3.2.1. P2S Authentication Methods

P2S supports three authentication mechanisms. Choose based on your identity infrastructure:

Azure Certificate Authentication:

• Generate root and client certificates
• Upload root certificate public key to VPN Gateway
• Install client certificates on each device
• Best for: Small deployments, lab environments
• Drawback: Certificate distribution at scale is painful

RADIUS Authentication:

• Integrates with existing RADIUS servers (NPS, etc.)
• Supports MFA through RADIUS challenges
• Best for: Organizations with existing RADIUS infrastructure
• Requires: Network connectivity from VPN Gateway to RADIUS server

Microsoft Entra ID (Azure AD) Authentication:

• Native Azure AD integration
• Conditional Access policies apply
• MFA through Azure AD
• Best for: Organizations using Azure AD as primary identity
• Requires: OpenVPN tunnel type

⚠️ Exam Trap: Azure AD authentication only works with OpenVPN protocol. If the scenario requires IKEv2 or SSTP, Azure AD isn't an option—use certificates or RADIUS.