of manually registering the Azure VPN Client app with your tenant. If you have a previously configured a P2S User VPN gateway that uses Microsoft Entra ID authentication, you can update the gateway and clients to take advantage of the new Microsoft-registered App ID. Updating the P2S gateway with the new Audience value is required if you want Linux clients to connect. The Azure VPN Client for Linux isn't backward compatible with the older Audience values.
14+
15+
**Considerations and limitations**
16+
17+
* A P2S User VPN gateway can only support one Audience value. It can't support multiple Audience values simultaneously.
18+
19+
* At this time, the newer Microsoft-registered App ID doesn't support as many Audience values as the older, manually registered app. If you need an Audience value for anything other than Azure Public or Custom, use the older manually registered method and values.
20+
21+
* The Azure VPN Client for Linux isn't backward compatible with P2S gateways configured to use the older Audience values that align with the manually registered app. The Azure VPN Client for Linux does support Custom Audience values.
22+
23+
* [!INCLUDE [Supported versions](vpn-gateway-azure-vpn-client-linux-supported-releases.md)]
24+
25+
* The Azure VPN Client for macOS and Windows is backward compatible with P2S gateways configured to use the older Audience values that align with the manually registered app. You can also use Custom Audience values with these clients.
26+
27+
**Azure VPN Client Audience values**
28+
29+
The following table shows the versions of the Azure VPN Client that are supported for each App ID and the corresponding available Audience values.
30+
31+
[!INCLUDE [About the Microsoft-registered Azure VPN Client](vpn-gateway-entra-audience-values.md)]
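Review bot: Two typos in the new include: "When you configure a P2S User VPN VPN gateway" doubles "VPN", and "If you have a previously configured a P2S User VPN gateway" has a stray "a". Also normalize the role name, which appears as both "Global administrator role" and "Global Administrator role", and "Azure VPN client App ID" versus "Azure VPN Client App ID". The statement that the Azure VPN Client for Linux isn't backward compatible with the older Audience values appears twice (end of the third paragraph and again in the Considerations bullets); the security rationale in the first paragraph, that the Microsoft-registered App ID removes the need to authorize the app with the Global Administrator role, is the point worth keeping prominent, so consider stating the Linux limitation once in the bullets and referring to it from the paragraph.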

includes/virtual-wan-hub-basics.md

Lines changed: 2 additions & 2 deletions
@@ -1,7 +1,7 @@
11
---
22
ms.author: cherylmc
33
author: cherylmc
4-
ms.date: 07/28/2023
4+
ms.date: 01/14/2025
55
ms.service: azure-virtual-wan
66
ms.topic: include
77
---
@@ -18,4 +18,4 @@ ms.topic: include
1818
* **Name**: The name by which you want the virtual hub to be known.
1919
* **Hub private address space**: The hub's address range in CIDR notation. The minimum address space is /24 to create a hub.
2020
* **Virtual hub capacity**: Select from the dropdown. For more information, see [Virtual hub settings](/azure/virtual-wan/hub-settings).
21-
* **Hub routing preference**: Leave as default. For more information, see [Virtual hub routing preference](/azure/virtual-wan/about-virtual-hub-routing-preference).
21+
* **Hub routing preference**: Leave the setting as the default, **ExpressRoute** unless you have a specific need to change this field. For more information, see [Virtual hub routing preference](/azure/virtual-wan/about-virtual-hub-routing-preference).
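Review bot: The rewritten bullet "Leave the setting as the default, **ExpressRoute** unless you have a specific need to change this field" needs a closing comma after **ExpressRoute** (or parentheses around it) so the appositive doesn't run into the "unless" clause; for example, "Leave the setting at its default (**ExpressRoute**) unless you have a specific need to change it."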
