Configure Device SSO for Windows - Azure VPN Client - Microsoft Entra ID authentication

This article helps you configure Device Single Sign-On (SSO). With Device SSO, users sign in to their Windows device once, and the Azure VPN Client reuses that authentication to connect to a virtual network over a VPN Gateway point-to-site (P2S) VPN that uses Microsoft Entra ID authentication. For more information about point-to-site connections, see About point-to-site connections.

Prerequisites

Configure your VPN gateway for point-to-site VPN connections that specify Microsoft Entra ID authentication. See Configure a P2S VPN gateway for Microsoft Entra ID authentication.

Make sure you've also completed the steps to configure the Azure VPN Client profile configuration .xml file with the custom audience and Microsoft application ID, as described in Configure Azure VPN Client - Microsoft Entra ID authentication - Windows.

Workflow

  1. After you download the VPN profile configuration package, open the .xml file in a text editor.

  2. Locate the aad section and set the value of enabledevicesso to "true" in the Windows Azure VPN Client profile:

    <aad>
       <audience>{customAudienceID}</audience>
       <issuer>https://sts.chinacloudapi.cn/{tenant ID value}/</issuer>
       <tenant>https://login.chinacloudapi.cn/{tenant ID value}/</tenant>
       <applicationid>c632b3df-fb67-4d84-bdcf-b95ad541b5c8</applicationid> 
       <enabledevicesso>true</enabledevicesso>
    </aad>
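
A pre-deployment check for step 2, as an added example that is not part of the original article or of Microsoft's tooling: it refuses to enable Device SSO while the aad section still holds unfilled template values such as {customAudienceID}, then sets enabledevicesso to true. The wrapper element, namespace and GUIDs in the sample are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

REQUIRED = ("audience", "issuer", "tenant", "applicationid")

# Constructed sample: wrapper, namespace and GUIDs are placeholders (assumptions).
SAMPLE = """<profile xmlns="urn:example:constructed">
  <aad>
    <audience>11111111-1111-1111-1111-111111111111</audience>
    <issuer>https://sts.chinacloudapi.cn/22222222-2222-2222-2222-222222222222/</issuer>
    <tenant>https://login.chinacloudapi.cn/22222222-2222-2222-2222-222222222222/</tenant>
    <applicationid>c632b3df-fb67-4d84-bdcf-b95ad541b5c8</applicationid>
  </aad>
</profile>"""

def local(tag):  # strip an optional "{namespace}" prefix from a tag
    return tag.rsplit("}", 1)[-1]

def find_aad(root):
    return next((e for e in root.iter() if local(e.tag) == "aad"), None)

def enable_device_sso(xml_text):
    """Return (xml, problems); the XML is changed only when problems is empty."""
    root = ET.fromstring(xml_text)
    aad = find_aad(root)
    if aad is None:
        return xml_text, ["no <aad> section in profile"]
    fields = {local(c.tag): c for c in aad}
    problems = []
    for name in REQUIRED:
        value = (fields[name].text or "").strip() if name in fields else ""
        if not value or "{" in value:  # e.g. "{customAudienceID}" left unfilled
            problems.append(f"<{name}> is missing or still a placeholder")
    if problems:
        return xml_text, problems
    ns = aad.tag[:-len("aad")]  # "{uri}", or "" when the file is not namespaced
    flag = fields.get("enabledevicesso")
    if flag is None:
        flag = ET.SubElement(aad, ns + "enabledevicesso")
    flag.text = "true"
    if ns:
        ET.register_namespace("", ns[1:-1])  # keep the default namespace unprefixed
    return ET.tostring(root, encoding="unicode"), []

def device_sso_value(xml_text):  # read the flag back; None when it is absent
    aad = find_aad(ET.fromstring(xml_text))
    for child in (aad if aad is not None else []):
        if local(child.tag) == "enabledevicesso":
            return (child.text or "").strip()
    return None
```

ElementTree discards XML comments when it re-serializes, so compare the output with the original file before distributing the profile.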
    

Next steps