If you are using the Azure VPN Client on Windows with Microsoft Entra ID authentication and the connection is disconnected with the following error:
Your authentication with Microsoft Entra is expired. You need to re-authenticate in Entra to acquire a new token. Authentication timeout can be tuned by your administrator.
Error screenshot on Azure VPN Client
This has started happening only from version 3.4.0.0 of the Azure VPN Client, as a new fix related to authentication was implemented in 3.4.0.0.
Azure VPN Client 3.4.0.0 version release notes
And here is the mitigation for the same: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-troubleshoot-vpn-point-to-site-connection-problems#entra-expired
You can try the mitigation and it should work.
2 Answers
Due to the case I opened with MS on this issue, Microsoft has updated the FAQs here: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#vpn-disconnect
What is happening is that in versions 3.3.1 and before, the Azure VPN client did NOT honor the sign-in frequency except at initial login. Once you were connected, even with a Conditional Access policy sign-in frequency set, you could stay connected indefinitely, but now in version 3.4.0 the client will honor the sign-in frequency in the Conditional Access policy after the initial sign-in.
Microsoft did a poor job of communicating this, and actually, once my clients started receiving the 3.4.0 version from the Microsoft Store, none of the Microsoft documentation even mentioned a 3.4.0 client.
So, for example, if you were using the Azure Point-to-Site VPN client 3.3.1 with Entra ID authentication and a Conditional Access policy with sign-in frequency set to "Every time", you could stay connected indefinitely once you authenticated. If your clients then updated to 3.4.0, the Conditional Access policy would disconnect users after 1 hour.
Note that whatever sign-in frequency you choose in the Conditional Access policy for the Azure VPN (with client version 3.4.0), it will be 1 additional hour before users are disconnected. For example, if you want users to stay connected for 8 hours, use a sign-in frequency of 7 hours.
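For administrators who want to see which Conditional Access policies carry a sign-in frequency and what the resulting disconnect window is for clients at 3.4.0 (frequency plus the extra hour the answer above describes), here is an added PowerShell audit script. It is not code from the original post or from Microsoft; it uses the Microsoft Graph PowerShell SDK (`Get-MgIdentityConditionalAccessPolicy`, which needs the `Policy.Read.All` scope) and assumes the Store package name of the Azure VPN Client is `Microsoft.AzureVpn` (an assumption, so verify with `Get-AppxPackage` on your machine). The "+1 hour" rule and the 1-hour window for "Every time" are taken from the answer, not from any Microsoft specification.

```powershell
# Added example, not from the original post. Audits Conditional Access sign-in
# frequency settings and reports the expected VPN disconnect window for client 3.4.0.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns (assumption: module installed)

# 1. Report the locally installed Azure VPN Client version, so you know whether the
#    3.4.0 behaviour change applies. Package name 'Microsoft.AzureVpn' is an assumption.
$vpnPkg = Get-AppxPackage -Name 'Microsoft.AzureVpn' -ErrorAction SilentlyContinue
if ($vpnPkg) {
    $v = [version]$vpnPkg.Version
    $honorsSif = $v -ge [version]'3.4.0.0'
    Write-Host ("Azure VPN Client {0} installed; honors sign-in frequency after login: {1}" -f $v, $honorsSif)
} else {
    Write-Host "Azure VPN Client package not found locally (package name assumed: Microsoft.AzureVpn)"
}

# 2. Pull every Conditional Access policy and inspect its sign-in frequency session control.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
$policies = Get-MgIdentityConditionalAccessPolicy -All

function Get-EffectiveWindowHours {
    # Converts a signInFrequency session control into the expected disconnect window
    # (in hours) for a 3.4.0 client, applying the "+1 hour" behaviour from the answer.
    param($Sif)
    if ($Sif.FrequencyInterval -eq 'everyTime') { return 1 }       # answer: "Every time" -> 1 hour
    $hours = switch ($Sif.Type) {
        'hours' { [int]$Sif.Value }
        'days'  { [int]$Sif.Value * 24 }
        default { $null }
    }
    if ($null -eq $hours) { return $null }
    return $hours + 1                                               # answer: one additional hour
}

$report = foreach ($p in $policies) {
    $sif = $p.SessionControls.SignInFrequency
    if (-not $sif -or -not $sif.IsEnabled) { continue }            # no sign-in frequency configured
    [pscustomobject]@{
        Policy            = $p.DisplayName
        State             = $p.State                               # enabled / disabled / enabledForReportingButNotEnforced
        FrequencyInterval = $sif.FrequencyInterval
        Configured        = if ($sif.FrequencyInterval -eq 'everyTime') { 'every time' } else { "$($sif.Value) $($sif.Type)" }
        ExpectedWindowHrs = Get-EffectiveWindowHours -Sif $sif
    }
}

# 3. Show the result; compare ExpectedWindowHrs against the session length you actually want.
#    Example: for an 8-hour working day the answer recommends configuring 7 hours.
$report | Sort-Object Policy | Format-Table -AutoSize
```

The script only reads policies; it changes nothing in the tenant. Run it with an account that has read access to Conditional Access, and note that a policy whose `State` is `enabledForReportingButNotEnforced` will not actually disconnect anyone, even though it appears in the report.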
What is our solution here?
I’m not entirely clear on the next steps if you have one …
Really appreciate the in-depth explanation