I’m trying to configure a site‑to‑site VPN between Azure Virtual Network and an on‑prem Windows Server 2019 AD DS. After setting up the Azure VPN gateway and the on‑prem VPN device, I can establish the tunnel, but users can’t authenticate to Azure AD when connecting from the corporate LAN. Any ideas on required routes or DNS settings?
TechGuru
Sep 14, 2025 10:07 AM
Make sure you’ve enabled split‑tunneling on the Azure VPN client profile so that traffic destined for Azure AD endpoints (e.g., login.microsoftonline.com) is routed through the tunnel. Also, add the Azure AD DNS suffix (***.onmicrosoft.com) to your on‑prem DNS forwarders.
NetworkAdmin
Sep 14, 2025 11:15 AM
I ran `tracert login.microsoftonline.com` and it goes out the regular Internet interface, not the VPN. Adding the following route fixed it:
```
REM Windows "route add" needs the next-hop gateway before "metric";
REM <VPN_GATEWAY_IP> is a placeholder for the LAN address of the on-prem VPN device
route add 13.107.0.0 mask 255.255.0.0 <VPN_GATEWAY_IP> metric 1
```
Replace the network with the IP ranges listed in Microsoft’s Azure IP list.
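As an added example (not code from the thread or from Microsoft), here is a small Python check of the idea in this answer: take the address prefixes for a service tag in the layout of Microsoft's downloadable Azure service-tag JSON, run a longest-prefix match against the host's routing table to see which interface actually carries the addresses a hostname resolves to, list the tag prefixes that no tunnel route covers, and emit the matching `route add` lines. The service-tag excerpt, the routing table, the DNS answers and the `VPN`/`Ethernet` interface names are all constructed for the example; the real prefixes come from the published file, the real table from `route print` or `Get-NetRoute`, and the next hop stays a `<VPN_GATEWAY_IP>` placeholder because it is site-specific.

```python
"""Check whether identity-provider traffic would leave through the tunnel.
Everything below is constructed sample data; only the JSON layout
("values" -> "name", "properties" -> "addressPrefixes") follows the
published Azure service-tag file."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the shape of the service-tag JSON; prefixes are placeholders.
SERVICE_TAGS = {
    "values": [
        {"name": "AzureActiveDirectory",
         "properties": {"addressPrefixes": ["13.107.6.0/24", "20.190.128.0/18",
                                            "2603:1006:2000::/48"]}},
        {"name": "AzureCloud.eastus",
         "properties": {"addressPrefixes": ["20.42.0.0/16"]}},
    ]
}

# Constructed routing table: (destination prefix, next hop, interface).
# Only the default route and one internal route exist, so nothing is
# steered into the tunnel yet.
Route = Tuple[str, str, str]
ROUTES: List[Route] = [
    ("0.0.0.0/0", "192.0.2.1", "Ethernet"),
    ("10.0.0.0/16", "192.0.2.254", "VPN"),
]

# Constructed DNS answers for the hosts under test (addresses are illustrative).
RESOLVED = {
    "login.microsoftonline.com": ["20.190.151.7", "13.107.6.15"],
    "example.test": ["198.51.100.9"],
}


def prefixes_for_tag(tags: dict, tag_name: str) -> list:
    """Return the address prefixes published for one service tag."""
    for entry in tags["values"]:
        if entry["name"] == tag_name:
            return [ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"]]
    raise KeyError(tag_name)


def longest_match(ip: str, routes: List[Route]) -> Optional[Route]:
    """Longest-prefix match, the way a host routing table selects a route."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for dest, nexthop, iface in routes:
        net = ipaddress.ip_network(dest)
        if addr.version == net.version and addr in net and net.prefixlen > best_len:
            best, best_len = (dest, nexthop, iface), net.prefixlen
    return best


def audit_host(hostname: str, resolved: Dict[str, List[str]],
               routes: List[Route]) -> Dict[str, str]:
    """Map each address the host resolves to onto the interface that would carry it."""
    result = {}
    for ip in resolved[hostname]:
        match = longest_match(ip, routes)
        result[ip] = match[2] if match else "unreachable"
    return result


def uncovered_prefixes(tags: dict, tag_name: str, routes: List[Route],
                       tunnel_iface: str = "VPN") -> List[str]:
    """Tag prefixes that no route on the tunnel interface covers entirely."""
    tunnel_nets = [ipaddress.ip_network(d) for d, _, iface in routes if iface == tunnel_iface]
    missing = []
    for net in prefixes_for_tag(tags, tag_name):
        covered = any(net.version == t.version and net.subnet_of(t) for t in tunnel_nets)
        if not covered:
            missing.append(str(net))
    return missing


def route_commands(tags: dict, tag_name: str,
                   gateway: str = "<VPN_GATEWAY_IP>", metric: int = 1) -> List[str]:
    """Emit Windows `route add` lines for a tag's IPv4 prefixes; the next hop is
    site-specific, so it stays a placeholder unless the caller supplies it."""
    cmds = []
    for net in prefixes_for_tag(tags, tag_name):
        if net.version != 4:
            continue  # the `route add ... mask ...` form shown here is IPv4 only
        cmds.append(f"route add {net.network_address} mask {net.netmask} {gateway} metric {metric}")
    return cmds


if __name__ == "__main__":
    print(audit_host("login.microsoftonline.com", RESOLVED, ROUTES))
    print(uncovered_prefixes(SERVICE_TAGS, "AzureActiveDirectory", ROUTES))
    print("\n".join(route_commands(SERVICE_TAGS, "AzureActiveDirectory")))
```

Running it with the constructed table shows both resolved addresses leaving via `Ethernet`, which is the symptom described in the thread; adding tunnel routes for the uncovered prefixes flips the audit to `VPN`. The coverage check uses `subnet_of`, so a tunnel route that only partially overlaps a tag prefix is still reported as uncovered rather than silently passing.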