Title: Azure VPN Gateway Point-to-Site with Entra ID Authentication – Token Acquisition Error

Question

Title: Azure VPN Gateway Point-to-Site with Entra ID Authentication – Token Acquisition Error

Abdelrhman Goma 75

Screenshot from 2025-07-31 17-31-49.png

I’m setting up an Azure VPN Gateway with Point-to-Site (P2S) configuration to allow private access to our resources. I’ve configured it to use Microsoft Entra ID for authentication.

However, when I try to connect using the Azure VPN Client, the connection fails with the following error:Failure in acquiring Microsoft Entra Token:

Provider Error 3399614468: AADSTS650057: Invalid resource.

The client has requested access to a resource which is not listed in the requested permissions

in the client's application registration.

Client app ID: 632b3df-fb67-4d84-bdcf-b95ad541b5c8 (Azure VPN)

Resource value from request: 7a579821-9890-40f9-a758-c26c12d8cbc2.

Resource app ID: 7a579821-9890-40f9-a758-c26c12d8cbc2.

List of valid resources from app registration:

Trace ID: 6042eee5-2229-4ed5-8ea4-2dd92a751600

Correlation ID: 666f2edf-4944-467f-b832-109644394c36

Timestamp: 2025-07-31T14:12:31Z
What I’ve done so far:

Configured VPN Gateway and created P2S profile

Set authentication type to Microsoft Entra ID

Imported the profile into Azure VPN Client

Ensured users are granted access to the VPN

I suspect the issue is related to API permissions or app registration configuration for the Azure VPN client but I’m not sure how to properly fix it.

Question: How can I resolve this error and successfully connect to the Azure VPN Gateway using Entra ID authentication? Are there specific permissions or resource IDs that need to be configured in the app registration for P2S VPN?

Praveen Bandaru 6,850 Reputation points Microsoft External Staff Moderator

2025-08-04T02:25:20.96+00:00

Hello Abdelrhman Goma

I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to "up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Praveen Bandaru 6,850 Reputation points Microsoft External Staff Moderator

2025-08-05T01:01:09.6566667+00:00

Hello Abdelrhman Goma

I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to "up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Accepted answer

0 additional answers

Your answer

Praveen Bandaru 6,850 Reputation points Microsoft External Staff Moderator

2025-08-04T02:25:20.96+00:00

Hello Abdelrhman Goma

I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to "up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Praveen Bandaru 6,850 Reputation points Microsoft External Staff Moderator

2025-08-05T01:01:09.6566667+00:00

Hello Abdelrhman Goma

I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to "up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 1

Praveen Bandaru 6,850 Microsoft External Staff Moderator

Hello Abdelrhman Goma

I understand that you are facing point-to-site connection issue.
The error message you're seeing—AADSTS650057: Invalid resource—usually occurs when there's a mismatch between the Audience (resource ID) set in the VPN Gateway configuration and the permissions assigned to the Azure VPN Client app registration in Microsoft Entra ID. This means that the resource, if it exists, hasn't been set up in the tenant. The application should guide the user with steps for installing the app and adding it to Microsoft Entra ID. In development, this often points to a misconfigured test tenant or a typo in the requested scope name.

Check the reference document: https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#handling-error-codes-in-your-application

The Azure VPN Client is attempting to access a resource value that isn't covered by the app registration's permissions. This may happen if:

A custom app registration is being used with the Azure VPN Client.
The Audience value set in the VPN Gateway configuration doesn't match the app registration's resource ID.
The app registration lacks the necessary API permissions.

You can follow the below steps to resolve your issue:

Microsoft now offers a pre-registered app for the Azure VPN Client, making configuration easier and eliminating the need for manual app registration.

App ID (Client ID): 41b23e61-6c1e-4545-b367-cd054e0ed4b4
Audience value: Use the same App ID as above

Please update your VPN Gateway configuration to set this App ID as the Audience. Make sure that the Audience value in the VPN Gateway is the same as the App ID of your custom app.

Check the below public document:

https://stackoverflow.com/questions/76409348/how-can-i-troubleshoot-the-aadsts650057-error-when-setting-up-vpn-client-connect

https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant#enable-authentication

https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-entra-users-access

Authorizing the Microsoft-registered Azure VPN Client app allows it to sign in and access user profile information. After that update the VPN gateway configuration

Once you have updated, please download the VPN client profile again and re-import it into the Azure VPN Client.

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Abdelrhman Goma 75 Reputation points

2025-08-05T09:28:46.1333333+00:00

Hello [Praveen Bandaru],

Thank you very much for your detailed explanation and for providing the references—it was really helpful in understanding the issue. I’ll follow your recommendations and update the VPN Gateway configuration with the Microsoft-registered Azure VPN Client App ID.

I have one last question: We’re currently using SKU VpnGw1 deployed in UAE North, while most of our Azure resources are in UK South. Our team is fully remote (22 users across Poland, Egypt, and Pakistan), and there are no on-premises resources.

Before deployment, the estimated cost for the VPN Gateway showed around $138/month, but after deploying it, we’re seeing costs closer to $340/month. Could you please help me understand why there’s such a difference between the estimated and actual cost?

Thanks again for your support!

Best regards, Abdelrhman Goma
Praveen Bandaru 6,850 Reputation points Microsoft External Staff Moderator

2025-08-05T10:56:32.7866667+00:00

Hello Abdelrhman Goma
Thank you for your response. Regarding your cost question, the VPN Gateway has a fixed price; however, data transfer costs are not included in the base estimate provided by the pricing calculator.

Inbound data traffic to Azure is free, while outbound data is charged according to the volume and the destination region. And your users are located remotely in Poland, Egypt, and Pakistan, and they access resources in UK South through a gateway in UAE North, outbound data transfers from UAE North to these regions may incur significant costs.

Check bandwidth usage in the Azure portal by going to Cost Analysis and Metrics.

Check the below pricing document for more understanding:
VPN Gateway pricing

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
Abdelrhman Goma 75 Reputation points

2025-08-05T11:13:07.1+00:00

Hello [Praveen Bandaru],

Thank you for clarifying the data transfer aspect and for sharing the pricing documentation.

I just want to add that we’re currently only testing the VPN Gateway, and there hasn’t been any significant outbound data transfer yet. However, even with this minimal usage, the actual monthly cost is already showing over $300, whereas the Azure Pricing Calculator estimated only around $138/month for the same configuration (VpnGw1 in UAE North with 22 users).

Could you please help me understand why there’s such a large discrepancy between the calculator estimate and the actual cost during this testing phase?

Thank you again for your continued support!

Best regards, Abdelrhman Goma
Praveen Bandaru 6,850 Reputation points Microsoft External Staff Moderator

2025-08-06T01:01:19.45+00:00

Hello Abdelrhman Goma
Thank you for your response. I have initiated a private message please share the required information there so we can connect and discuss on your further quires.
Abdelrhman Goma 75 Reputation points

2025-08-06T10:50:58.1733333+00:00

Hello Praveen,

Thank you for taking the time to speak with me today and for your support in troubleshooting the issue. I really appreciate your guidance and help.

Best regards, Abdelrhman Goma

Share via

Title: Azure VPN Gateway Point-to-Site with Entra ID Authentication – Token Acquisition Error

0 additional answers

Your answer