Tags: azure, azure-active-directory, azure-vpn

How can I troubleshoot the AADSTS650057 error when setting up VPN client connection with Azure AD?


Need help with VPN client error despite configuring permissions correctly (AADSTS650057)

I have been trying to set up a VPN client connection to my Azure Virtual Network (VNet) using Azure Active Directory (Azure AD) for authentication. However, I keep encountering an error (AADSTS650057) stating that the client requested access to a resource which is not listed on the requested permissions in the client app registration. Here's a breakdown of what I have done:

Configured API permissions: I have selected the appropriate API permissions, including "user_impersonation" for Azure Service Management, and granted admin consent. I have followed the documentation and made sure the permissions are properly set up.

Azure AD app registration: I have registered a client application in Azure AD and configured it with the necessary permissions and redirect URIs. I have ensured that the app registration matches the permissions requested in the VPN client configuration.

Checked Azure AD configuration: I have verified that the Azure AD configuration, including the tenant ID and AAD Issuer, is accurately configured in the VPN client and matches the settings in my Azure AD tenant.

Despite these steps, I am still encountering the AADSTS650057 error, which indicates that the requested resource is not listed in the permissions granted to the client app registration.

Has anyone else faced a similar issue with VPN client connectivity using Azure AD authentication? What additional troubleshooting steps can I take to resolve this error and establish a successful VPN connection?

Any insights, suggestions, or guidance would be greatly appreciated. Thank you in advance for your help!


Solution

I tried the same in my environment, selected the API permission user_impersonation for Azure Service Management, and granted admin consent like below:

(screenshot omitted)

To set up a VPN client connection to my Azure Virtual Network (VNet) using Azure Active Directory (Azure AD) for authentication, I created a virtual network gateway like below:

(screenshot omitted)

(screenshot omitted)

Tenant: https://login.microsoftonline.com/{AzureAD TenantID}

Audience: 41b23e61-6c1e-4545-b367-cd054e0ed4b4

Issuer: https://sts.windows.net/{AzureADTenantID}/

Then save and download the VPN client file.

To authorize the application, open this URL in a browser, log in with a global access account, and grant admin consent for your organization. This allows the Azure VPN application to sign in and read user profiles.

https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

(screenshot omitted)

Install the Azure VPN client, extract the downloaded zip file, import the azurevpnconfig.xml file, and the VPN client connects successfully like below:

(screenshot omitted)

If the error still occurs, check that you have provided a valid Audience and URL.
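The answer ends with "check that you have provided a valid Audience and URL", which is exactly the kind of mismatch behind this class of AADSTS error. The script below is an added example, not part of the original answer or of any Microsoft tooling. It parses the `<aad>` section of an Azure VPN client profile and checks the three values the answer lists: the audience must be the Azure VPN application ID quoted above, the issuer must have the `https://sts.windows.net/<tenant-id>/` shape including the trailing slash, the tenant URL must have the `https://login.microsoftonline.com/<tenant-id>` shape, the two tenant IDs must agree, and no `{...}` placeholder from the documentation may be left in. It also sanity-checks the admin-consent URL from the answer. The element names (`clientauth`, `aad`, `audience`, `issuer`, `tenant`) are an assumption about the `azurevpnconfig.xml` layout, and the tenant ID and both sample profiles are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

# Azure VPN enterprise application (client) ID, as quoted in the answer above.
AZURE_VPN_APP_ID = "41b23e61-6c1e-4545-b367-cd054e0ed4b4"
# Constructed tenant ID for the sample profiles (not a real tenant).
TENANT_ID = "11111111-2222-3333-4444-555555555555"

GUID_RE = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
TENANT_RE = re.compile(rf"^https://login\.microsoftonline\.com/({GUID_RE})/?$")
ISSUER_RE = re.compile(rf"^https://sts\.windows\.net/({GUID_RE})/$")  # trailing slash required


def _check_value(name, value, pattern, hint):
    """Flag an unreplaced {placeholder} first, then a value of the wrong shape."""
    if "{" in value or "}" in value:
        return [f"{name}: placeholder braces left in {value!r}; replace with the real tenant ID"]
    if not pattern.match(value):
        return [f"{name}: {value!r} must look like {hint}"]
    return []


def check_vpn_profile(xml_text):
    """Return a list of findings for the <aad> block of a VPN profile (empty = consistent).
    Element names are assumed, not taken from the page."""
    root = ET.fromstring(xml_text)
    aad = root.find("./clientauth/aad")
    if aad is None:
        return ["no <clientauth>/<aad> section: profile is not configured for Azure AD auth"]
    audience = (aad.findtext("audience") or "").strip()
    issuer = (aad.findtext("issuer") or "").strip()
    tenant = (aad.findtext("tenant") or "").strip()

    findings = []
    if audience.lower() != AZURE_VPN_APP_ID:
        findings.append(f"audience: {audience!r} is not the Azure VPN app ID {AZURE_VPN_APP_ID}")
    findings += _check_value("issuer", issuer, ISSUER_RE,
                             "https://sts.windows.net/<tenant-id>/ (trailing slash required)")
    findings += _check_value("tenant", tenant, TENANT_RE,
                             "https://login.microsoftonline.com/<tenant-id>")
    m_issuer, m_tenant = ISSUER_RE.match(issuer), TENANT_RE.match(tenant)
    if m_issuer and m_tenant and m_issuer.group(1).lower() != m_tenant.group(1).lower():
        findings.append("tenant ID in issuer does not match tenant ID in tenant URL")
    return findings


def check_consent_url(url):
    """Sanity-check the admin-consent URL: right host, right client_id, prompt=admin_consent."""
    parts = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if parts.scheme != "https" or parts.netloc != "login.microsoftonline.com":
        findings.append("URL must point at https://login.microsoftonline.com")
    if q.get("client_id", "").lower() != AZURE_VPN_APP_ID:
        findings.append("client_id is not the Azure VPN app ID")
    if q.get("prompt") != "admin_consent":
        findings.append("prompt must be admin_consent to grant tenant-wide consent")
    if q.get("redirect_uri") != "https://portal.azure.com":
        findings.append("redirect_uri should be https://portal.azure.com")
    return findings


# Constructed sample profile with consistent values (layout is an assumption).
GOOD_PROFILE = f"""<AzVpnProfile>
  <clientconfig><serverlist><ServerEntry><displayname>vpn-gw</displayname>
  <fqdn>gw.example.invalid</fqdn></ServerEntry></serverlist></clientconfig>
  <clientauth>
    <authtype>aad</authtype>
    <aad>
      <audience>{AZURE_VPN_APP_ID}</audience>
      <issuer>https://sts.windows.net/{TENANT_ID}/</issuer>
      <tenant>https://login.microsoftonline.com/{TENANT_ID}</tenant>
    </aad>
  </clientauth>
</AzVpnProfile>"""

# Constructed sample with two common mistakes: issuer without the trailing slash,
# and the documentation placeholder left in the tenant URL.
BAD_PROFILE = """<AzVpnProfile>
  <clientauth>
    <authtype>aad</authtype>
    <aad>
      <audience>41b23e61-6c1e-4545-b367-cd054e0ed4b4</audience>
      <issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555</issuer>
      <tenant>https://login.microsoftonline.com/{AzureAD TenantID}</tenant>
    </aad>
  </clientauth>
</AzVpnProfile>"""

# The admin-consent URL exactly as given in the answer.
CONSENT_URL = ("https://login.microsoftonline.com/common/oauth2/authorize"
               "?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code"
               "&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent")

if __name__ == "__main__":
    for name, profile in (("good profile", GOOD_PROFILE), ("bad profile", BAD_PROFILE)):
        print(name, check_vpn_profile(profile) or "OK")
    print("consent url", check_consent_url(CONSENT_URL) or "OK")
```

To run it against a real download, read the extracted `azurevpnconfig.xml` into a string and pass it to `check_vpn_profile`; if the file carries a default XML namespace the element lookups need the namespace prefix added. Every finding maps back to one of the three gateway settings in the answer, so a non-empty list tells you which field to re-enter on the gateway before downloading the profile again.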