
🛡️ Azure Virtual Network Gateway point-to-site configuration authentication type is not set to Azure Active Directory🟢⚪

  • Contextual name: 🛡️ Virtual Network Gateway point-to-site configuration authentication type is not set to Azure Active Directory🟢⚪
  • ID: /ce/ca/azure/virtual-network/virtual-network-gateway-authentication-type
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Description

Enable only 'Azure Active Directory' (Microsoft Entra ID) authentication for Azure VPN Gateway point-to-site connections.

Rationale

Microsoft Entra ID authentication ties point-to-site access to centrally managed identities (so Conditional Access and multifactor authentication can be applied to VPN sign-in), and removes the static credential material that the other two options depend on: root certificates and client certificates that must be issued, rotated and revoked by hand, and RADIUS shared secrets.

Impact

Azure VPN Gateways incur hourly charges, with additional costs for point-to-site connections and data transfer. Pricing varies by SKU and usage. Refer to https://azure.microsoft.com/en-us/pricing/details/vpn-gateway/ for details.

Audit

From Azure Portal
  1. Go to Virtual network gateways.
  2. Under VPN gateway, click VPN gateways.
  3. Click the name of a VPN gateway.
  4. Under Settings, click Point-to-site configuration.
  5. Ensure Authentication type is set to Azure Active Directory only.
  6. Repeat steps 1-5 for each VPN gateway.
From Azure Policy

If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure.

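The portal walk-through above checks one gateway at a time. The following is an added example, not part of the CIS benchmark or of Cloudaware's policy, that performs the same audit offline over the JSON returned by `az network vnet-gateway list -o json`. It assumes the Azure CLI field names `vpnClientConfiguration.vpnAuthenticationTypes` (values `AAD`, `Certificate`, `Radius`) and `aadTenant`, `aadAudience`, `aadIssuer`; the five sample gateways and their placeholder tenant values are constructed for the example.

```python
"""Offline audit of the point-to-site authentication type on Azure VPN Gateways.

Feed it the JSON that `az network vnet-gateway list -o json` returns (the Azure
CLI flattens the ARM `properties` block, so `vpnClientConfiguration` sits at the
top level of each gateway). Only that block is inspected.
"""
import json

# Values used by the ARM field vpnClientConfiguration.vpnAuthenticationTypes.
AAD = "AAD"
CERTIFICATE = "Certificate"
RADIUS = "Radius"
AAD_SETTINGS = ("aadTenant", "aadAudience", "aadIssuer")


def evaluate_gateway(gw):
    """Return (status, reason) for one gateway resource dict.

    status is "PASS", "FAIL", or "NOT_APPLICABLE" when the gateway has no
    point-to-site configuration at all (nothing for a VPN client to connect to).
    """
    p2s = gw.get("vpnClientConfiguration")
    if not p2s:
        return "NOT_APPLICABLE", "no point-to-site configuration"

    declared = p2s.get("vpnAuthenticationTypes") or []
    if declared:
        types = set(declared)
    else:
        # Gateways configured before vpnAuthenticationTypes existed may leave it
        # empty; infer the type from whichever settings are actually present.
        types = set()
        if p2s.get("vpnClientRootCertificates"):
            types.add(CERTIFICATE)
        if p2s.get("radiusServerAddress") or p2s.get("radiusServers"):
            types.add(RADIUS)
        if p2s.get("aadTenant"):
            types.add(AAD)

    if not types:
        return "FAIL", "no authentication type configured"
    if AAD not in types:
        return "FAIL", f"authentication type is {', '.join(sorted(types))}, not Azure AD"
    if types != {AAD}:
        # The control requires Azure AD *only*; the portal allows mixing types.
        others = ", ".join(sorted(types - {AAD}))
        return "FAIL", f"Azure AD is enabled alongside {others}"

    # AAD is the only type; the tenant/audience/issuer triple must be populated
    # (remediation step 7), otherwise clients cannot authenticate at all.
    missing = [k for k in AAD_SETTINGS if not p2s.get(k)]
    if missing:
        return "FAIL", f"Azure AD only, but missing {', '.join(missing)}"
    return "PASS", "Azure AD is the only authentication type"


def audit(gateways_json):
    """Evaluate every gateway in `az network vnet-gateway list` output."""
    return [(gw["name"], *evaluate_gateway(gw)) for gw in json.loads(gateways_json)]


# Constructed sample output (not a real subscription): one gateway per case.
# <tenant-id> and <azure-vpn-app-id> are placeholders, not real identifiers.
SAMPLE_GATEWAYS = json.dumps([
    {"name": "gw-aad-only", "vpnClientConfiguration": {
        "vpnAuthenticationTypes": ["AAD"],
        "aadTenant": "https://login.microsoftonline.com/<tenant-id>/",
        "aadAudience": "<azure-vpn-app-id>",
        "aadIssuer": "https://sts.windows.net/<tenant-id>/"}},
    {"name": "gw-aad-and-cert", "vpnClientConfiguration": {
        "vpnAuthenticationTypes": ["AAD", "Certificate"],
        "aadTenant": "https://login.microsoftonline.com/<tenant-id>/",
        "aadAudience": "<azure-vpn-app-id>",
        "aadIssuer": "https://sts.windows.net/<tenant-id>/",
        "vpnClientRootCertificates": [{"name": "corp-root"}]}},
    {"name": "gw-legacy-cert", "vpnClientConfiguration": {
        "vpnClientRootCertificates": [{"name": "corp-root"}]}},
    {"name": "gw-aad-no-issuer", "vpnClientConfiguration": {
        "vpnAuthenticationTypes": ["AAD"],
        "aadTenant": "https://login.microsoftonline.com/<tenant-id>/",
        "aadAudience": "<azure-vpn-app-id>"}},
    {"name": "gw-no-p2s", "vpnClientConfiguration": None},
])

if __name__ == "__main__":
    for name, status, reason in audit(SAMPLE_GATEWAYS):
        print(f"{status:14} {name}: {reason}")
```

Against a real subscription, save `az network vnet-gateway list -o json` to a file and pass its contents to `audit()`. Two design choices matter: a gateway with no point-to-site block is reported as not applicable rather than as a pass, so it does not inflate compliance figures, and a gateway that declares `AAD` together with `Certificate` or `Radius` fails, because the benchmark wording is "Azure Active Directory only" even though the portal lets you tick more than one box.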

Remediation

From Azure Portal

  1. Go to Virtual network gateways.
  2. Under VPN gateway, click VPN gateways.
  3. Click the name of a VPN gateway.
  4. Under Settings, click Point-to-site configuration.
  5. Click the Authentication type field to expand the drop-down menu.
  6. Check the box next to Azure Active Directory, and uncheck the boxes next to Azure certificate and RADIUS authentication.
  7. Provide a Tenant, Audience, and Issuer for the Azure Active Directory configuration.
  8. Click Save.
  9. Repeat steps 1-8 for each VPN gateway requiring remediation.

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CIS Azure v5.0.0 → 💼 7.9 Ensure 'Authentication type' is set to 'Azure Active Directory' only for Azure VPN Gateway point-to-site configuration (Manual) | 1 | no data
💼 Cloudaware Framework → 💼 Secure Access | 67 | no data