We have multiple P2S virtual network gateways configured. The VPN uses OpenVPN and Azure AD authentication. Each gateway has its own virtual network for customer/project private resources.
We have a conditional access policy configured to give only specific users access to the Azure VPN enterprise application via an Azure AD security group. This however means that the users in the group will have access to all resources as long as they have the customer/project VPN XML file (for the Azure VPN Client).
Is there a way to have more fine-grained control over this? So for example, create a security group and assign it to a specific P2S VPN? We know this can be done with an NSG by restricting IPs, but these are dynamic so we can't really use this.
I too had the same requirements.
The primary Azure Enterprise App, Azure VPN (Application ID 41b23e61-6c1e-4545-b367-cd054e0ed4b4), permits all staff; they need the app for the Azure client VPN.
Then, I have more than 1 VPN gateway where I want to limit the user access, i.e. only IT can connect to a particular tunnel, limited by the AAD creds.
I found this guide and I'm testing the implementation.
So far it works as expected: a new App ID gets created. I put 2 security groups on there.
Need to validate that it blocks auth for disallowed users.
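The per-gateway approach the answer above describes, written out as an added example (this is not the question's or the answer's own code, and not the guide the answer mentions): it follows Microsoft's documented "custom audience" pattern for Entra ID P2S authentication. One app registration per gateway, "User assignment required" on its service principal, a security group assigned to it, and the gateway's AAD audience pointed at the new app ID. Tenant ID, group name, gateway name and resource group are assumed placeholders; the only real identifier is the Microsoft-registered Azure VPN client app ID already quoted above. Requires the Microsoft.Graph and Az.Network PowerShell modules and an account that can consent to applications.

```powershell
# Added example, not from the original post. Assumed placeholders are marked below.
Connect-MgGraph -Scopes "Application.ReadWrite.All","AppRoleAssignment.ReadWrite.All","Group.Read.All"
Connect-AzAccount

$tenantId          = "00000000-0000-0000-0000-000000000000"   # assumed: your tenant ID
$azureVpnClientApp = "41b23e61-6c1e-4545-b367-cd054e0ed4b4"   # Microsoft "Azure VPN" client app (public cloud)
$groupName         = "VPN-IT-Gateway-Users"                   # assumed: security group allowed on this gateway
$gatewayName       = "vgw-it-p2s"                             # assumed: the P2S gateway to lock down
$resourceGroup     = "rg-it-network"                          # assumed: its resource group

# 1. Register a dedicated app for this gateway; its AppId becomes the gateway's audience.
$app = New-MgApplication -DisplayName "Azure VPN - IT gateway" -SignInAudience "AzureADMyOrg"

# 2. Expose a delegated scope and pre-authorize the Azure VPN Client to use it,
#    so the client can request a token for this audience without a consent prompt.
$scopeId = [guid]::NewGuid().Guid
Update-MgApplication -ApplicationId $app.Id -IdentifierUris @("api://$($app.AppId)") -Api @{
    oauth2PermissionScopes = @(@{
        id                      = $scopeId
        value                   = "user_impersonation"
        type                    = "User"
        isEnabled               = $true
        adminConsentDisplayName = "Access Azure VPN (IT gateway)"
        adminConsentDescription = "Allows the Azure VPN Client to connect to the IT gateway on the user's behalf"
        userConsentDisplayName  = "Access Azure VPN (IT gateway)"
        userConsentDescription  = "Allows the Azure VPN Client to connect to the IT gateway on your behalf"
    })
    preAuthorizedApplications = @(@{
        appId                  = $azureVpnClientApp
        delegatedPermissionIds = @($scopeId)
    })
}

# 3. Create the service principal with "User assignment required". This is the
#    actual control: unassigned users cannot obtain a token for this audience at all.
$sp = New-MgServicePrincipal -AppId $app.AppId -AppRoleAssignmentRequired

# 4. Assign the security group. The all-zero app role ID is the default access role.
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -PrincipalId $group.Id `
    -ResourceId $sp.Id -AppRoleId ([guid]::Empty)

# 5. Point the gateway at the new audience. Users must re-download the profile XML
#    afterwards, because the audience ID is embedded in it.
$gw = Get-AzVirtualNetworkGateway -Name $gatewayName -ResourceGroupName $resourceGroup
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientProtocol OpenVPN -VpnAuthenticationType AAD `
    -AadTenantUri  "https://login.microsoftonline.com/$tenantId" `
    -AadAudienceId $app.AppId `
    -AadIssuerUri  "https://sts.windows.net/$tenantId/"
```

To validate the block, sign in to the Azure VPN Client with the gateway's new profile as a user who is not in the group: the token request for the new audience is refused by Entra ID before the tunnel is attempted, and the sign-in log for that app shows the failure. Two caveats: a conditional access policy scoped to the "Azure VPN" enterprise app does not cover the new app, because policies match on the application being requested, so re-target the policy to include the new app; and a user who still holds an old profile XML for a gateway they are no longer assigned to is blocked at token issuance, not by anything in the XML, so the profile itself need not be treated as a secret.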