
If you are using the Azure VPN Client on Windows with Microsoft Entra ID authentication and getting the connection disconnected with the following error:

Your authentication with Microsoft Entra is expired. You need to re-authenticate in Entra to acquire a new token. Authentication timeout can be tuned by your administrator.

Error screenshot on Azure VPN Client

This has started happening only from version 3.4.0.0 of the Azure VPN Client, as a new fix related to authentication has been implemented in 3.4.0.0.
Azure VPN Client 3.4.0.0 version release notes

And here is the mitigation for the same: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-troubleshoot-vpn-point-to-site-connection-problems#entra-expired

You can try the mitigation; here is the mitigation for the same (https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-troubleshoot-vpn-point-to-site-connection-problems#entra-expired), and it should work.

2

Answers


  1. Due to the case I opened with MS on this issue, Microsoft has updated the FAQs here: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#vpn-disconnect

    What is happening is that in versions 3.3.1 and before, the Azure VPN client did NOT honor the sign-in frequency except at initial login. Once you were connected, even with a conditional access policy's sign-in frequency set, you could stay connected indefinitely, but now in version 3.4.0 the client will honor the sign-in frequency in the conditional access policy after initial sign-in.

    Microsoft did a poor job of communicating this, and actually, once my clients started receiving the 3.4.0 version from the Microsoft Store, none of the Microsoft documentation even mentioned a 3.4.0 client.

    So, for example, if you were using Azure Point-to-Site VPN client 3.3.1 with Entra ID authentication and a conditional access policy with sign-in frequency set to Every time, you could stay connected indefinitely once you authenticated. If your clients then updated to 3.4.0, the conditional access policy would disconnect users after 1 hour.

    Note that whatever sign-in frequency you choose in the conditional access policy for the Azure VPN (with client version 3.4.0), it will be 1 additional hour before users are disconnected. For example, if you want users to stay connected for 8 hours, use a sign-in frequency of 7 hours.

  2. What is our solution here?

    I’m not entirely clear on the next steps if you have one …

    Really appreciate the in-depth explanation

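
An added example, not part of the original answers or Microsoft's documentation: a small audit over conditional access policies in the shape Microsoft Graph returns them, listing which enforced policies cover the VPN app and when a 3.4.0 client would be disconnected under the rule given in the first answer (sign-in frequency plus 1 hour). The policy names, the `VPN_APP_ID` placeholder and the sample data are constructed; replace the placeholder with the application ID your tenant uses for the Azure VPN.

```python
# Constructed sample in the shape Microsoft Graph returns for conditional
# access policies. Display names and VPN_APP_ID are placeholders.
VPN_APP_ID = "<azure-vpn-app-id>"
GRACE_HOURS = 1  # extra hour before disconnect, as reported in the first answer

def _policy(name, state, apps, sif):
    return {"displayName": name, "state": state,
            "conditions": {"applications": {"includeApplications": apps,
                                            "excludeApplications": []}},
            "sessionControls": {"signInFrequency": sif} if sif else None}

SAMPLE_POLICIES = [
    _policy("VPN 7h", "enabled", [VPN_APP_ID],
            {"isEnabled": True, "frequencyInterval": "timeBased", "type": "hours", "value": 7}),
    _policy("All apps every time", "enabled", ["All"],
            {"isEnabled": True, "frequencyInterval": "everyTime", "type": None, "value": None}),
    _policy("VPN 1d (report-only)", "enabledForReportingButNotEnforced", [VPN_APP_ID],
            {"isEnabled": True, "frequencyInterval": "timeBased", "type": "days", "value": 1}),
    _policy("MFA only", "enabled", [VPN_APP_ID], None),
]

def frequency_hours(sif):
    """Sign-in frequency in hours: 0 for 'every time', None if not set."""
    if not sif or not sif.get("isEnabled"):
        return None
    if sif.get("frequencyInterval") == "everyTime":
        return 0
    return sif["value"] * {"hours": 1, "days": 24}[sif["type"]]

def vpn_disconnect_report(policies, app_id=VPN_APP_ID):
    """Map each enforced policy covering the VPN app to hours until disconnect."""
    report = {}
    for p in policies:
        apps = p["conditions"]["applications"]
        included = app_id in apps["includeApplications"] or "All" in apps["includeApplications"]
        if p["state"] != "enabled" or not included or app_id in apps["excludeApplications"]:
            continue  # disabled, report-only, or not targeting the VPN app
        hours = frequency_hours((p.get("sessionControls") or {}).get("signInFrequency"))
        if hours is not None:
            report[p["displayName"]] = hours + GRACE_HOURS
    return report

if __name__ == "__main__":
    for name, hours in vpn_disconnect_report(SAMPLE_POLICIES).items():
        print(f"{name}: 3.4.0 clients disconnect after about {hours} h")
```

Report-only policies and policies without a sign-in frequency control are skipped, since neither would cause the disconnect described in the question.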