Merge pull request #286129 from cherylmc/ts-p2s

Entra ID

Author: JamesJBarnett

articles/vpn-gateway/TOC.yml

@@ -321,17 +321,17 @@
       href: troubleshoot-vpn-with-azure-diagnostics.md
     - name: Troubleshoot point-to-site connection issues
       items:
-      - name: P2S connection problems - general
+      - name: Point-to-site connection problems
         href: vpn-gateway-troubleshoot-vpn-point-to-site-connection-problems.md
-      - name: macOS - native VPN client
+      - name: macOS - native VPN client connection problems
         href: vpn-gateway-troubleshoot-point-to-site-osx-ikev2.md
-      - name: Microsoft Entra ID authentication
+      - name: Troubleshoot the Azure VPN Client - Microsoft Entra ID
         href: troubleshoot-ad-vpn-client.md
-      - name: Report an Azure VPN Client problem - Feedback Hub
+      - name: Report Azure VPN Client problems - Feedback Hub
         href: feedback-hub-azure-vpn-client.md
     - name: Troubleshoot site-to-site connection issues
       items:
-      - name: Site-to-site connections
+      - name: Site-to-site connection problems
         href: vpn-gateway-troubleshoot-site-to-site-cannot-connect.md
       - name: Site-to-site connection disconnects intermittently
         href: vpn-gateway-troubleshoot-site-to-site-disconnected-intermittently.md

articles/vpn-gateway/vpn-gateway-troubleshoot-vpn-point-to-site-connection-problems.md

@@ -5,7 +5,7 @@ description: Learn to troubleshoot and solve common point-to-site connection pro
 author: chadmath
 ms.service: azure-vpn-gateway
 ms.topic: troubleshooting
-ms.date: 09/03/2024
+ms.date: 09/04/2024
 ms.author: genli
 ---
 # Troubleshooting: Azure point-to-site connection problems
@@ -282,7 +282,7 @@ This error message occurs if the client can't access http://crl3.digicert.com/ss
 
 Check the proxy server settings, make sure that the client can access http://crl3.digicert.com/ssca-sha2-g1.crl and http://crl4.digicert.com/ssca-sha2-g1.crl.
 
-## VPN Client Error: The connection was prevented because of a policy configured on your RAS/VPN server. (Error 812)
+## VPN client error: The connection was prevented because of a policy configured on your RAS/VPN server. (Error 812)
 
 ### Cause
 
@@ -298,7 +298,7 @@ Make sure that RADIUS server is configured correctly. For More information, see
 
 Root certificate hasn't been installed. The root certificate is installed in the client's **Trusted certificates** store.
 
-## VPN Client Error: The remote connection was not made because the attempted VPN tunnels failed. (Error 800) 
+## VPN client error: The remote connection was not made because the attempted VPN tunnels failed. (Error 800) 
 
 ### Cause
 
@@ -314,7 +314,38 @@ Update the NIC driver:
 1. If Windows doesn't find a new driver, you can try looking for one on the device manufacturer's website and follow their instructions.
 1. Restart the computer and try the connection again.
 
-## VPN Client Error: Dialing VPN connection \<VPN Connection Name\>, Status = VPN Platform did not trigger connection
+## <a name="entra-expired"></a>VPN client error: Your authentication with Microsoft Entra has expired
+
+If you're using Microsoft Entra ID authentication, you might encounter the following error:
+
+**Your authentication with Microsoft Entra has expired so you need to re-authenticate to acquire a new token. Please try connecting again. Authentication policies and timeout are configured by your administrator in Entra tenant.**
+
+### Cause
+
+The point-to-site connection is disconnected because the current refresh token has expired or becomes invalid. New access tokens can’t be fetched for authenticating the user.
+
+When an Azure VPN Client tries to establish connection with an Azure VPN gateway using Microsoft Entra ID authentication, an access token is required to authenticate the user. This token gets renewed approximately every hour. A valid access token can only be issued when the user has a valid refresh token. If the user doesn’t have a valid refresh token, the connection gets disconnected.
+
+The refresh token can show as expired/invalid due to several reasons. You can check User Entra sign-in logs for debugging. See [Microsoft Entra sign-in logs](/entra/identity/monitoring-health/concept-sign-ins).
+
+* **Refresh token has expired**
+
+  * The default lifetime for the refresh tokens is 90 days. After 90 days, users need to reconnect to get a new refresh token.
+  * Entra tenant admins can add conditional access policies for sign-in frequency that trigger periodic reauthentication every 'X' hrs. (Refresh token will expire in 'X' hrs). By using custom conditional access policies, users are forced use an interactive sign-in every 'X' hrs. For more information, see [Refresh tokens in the Microsoft identity platform](/entra/identity-platform/refresh-tokens) and [Configure adaptive session lifetime policies](/entra/identity/conditional-access/howto-conditional-access-session-lifetime).
+
+* **Refresh token is invalid**
+
+  * The user has been removed from tenant.
+  * The user's credentials have changed.
+  * Sessions have been revoked by the Entra tenant Admin.
+  * The device has become noncompliant (if it’s a managed device).
+  * Other Entra policies configured by Entra Admins that require users to periodically use interactive sign-in.
+
+### Solution
+
+In these scenarios, users need to reconnect. This triggers an interactive sign-in process in Microsoft Entra that issues a new refresh token and access token.
+
+## VPN client error: Dialing VPN connection \<VPN Connection Name\>, Status = VPN Platform did not trigger connection
 
 You might also see the following error in Event Viewer from RasClient: "The user \<User\> dialed a connection named \<VPN Connection Name\> which has failed. The error code returned on failure is 1460."