
Technical Lab: Select an appropriate authentication method

Questions

Question 1: Multiple Choice

An organization needs to authenticate corporate users accessing a VPN Gateway configured for point-to-site (P2S) connections. The requirement is that authentication uses identities already managed in Microsoft Entra ID, without the organization operating its own PKI and without depending on certificates managed by the users.

Which authentication method meets these requirements?

A) Certificate authentication with root CA loaded on the gateway
B) Microsoft Entra ID authentication with OpenVPN client
C) RADIUS authentication integrated with on-premises Active Directory
D) Pre-shared key (PSK) authentication


Question 2: Technical Scenario

An engineer configures a P2S VPN connection on an Azure VPN Gateway with the IKEv2 protocol. The goal is to allow macOS and Windows devices to connect using digital certificates. During testing, Windows clients connect successfully, but macOS clients fail authentication.

Protocol: IKEv2
Authentication: Certificate (root CA loaded on gateway)
Windows Client: Successful connection
macOS Client: Authentication failure

What is the most likely cause of the failure on macOS clients?

A) macOS does not support IKEv2 as a VPN tunnel protocol
B) The macOS client certificate needs to be issued by a different CA than the one used on Windows
C) The VPN client configuration package was not generated or reinstalled after the root certificate upload
D) The gateway needs a second root certificate exclusive for non-Windows clients


Question 3: True or False

Microsoft Entra ID authentication in P2S VPN connections is supported by both the OpenVPN protocol and the IKEv2 protocol, as long as the gateway is on SKU VpnGw1 or higher.

True or False?


Question 4: Technical Scenario

A company runs a hybrid environment in which Microsoft Entra Connect synchronizes identities from on-premises Active Directory to Microsoft Entra ID. The network team needs to implement RADIUS authentication for a P2S VPN Gateway solution so that credentials are validated against the on-premises Active Directory, without exposing the NPS server directly to the internet.

The diagram below represents the proposed architecture:

[VPN Client] --> [VPN Gateway (P2S)] --> [NPS Server on local network]
                                                     |
                                             [Active Directory]

Which component or configuration is mandatory for the VPN Gateway to reach the NPS server on the local network?

A) A Site-to-Site (S2S) or ExpressRoute connection between the VPN Gateway and the local network
B) Enabling multifactor authentication (MFA) on the NPS server
C) A second VPN Gateway dedicated exclusively to RADIUS traffic
D) Installing Microsoft Entra Connect on the NPS server


Question 5: Multiple Choice

When comparing the authentication methods available for P2S VPN on Azure VPN Gateway, which statement correctly describes a functional difference between certificate authentication and Microsoft Entra ID authentication?

A) Certificate authentication requires SKU VpnGw2 or higher, while Entra ID authentication works on any SKU
B) Microsoft Entra ID authentication allows applying Conditional Access policies, while certificate authentication does not offer this native integration
C) Certificate authentication supports only the OpenVPN protocol, while Entra ID supports IKEv2 and SSTP
D) Microsoft Entra ID authentication is supported on Basic SKU gateways, while certificates require higher SKUs


Answer Key and Explanations

Answer Key: Question 1

Answer: B

Microsoft Entra ID authentication over OpenVPN is the only listed method that uses identities managed in Entra ID without the organization running its own PKI or distributing certificates to users. The OpenVPN protocol is mandatory for this method, users connect with the Azure VPN Client (Microsoft's OpenVPN-based client), and the authentication flow uses OAuth 2.0 tokens issued by Entra ID.

Alternative A requires PKI infrastructure, contradicting the requirement. Alternative C depends on RADIUS and an NPS server integrated with on-premises AD, not directly with Entra ID. Alternative D (PSK) is applicable only to S2S/VNet-to-VNet connections, not to P2S with individual users.


Answer Key: Question 2

Answer: C

When a root certificate is added to (or replaced on) the VPN Gateway, the VPN client configuration package must be regenerated and redistributed; a package generated earlier does not reflect the gateway's current settings. Windows clients that installed the earlier package keep connecting as long as their client certificate chains to a root the gateway trusts, while the macOS clients, set up from the outdated package, fail authentication.

Alternative A is incorrect: macOS supports IKEv2 natively. Alternative B has no technical foundation, as the same root CA validates client certificates for every platform. Alternative D is also incorrect: one uploaded root certificate per CA is sufficient for all operating systems.
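The remediation for this scenario, as an added Azure PowerShell example (not part of the original lab): upload the root certificate to the gateway, confirm it was stored, and regenerate the client profile package that has to be redistributed to every platform. The resource group, gateway name, certificate path and certificate name are assumptions; it expects the Az module and an authenticated session (Connect-AzAccount).

```powershell
# Added example, not from the lab page. Assumed names: TestRG1, VNet1GW, C:\certs\P2SRootCert.cer
$rg       = "TestRG1"
$gwName   = "VNet1GW"
$certPath = "C:\certs\P2SRootCert.cer"   # exported PUBLIC root certificate (DER or Base64 .cer)
$certName = "P2SRootCert"

# Load the certificate and base64-encode its DER bytes. Going through X509Certificate2
# works whether the file was exported as DER or as Base64, and lets us sanity-check it.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
if ($root.Subject -ne $root.Issuer) {
    throw "Not a self-signed root CA certificate; upload the root, not an intermediate or client cert."
}
if ($root.HasPrivateKey) {
    throw "File carries a private key; only the public certificate belongs on the gateway."
}
$rootB64 = [Convert]::ToBase64String($root.RawData)

# Step 1: add the root to the gateway's trusted roots for P2S certificate authentication.
Add-AzVpnClientRootCertificate -ResourceGroupName $rg -VirtualNetworkGatewayName $gwName `
    -VpnClientRootCertificateName $certName -PublicCertData $rootB64

# Step 2: verify the gateway now lists the root (this is what client certs must chain to).
$stored = Get-AzVpnClientRootCertificate -ResourceGroupName $rg -VirtualNetworkGatewayName $gwName
if (-not ($stored | Where-Object { $_.Name -eq $certName })) {
    throw "Root certificate $certName was not stored on $gwName."
}
"Trusted P2S roots on $gwName : $($stored.Name -join ', ')"

# Step 3: regenerate the client profile package. A package generated before this upload is
# stale; download the new one from the SAS URL and redistribute it to Windows and macOS users.
# ($clientProfile rather than $profile: $profile is a PowerShell automatic variable.)
$clientProfile = New-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gwName -AuthenticationMethod "EapTls"
$clientProfile.VPNProfileSASUrl
```

Two things the package does not fix: each macOS IKEv2 client still needs its own client certificate, with private key, imported into the login keychain, and a client certificate only authenticates if it chains to one of the roots listed in step 2, so check that list before blaming the profile.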


Answer Key: Question 3

Answer: False

Microsoft Entra ID authentication for P2S is supported exclusively over the OpenVPN protocol. IKEv2 cannot be combined with this authentication method on Azure VPN Gateway, so even on an adequate SKU it is not possible to use Entra ID with IKEv2. The confusion arises because the gateway supports both OpenVPN and IKEv2 as tunnel protocols, but the authentication methods each protocol accepts differ.
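The configuration behind Questions 1 and 3, as an added Azure PowerShell example (not part of the original lab): switch an existing gateway to Entra ID authentication, which forces the protocol list to OpenVPN only, and read back what the gateway stored. The resource group, gateway name, address pool and tenant ID are assumptions; the Azure VPN Client application ID is left as a placeholder to be taken from Microsoft's current documentation for your cloud. It expects the Az module and an authenticated session (Connect-AzAccount).

```powershell
# Added example, not from the lab page. Assumed names: TestRG1, VNet1GW, 172.16.201.0/24
$rg             = "TestRG1"
$gwName         = "VNet1GW"                               # must be VpnGw1 or higher
$tenantId       = "<your-entra-tenant-id>"                # Entra ID tenant GUID
$vpnClientAppId = "<azure-vpn-client-application-id>"     # Application (client) ID of the
                                                          # Azure VPN Client app, per Microsoft docs

$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg

# Entra ID authentication exists only for OpenVPN, and the Basic SKU does not support
# OpenVPN at all, so fail early instead of letting the API reject the update.
if ($gw.Sku.Name -eq "Basic") {
    throw "$gwName is Basic SKU: no OpenVPN, therefore no Entra ID authentication. Resize to VpnGw1 or higher."
}

# -VpnClientProtocol OpenVPN: the only protocol that carries Entra ID auth (IKEv2/SSTP are out).
# -VpnClientRootCertificates @(): no customer PKI roots are needed for this method.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool "172.16.201.0/24" `
    -VpnClientProtocol OpenVPN `
    -VpnClientRootCertificates @() `
    -VpnAuthenticationType AAD `
    -AadTenantUri  "https://login.microsoftonline.com/$tenantId/" `
    -AadAudienceId $vpnClientAppId `
    -AadIssuerUri  "https://sts.windows.net/$tenantId/"

# Read the configuration back: this is the check to run when a client reports that the
# Entra ID sign-in never appears (wrong protocol) or the token is rejected (wrong tenant/audience).
$gw  = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
$cfg = $gw.VpnClientConfiguration
"Protocols : $($cfg.VpnClientProtocols -join ', ')"
"Auth types: $($cfg.VpnAuthenticationTypes -join ', ')"
"Tenant    : $($cfg.AadTenant)"
"Audience  : $($cfg.AadAudience)"
"Issuer    : $($cfg.AadIssuer)"
if ($cfg.VpnClientProtocols -contains "IkeV2") {
    Write-Warning "IKEv2 is still enabled; Entra ID authentication does not apply to IKEv2 clients."
}

# Profile package for the Azure VPN Client (contains the gateway FQDN and the Entra ID settings).
$clientProfile = New-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gwName -AuthenticationMethod "EapTls"
$clientProfile.VPNProfileSASUrl
```

Users import the generated profile into the Azure VPN Client; the sign-in then goes through Entra ID, which is also where Conditional Access policies for the VPN are attached (Question 5).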


Answer Key: Question 4

Answer: A

The VPN Gateway is a resource of the Azure virtual network and, by default, has no connectivity to on-premises networks. For the gateway to forward RADIUS requests to the NPS server on the local network, a Site-to-Site (S2S) or ExpressRoute connection must be established between the Azure VNet and the local network. Without that network path, the RADIUS packets never reach the NPS server. In addition, the on-premises firewall must allow RADIUS traffic (UDP 1812 by default) from the GatewaySubnet address range to the NPS server, and NPS must register that range as a RADIUS client with the same shared secret configured on the gateway.

Alternative B (MFA on NPS) is a security best practice, but not a requirement for the traffic to be routed. Alternative C does not exist as a solution in Azure. Alternative D confuses the role of Microsoft Entra Connect, which synchronizes identities and provides no network connectivity.
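The path check and RADIUS configuration for this scenario, as an added Azure PowerShell example (not part of the original lab): before pointing the gateway at the NPS server, confirm that an S2S connection on this gateway is actually up and that the local network gateway advertises the NPS server's range, then enable RADIUS authentication. The resource group, gateway name, NPS address, on-premises prefix and client address pool are assumptions; it expects the Az module and an authenticated session (Connect-AzAccount). Static-route S2S is assumed; with BGP the prefix check below only warns.

```powershell
# Added example, not from the lab page. Assumed: TestRG1, VNet1GW, NPS at 10.51.0.15 in 10.51.0.0/16
$rg        = "TestRG1"
$gwName    = "VNet1GW"
$npsIp     = "10.51.0.15"        # NPS server on the on-premises network
$npsPrefix = "10.51.0.0/16"      # on-premises range that must be reachable through S2S/ExpressRoute

$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg

# Check 1: an IPsec (S2S) connection on this gateway must be in Connected state.
# (ExpressRoute would satisfy the same requirement but terminates on an ExpressRoute gateway.)
$s2s = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg |
       Where-Object { $_.VirtualNetworkGateway1.Id -eq $gw.Id -and $_.ConnectionType -eq "IPsec" }
$up  = $s2s | Where-Object { $_.ConnectionStatus -eq "Connected" }
if (-not $up) {
    throw "No connected S2S connection on $gwName; RADIUS requests to $npsIp have no path. Establish S2S or ExpressRoute first."
}
"Connected S2S connections: $($up.Name -join ', ')"

# Check 2: the local network gateway(s) behind those connections should advertise the NPS range.
# With static routes the prefixes are listed on the LNG; with BGP the list may be empty, so warn only.
foreach ($conn in $up) {
    $parts   = $conn.LocalNetworkGateway2.Id.Split('/')   # /subscriptions/../resourceGroups/<rg>/../localNetworkGateways/<name>
    $lng     = Get-AzLocalNetworkGateway -Name $parts[-1] -ResourceGroupName $parts[4]
    $prefixes = $lng.LocalNetworkAddressSpace.AddressPrefixes
    if ($prefixes -notcontains $npsPrefix) {
        Write-Warning "$($lng.Name) does not list $npsPrefix (prefixes: $($prefixes -join ', ')). Verify BGP or the static route."
    }
}

# Enable RADIUS authentication. The secret is read interactively and never written to disk.
$secret = Read-Host -AsSecureString -Prompt "RADIUS shared secret (must match the NPS client entry)"
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool "172.16.201.0/24" `
    -VpnClientProtocol IkeV2, SSTP `
    -VpnAuthenticationType Radius `
    -RadiusServerAddress $npsIp `
    -RadiusServerSecret $secret

# The gateway sends RADIUS from its private addresses in the GatewaySubnet; the on-premises
# firewall and the NPS RADIUS-client entry must be scoped to that subnet, not to the public IP.
"Gateway subnet (allow UDP/1812 from here to $npsIp): $($gw.IpConfigurations[0].Subnet.Id)"

# Username/password clients (EAP-MSCHAPv2 against AD through NPS) get this profile package.
$clientProfile = New-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gwName -AuthenticationMethod "EapMSChapv2"
$clientProfile.VPNProfileSASUrl
```

If the check passes but authentication still times out, the usual culprits are the firewall rule on the on-premises side (UDP 1812 from the GatewaySubnet range) or an NPS RADIUS-client entry whose address range or shared secret does not match what the gateway was given.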


Answer Key: Question 5

Answer: B

The most relevant functional difference is that Microsoft Entra ID authentication integrates the sign-in with Microsoft Entra Conditional Access, so policies such as requiring MFA, requiring a compliant device, or blocking by location can be enforced on the VPN sign-in. Certificates prove possession of a key bound to a device or user, but the gateway's certificate authentication has no native integration with Conditional Access.

Alternative A states SKU requirements that do not exist. Alternative C reverses the protocols: it is Entra ID authentication that requires OpenVPN, while certificate authentication works with IKEv2, SSTP and OpenVPN. Alternative D is incorrect: the Basic SKU does not support OpenVPN and therefore cannot use Entra ID authentication at all, whereas certificate authentication is the method that does run on Basic, limited there to SSTP because Basic supports neither IKEv2 nor OpenVPN.