Azure AD Authentication for Virtual WAN

Enable Azure Active Directory (Azure AD) authentication for your Virtual WAN hubs to provide secure, role‑based access control to your network resources.

Prerequisites

Enable Azure AD Authentication

Azure CLI

```bash
# Log in
az login

# Set variables
RESOURCE_GROUP="myResourceGroup"
WAN_NAME="myVirtualWAN"
HUB_NAME="myHub"

# Enable Azure AD auth on the hub
az network vhub update \
  --resource-group "$RESOURCE_GROUP" \
  --name "$HUB_NAME" \
  --virtual-wan "$WAN_NAME" \
  --azure-ad-auth-type AAD

# Verify
az network vhub show \
  --resource-group "$RESOURCE_GROUP" \
  --name "$HUB_NAME" \
  --query "azureAdAuthType"
```

PowerShell

```powershell
# Connect to Azure
Connect-AzAccount

# Variables
$rg = "myResourceGroup"
$wan = "myVirtualWAN"
$hub = "myHub"

# Enable Azure AD auth on the hub
Update-AzVirtualHub -ResourceGroupName $rg `
    -Name $hub `
    -VirtualWan $wan `
    -AzureAdAuthType "AAD"

# Verify
Get-AzVirtualHub -ResourceGroupName $rg -Name $hub |
    Select-Object -ExpandProperty AzureAdAuthType
```

Portal

1. Open the Azure portal and navigate to your Virtual WAN.

2. Select **Hubs**, then choose the hub you want to configure.

3. In the hub blade, click **Authentication** under Settings.

4. Switch **Azure AD authentication** to Enabled and click **Save**.

5. Verify the status shows Enabled on the hub overview page.

Assigning Roles

After Azure AD authentication is enabled, assign roles to users or groups using Azure RBAC.

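```bash
# Example: Assign Virtual Network Contributor role to a user
# Assumes the Virtual WAN lives in the currently selected subscription.
SUBSCRIPTION_ID="$(az account show --query id --output tsv)"

az role assignment create \
  --assignee user@contoso.com \
  --role "Virtual Network Contributor" \
  --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Network/virtualWans/$WAN_NAME"
```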

Common Issues

Authentication fails with 403 error

Ensure the user has been granted a role that includes Microsoft.Network/virtualWans/* permissions. Verify the AzureAdAuthType property is set to AAD on the hub.
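
The role check described above can be done mechanically. The script below is an added example, not code from this page or from Microsoft: it tests whether a single role's Actions and NotActions lists permit each `Microsoft.Network/virtualWans` operation. The function names, the sample action lists and the three operation names are constructed for illustration.

```shell
#!/bin/sh
# Added example: does ONE role definition permit a given operation?
# Assumed Azure RBAC semantics: an operation is permitted when it matches at
# least one Actions pattern and no NotActions pattern; "*" matches any run of
# characters (including "/"); matching is case-insensitive.

# matches_any OPERATION PATTERN... -> exit 0 if any pattern matches
matches_any() {
  op=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  shift
  for pattern in "$@"; do
    pattern=$(printf '%s' "$pattern" | tr '[:upper:]' '[:lower:]')
    case "$op" in
      $pattern) return 0 ;;   # unquoted on purpose: "*" acts as a wildcard
    esac
  done
  return 1
}

# role_allows OPERATION "ACTIONS" "NOT_ACTIONS" (whitespace-separated lists)
role_allows() {
  required=$1 actions=$2 not_actions=$3
  allowed=1
  set -f   # split the lists into words without expanding "*" against files
  if matches_any "$required" $actions && ! matches_any "$required" $not_actions; then
    allowed=0
  fi
  set +f
  return "$allowed"
}

# missing_operations "ACTIONS" "NOT_ACTIONS" OPERATION... -> prints the gaps
missing_operations() {
  acts=$1 nots=$2 missing=""
  shift 2
  for required_op in "$@"; do
    role_allows "$required_op" "$acts" "$nots" || missing="$missing $required_op"
  done
  printf '%s\n' "${missing# }"
}

# Constructed sample data (not real role definitions).
VWAN_OPS="Microsoft.Network/virtualWans/read Microsoft.Network/virtualWans/write Microsoft.Network/virtualWans/delete"
READ_ONLY_ACTIONS="Microsoft.Network/virtualWans/read Microsoft.Network/virtualNetworks/*"

echo "read-only role lacks: $(missing_operations "$READ_ONLY_ACTIONS" "" $VWAN_OPS)"
echo "wildcard role lacks:  $(missing_operations "Microsoft.Network/*" "" $VWAN_OPS)"
```

The check covers one role in isolation: NotActions only subtracts from that role's own Actions, so a user's effective access also depends on any other role assignments at the same or a parent scope.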

CLI returns “Invalid argument” for --azure-ad-auth-type

Update Azure CLI to the latest version. The --azure-ad-auth-type flag was introduced in version 2.45.

Portal UI does not show Authentication option

Refresh the portal page or clear your browser cache. The feature is only available for Virtual WAN hubs created after the 2023‑09 release.
