Hi, with Azure P2S (Sign In authentication), removing a user from the group/app doesn't close the VPN or invalidate any tokens already issued: the session remains valid until the token expires. To minimize this window:
- Set a short sign-in frequency (e.g., 30–60 minutes) in Conditional Access for the Azure VPN app so the tunnel requires frequent re-auths.
- When you remove the user (or the PIM assignment expires), run Revoke sign-in sessions on the user profile to immediately invalidate token refreshes.
- If immediate blocking is needed, disable the user or rotate the VPN profile's secrets/issuers and redeploy it (breaks everyone).
- Automate the flow (remove group → revokeSignInSessions) with a Logic App/Function.
The result: no client-side profile deletion prompts and almost immediate access revocation.
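The "remove from group, then revoke sign-in sessions" flow from the answer above, written out as an added example (not from the original post or from Microsoft). It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups and Microsoft.Graph.Users.Actions modules) and an account allowed to edit the VPN group and revoke sessions; the group ID and UPN at the bottom are placeholders.

```powershell
# Added example: remove a user from the VPN assignment group and revoke their
# sign-in sessions so refresh tokens stop working. The existing tunnel still
# stays up until the access token expires or the Conditional Access sign-in
# frequency forces a re-auth, exactly as described in the answer.
Import-Module Microsoft.Graph.Groups, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions

function Revoke-VpnAccess {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $VpnGroupId   # object ID of the VPN assignment group
    )

    $user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName
    if (-not $user) { throw "User '$UserPrincipalName' not found." }

    # Step 1: drop the group membership if it is still present (PIM may already
    # have removed it when the assignment expired, so this is idempotent).
    $isMember = Get-MgGroupMember -GroupId $VpnGroupId -All |
        Where-Object { $_.Id -eq $user.Id }
    if ($isMember) {
        Remove-MgGroupMemberByRef -GroupId $VpnGroupId -DirectoryObjectId $user.Id
        Write-Verbose "Removed $($user.UserPrincipalName) from group $VpnGroupId"
    }

    # Step 2: invalidate refresh tokens and session cookies; new tokens cannot
    # be obtained, so the next sign-in frequency check fails for this user.
    $result = Revoke-MgUserSignInSession -UserId $user.Id

    # Step 3: verify by reading back the timestamp before which sessions are
    # now considered invalid (signInSessionsValidFromDateTime on the user object).
    $after = Get-MgUser -UserId $user.Id -Property SignInSessionsValidFromDateTime

    [pscustomobject]@{
        User                         = $user.UserPrincipalName
        RemovedFromGroup             = [bool]$isMember
        RevokeSucceeded              = [bool]$result.Value
        SignInSessionsValidFromUtc   = $after.SignInSessionsValidFromDateTime
    }
}

# Usage (placeholders; needs GroupMember.ReadWrite.All and User.RevokeSessions.All):
Connect-MgGraph -Scopes "GroupMember.ReadWrite.All", "User.RevokeSessions.All"
Revoke-VpnAccess -UserPrincipalName "user@example.com" `
                 -VpnGroupId "<VPN-GROUP-OBJECT-ID>" -Verbose
```

The same two Graph calls (DELETE the group member ref, then POST users/{id}/revokeSignInSessions) are what a Logic App or Function triggered on the PIM assignment expiry would issue; the read-back of SignInSessionsValidFromDateTime is the check that the revocation actually took effect.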
Azure P2S VPN (Entra Authentication) | Doesn't revoke access once removed from Azure VPN Group Access
Hi Team,
I have observed a limitation (by design) in how user assignments work with Enterprise Applications (in this case, a VPN Client App).
Currently:
- When a user is assigned to the Enterprise Application, they are able to connect successfully using the VPN Client.
- However, when the user is later removed from the Enterprise App or its assignment group, their existing token/access is not revoked. The user can still access the VPN unless they manually remove the VPN profile/configuration from their local client.
In our scenario, users are assigned/removed from the VPN Assignment Group via Privileged Identity Management (PIM). This creates both:
- A security loophole (access persists even after assignment removal).
- An operational overhead, since administrators must manually verify whether users have deleted the VPN profile from their local machines after each session.
Is there a recommended approach or best practice from Microsoft to enforce immediate revocation of access once a user is unassigned from the Enterprise Application (or when their PIM assignment expires)?
Thanks in advance for your guidance.