Windows 10 AlwaysOn VPN with Conditional Access – Part 3


This is the last part of the blog post series about Windows 10 AlwaysOn VPN with AzureAD Conditional Access. In the first part I described the infrastructure needed to get up and running with Windows 10 AlwaysOn VPN. The second part covered the configuration needed to add AzureAD Conditional Access, and showed how MFA can be enforced on AlwaysOn VPN connections with AzureAD Conditional Access. In this last part I want to show that AzureAD can also enforce a compliant device, and I want to describe the scenario of blocking access to the AlwaysOn VPN.

Let’s start where we finished in the last post of the series. We configured a Conditional Access policy which enforces an MFA request to the user before the VPN can connect. Now we’re going to change the Conditional Access policy so that a compliant device is required.

  1. First go to the Azure Portal, next go to the Azure Active Directory section and open the VPN Conditional Access policy;
  2. Go to the Access Controls, add ‘Require device to be marked as compliant’ as a control, and select ‘Require all the selected controls’ if multiple controls are selected;
  3. Next, save the policy.

The above change will enforce a compliant device. The users will see the following screens:

We’re starting with a non-compliant device:


When connecting to the VPN the following screen is presented:


Before the connection can be made, Conditional Access enforces a compliant device. When we make the device compliant, the AlwaysOn VPN connection can be created:


After this scenario I want to show one other scenario. In this scenario I want to block access to the AlwaysOn VPN if the user is a member of the ‘Block AlwaysOn VPN group’. To configure this scenario we need to do the following:

  1. Create an Azure Active Directory group containing the users you want to block;
  2. Create a new AzureAD Conditional Access policy with the same configuration as the already created policy. Only change the controls to block access instead of allowing it;
  3. Save the policy.
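
The two policies from this post can also be written down as Microsoft Graph objects, which makes the difference between them (only the grant controls and the targeted group) easy to review. This is an added example, not part of the original post: it uses the Microsoft Graph PowerShell SDK instead of the portal, creates both policies as new objects rather than editing the existing one, and the application ID, group IDs and display names are placeholders you must replace.

```powershell
# Added example, not from the original post. Requires the Microsoft Graph
# PowerShell SDK (module Microsoft.Graph.Identity.SignIns).
# Placeholders (assumptions): replace with the values from your own tenant.
$VpnAppId     = '<vpn-cloud-app-id>'                    # cloud app the existing VPN policy targets
$VpnUsersId   = '<vpn-users-group-object-id>'           # assumed: the allow policy is scoped to a group
$BlockGroupId = '<block-alwayson-vpn-group-object-id>'  # the 'Block AlwaysOn VPN group'

function New-VpnCaPolicyBody {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string]   $GroupId,
        [Parameter(Mandatory)] [string[]] $Controls,    # 'mfa', 'compliantDevice' or 'block'
        [ValidateSet('AND', 'OR')] [string] $Operator = 'OR'
    )
    @{
        displayName   = $DisplayName
        state         = 'enabled'
        conditions    = @{
            clientAppTypes = @('all')
            users          = @{ includeGroups = @($GroupId) }
            applications   = @{ includeApplications = @($VpnAppId) }
        }
        grantControls = @{
            operator        = $Operator   # 'AND' corresponds to 'Require all the selected controls'
            builtInControls = $Controls
        }
    }
}

# Scenario 1: MFA and a compliant device are both required.
$requirePolicy = New-VpnCaPolicyBody -DisplayName 'VPN - require MFA and compliant device' `
    -GroupId $VpnUsersId -Controls 'mfa', 'compliantDevice' -Operator 'AND'

# Scenario 2: same conditions, but the grant control is Block for the block group.
$blockPolicy = New-VpnCaPolicyBody -DisplayName 'VPN - block AlwaysOn VPN group' `
    -GroupId $BlockGroupId -Controls 'block'

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'
foreach ($body in $requirePolicy, $blockPolicy) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    # Print what was actually stored so the grant controls can be checked.
    '{0}  ->  {1}' -f $created.DisplayName, ($created.GrantControls.BuiltInControls -join ', ')
}
```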

Now, when we go back to the test workstation, the user should be blocked once the Conditional Access certificate expires. This certificate, issued by AzureAD, is used to authenticate and is valid for 1 hour after it’s issued. After one hour the user will see the following message:


This scenario shows that with AzureAD Conditional Access we can require controls to allow access to the VPN, but we can also block access to the VPN. To finish this series I want to make one final note about something I found out while testing this solution:

Deleting the certificate issued by AzureAD Conditional Access can lead to strange behavior in allowing and blocking scenarios. During my tests, after deleting the certificate manually, Conditional Access was working, but after closing the CA window the connection could still be made. So the conclusion here is to not delete the certificate manually from the client.
