Leverage existing policies from Azure to secure Wi-Fi and VPN access. Our managed PKI and RADIUS service provides you with everything you need to authenticate to your VPN without the insecurity of passwords, all while being tied to Azure AD/Entra ID users and Intune devices.
Certificate-based authentication requires more than just a PKI and certificates - you’ll need something to authenticate them. SecureW2’s passwordless platform includes a Cloud RADIUS service designed for certificate-based authentication. Our vendor-agnostic platform has a decade of integration with any infrastructure, such as all major MDMs like Intune, access points, firewalls, and your SIEM or syslog servers.
Here’s an overview of why SecureW2’s platform works perfectly in Azure/Entra ID environments:
Digital certificates deliver so much more identity context to each connection and can be used to secure VPNs that support them. We believe certificates don’t need to be complicated to set up or manage. Our cloud managed PKI service makes it easy to deploy passwordless authentication anywhere on your network.
Passwordless security for your RADIUS requires a robust framework to strongly authenticate devices, networks, and apps. Eliminate frustrating password complexity and reset policies for employees on corporate networks and devices while significantly improving authentication security for Wi-Fi, VPN, Single-Sign-On, and more.
For Wi-Fi and VPN connections, Microsoft recommends moving from MSCHAPv2-based (password) connections to certificate-based authentication such as EAP-TLS.
With SecureW2, using digital certificates for network access control is easier than ever. Our Certificate Lifecycle Management solution extends your cloud environment, automating the certificate lifecycle based on real-time data from Azure / Entra ID.
Potential misconfiguration can be a huge window for human error - and a liability for your network security. Our JoinNow MultiOS onboarding application takes human error out of the equation by configuring unmanaged devices for your users. Ensure EAP-TLS is configured correctly every time.
Certificates are essential for Azure AD VPN authentication because they provide safe, scalable, and efficient access control. Unlike traditional password-based techniques, certificate-based authentication eliminates the possibility of credential theft and, because certificates cannot be stolen or transferred, ensures that only authorized devices and users can access the VPN.
SecureW2’s PKI and RADIUS services can leverage the information your organization already has in Azure AD/Entra ID and use that to enroll certificates and apply network access control policies for VPN authentication and access. Certificates are built from detailed templates that can contain customizable information from Azure AD, such as user compliance, risk score, department, email address, and more.
This approach encrypts and protects data, considerably lowering the risk of unauthorized access and improving the overall security posture of the organization's network.
You can link your Azure AD (Microsoft Entra ID) credentials to your VPN. There are plenty of modern VPN providers that enable a direct SAML integration. SecureW2’s integration is made possible by leveraging certificate-based authentication, which has attributes from Azure AD/Entra ID baked into the templates used by the certificates.
SecureW2’s PKI can leverage information from your Azure AD/Entra ID environment to issue and maintain certificates that authenticate devices connecting to your VPN. This configuration guarantees that only devices with valid certificates and Azure AD credentials may connect to the VPN, resulting in a secure and simplified authentication procedure.
Please note that this applies specifically to VPNs that support certificate-based authentication.
SecureW2’s managed PKI service makes distributing and managing certificates for VPN authentication simple. However, how the process works depends on whether you are distributing certificates to devices managed by an MDM such as Intune or to unmanaged devices/BYODs.
For managed devices, our API Gateways check a device’s status every 10 minutes, and can automatically revoke or renew certificates based on their status. Our PKI as a service also includes customizable policies you can create, such as non-utilization, which means certificates that aren’t used for a definable period of time (such as 60 days) are automatically revoked.
With devices managed by MDMs such as Intune, we offer class-leading API Gateways that support SCEP, Dynamic SCEP, OAuth, ACME, JSON, and much more. These gateways constantly scan sources like Intune, Jamf, or Crowdstrike to make sure that devices are low-risk and compliant, so a certificate doesn’t still exist on a device that was forgotten about or stolen.
For BYODs, SecureW2’s JoinNow onboarding solution is the highest-rated self-service certificate enrollment solution available in the market, beating Cisco and HPE. This is how users get certificates using their Azure AD credentials. MultiOS makes certificates easy by guiding users through registration and ensuring safe certificate issuance and configuration without IT intervention. This solution strikes a balance between security and user convenience, speeding certificate distribution for devices with all major operating systems.
Our PKI allows administrators to leverage the information they already have in Azure AD/Entra ID by encoding customizable attributes on certificates. Because those certificates cannot be transferred to another device, administrators have the utmost certainty that each device connecting to your VPN is supposed to be there.
Our Cloud RADIUS service integrates with Azure AD further through the process of Identity Lookup. At the time of authentication, Cloud RADIUS will verify with Azure AD directly that the user or device exists in your directory. As a result, only the most current access policies are applied to users and devices trying to access your VPN, even if you haven’t revoked their certificates yet. This is perfect for changes that might occur suddenly, such as an employee leaving the organization or changes in departments.
Using Microsoft Cloud PKI for VPN certificates has restrictions that may not suit all organizational requirements. While Microsoft Cloud PKI provides basic certificate services, it lacks the sophisticated functionality and flexibility needed for full VPN administration. One major restriction is its integration capability. Microsoft Cloud PKI may not connect effectively with non-Microsoft systems or provide the granular control required for various network configurations.
SecureW2 provides more automation and user self-service choices than Microsoft Cloud PKI. SecureW2's PKI services, for example, offer automatic certificate enrollment for managed devices and a user-friendly onboarding application for BYOD or unmanaged devices, ensuring that certificates are distributed smoothly and securely.
Furthermore, SecureW2's PKI works natively with Azure AD, providing dynamic policy enforcement and sophisticated security features designed specifically for VPN authentication. Third-party PKI systems, such as SecureW2, are a more comprehensive option for VPN certificates due to their flexibility, integration, and user-centric features.
No, it does not. The JoinNow solution verifies Entra ID users and issues secure digital certificates for VPN authentication. However, these certificates are not compatible with an Azure VPN Gateway. SecureW2 VPN solutions use credential-based authentication rather than certificate authentication. While we may provide certificates for VPN authentication, we do not suggest SecureW2 CloudRADIUS for this reason. Using our managed PKI and Cloud RADIUS services, you may improve security and expedite authentication operations. This setup provides a secure, user-friendly VPN login experience while preserving robust network access control and visibility. Integration with current Azure AD and Intune setups allows a more efficient deployment and maintenance strategy for your network's security requirements.
No, this is incompatible with the Azure VPN Client. The JoinNow solution aims to validate Entra ID users and give secure digital certificates for VPN authentication. However, these certificates are not compatible with the Azure VPN Client. SecureW2 VPN solutions do not employ passwordless authentication but rather credential-based authentication. Instead, these certificates work with other VPN systems that use certificate-based authentication. Using our managed PKI and Cloud RADIUS services, you can improve security and streamline authentication procedures, providing a safe and user-friendly VPN login experience while retaining robust network access control and visibility.
Both the Azure Virtual Network Gateway and a traditional VPN enable secure network connections, but their operations and functionalities differ. The Azure Virtual Network Gateway is a cloud-based solution that connects on-premises networks to Azure using secure tunnels. It integrates well with other Azure services, making it an excellent choice for optimizing cloud deployments and hybrid cloud solutions. Scalability is one of its main advantages since it can easily manage significant traffic. Furthermore, being managed by Microsoft eliminates the need for customers to worry about on-premises hardware and maintenance, simplifying network administration and upkeep.
A traditional VPN, on the other hand, is often hosted on-premises or by a third-party provider. It requires physical or virtual VPN hardware to manage the connections, which can complicate setup and maintenance. This VPN gives you complete control over the network setup, allowing unique settings and adherence to specified security regulations. Traditional VPNs often provide secure remote access and site-to-site communications between many sites. While they offer more flexibility and customization possibilities, they also demand more effort across hardware, software, and network settings.
Our managed PKI platform allows your organization to issue certificates to your end-users based on attributes in Azure AD/Entra ID. These certificates may then be used to authenticate to all major VPNs, increasing flexibility and security. Because they cannot be stolen or transferred to other devices, certificates ensure that only authorized users and devices can access your virtual network gateway.
Cloud RADIUS works in tandem with our PKI to offer passwordless authentication, eliminating the risks associated with conventional passwords. Cloud RADIUS's direct connection with Azure AD provides smooth policy enforcement and real-time user verification, boosting network security.