Headshot of Michael Korting

Microsoft 365 • Security • Compliance

Deploy Azure VPN Gateway Profiles with Intune (Entra ID Authentication)

A practical, repeatable approach to deploying the Azure VPN Client and delivering VPN configuration at scale using Microsoft Intune.

Overview

Azure VPN Gateway with Entra ID authentication provides a modern, secure way to enable remote access—but manual client configuration does not scale. By using Intune, you can deploy both the Azure VPN Client and a fully configured VPN profile automatically, ensuring consistent configuration across devices.

Prerequisites

  • Devices are enrolled in Microsoft Intune
  • Windows 10 19H2 or later (or Windows 11)
  • Azure-generated azurevpnconfig.xml file

Step 1 — Deploy the Azure VPN Client

Deploy the Azure VPN Client from the Microsoft Store:

  • Intune Admin Center → Apps → Windows
  • Add → Microsoft Store app (new)
  • Search: Azure VPN Client
  • Assign as Required to your user or device group

Step 2 — Create the VPN Profile XML

Use a base XML template and populate it with values from your Azure VPN configuration.

<VPNProfile>
  <RememberCredentials>true</RememberCredentials>
  <AlwaysOn>true</AlwaysOn>
  <TrustedNetworkDetection>contoso.com</TrustedNetworkDetection>
  <PluginProfile>
    <ServerUrlList>azuregateway-<GUID>.vpn.azure.com;CompanyVPN</ServerUrlList>
    <CustomConfiguration>
    </CustomConfiguration>
    <PluginPackageFamilyName>Microsoft.AzureVpn_8wekyb3d8bbwe</PluginPackageFamilyName>
  </PluginProfile>
  <RegisterDNS>false</RegisterDNS>
</VPNProfile>

Step 3 — Populate the Server FQDN

In azurevpnconfig.xml, locate the <fqdn> value and insert it into the <ServerUrlList> field in your template.

Step 4 — Set the Friendly Name

Update the name after the semicolon in ServerUrlList to something meaningful such as CompanyVPN.

Step 5 — Configure Trusted Network Detection

Add your internal domain(s) to the <TrustedNetworkDetection> element so the VPN does not connect when a device is already on the corporate network.

Step 6 — Insert the Custom Configuration

Copy the full contents of azurevpnconfig.xml and paste it into the <CustomConfiguration> section. This step is critical for authentication and connection settings.

Step 7 — Capture the Connection Name

Locate the <name> value in the Azure configuration file. This will be used in the Intune OMA-URI.

Step 8 — Save the XML File

Save your completed file as VPNProfile.xml.

Step 9 — Deploy via Intune Configuration Profile

  • Devices → Windows → Configuration Profiles
  • Create → Windows 10 and later → Templates → Custom

OMA-URI: ./User/Vendor/MSFT/VPNv2/<ConnectionName>/ProfileXML
Data type: String
Value: Upload VPNProfile.xml

Replace <ConnectionName> with the value from the XML <name> field.
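
Steps 3 to 9 as a script, added here as an example and not the author's own tooling: it reads <fqdn> and <name> from the Azure file, fills the Step 2 template, pastes the configuration in unmodified, and returns the matching OMA-URI. The sample input and its wrapper element names, the function names, and the choice to stop when <fqdn> or <name> is missing or ambiguous are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed stand-in for azurevpnconfig.xml; only <name> and <fqdn> are read.
SAMPLE_AZURE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<AzVpnProfile>
  <name>ExampleVNet</name>
  <serverlist><ServerEntry>
    <fqdn>azuregateway-00000000-example.vpn.azure.com</fqdn>
  </ServerEntry></serverlist>
</AzVpnProfile>"""

# Step 2 template with slots for the values Steps 3-6 fill in.
TEMPLATE = """<VPNProfile>
  <RememberCredentials>true</RememberCredentials>
  <AlwaysOn>true</AlwaysOn>
  <TrustedNetworkDetection>{tnd}</TrustedNetworkDetection>
  <PluginProfile>
    <ServerUrlList>{fqdn};{friendly}</ServerUrlList>
    <CustomConfiguration>
{custom}
    </CustomConfiguration>
    <PluginPackageFamilyName>Microsoft.AzureVpn_8wekyb3d8bbwe</PluginPackageFamilyName>
  </PluginProfile>
  <RegisterDNS>false</RegisterDNS>
</VPNProfile>
"""

def _values(root, tag):
    """Non-empty text of every element with this local name (namespace ignored)."""
    return [e.text.strip() for e in root.iter()
            if e.tag.rsplit("}", 1)[-1] == tag and e.text and e.text.strip()]

def build_profile(azure_config, friendly_name, trusted_domains):
    """Return (VPNProfile.xml text, OMA-URI); raise ValueError on bad input."""
    try:
        root = ET.fromstring(azure_config)  # a truncated file fails to parse
    except ET.ParseError as exc:
        raise ValueError(f"azurevpnconfig.xml is not complete XML: {exc}") from exc
    fqdns, names = _values(root, "fqdn"), _values(root, "name")
    if len(fqdns) != 1 or len(names) != 1:
        raise ValueError("expected exactly one <fqdn> and one <name>; not guessing")
    if ";" in fqdns[0] or ";" in friendly_name or "/" in names[0]:
        raise ValueError("';' or '/' would change ServerUrlList or the OMA-URI")
    profile = TEMPLATE.format(  # the Azure file goes in as-is, never edited
        tnd=escape(",".join(trusted_domains)), fqdn=escape(fqdns[0]),
        friendly=escape(friendly_name), custom=azure_config)
    return profile, f"./User/Vendor/MSFT/VPNv2/{names[0]}/ProfileXML"
```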

Step 10 — Monitor Deployment

Verify both:

  • Azure VPN Client installation
  • VPN profile deployment status

After sync, users should see the VPN profile automatically and be able to connect without manual setup.

Field Notes

  • Ensure the client installs before the profile deploys
  • Connection name must match exactly
  • Do not alter or truncate the custom configuration XML
  • Trusted Network Detection improves user experience significantly
