Microsoft Tunnel for Intune
Microsoft Tunnel provides per-app VPN for managed mobile devices — the Intune-integrated way to access on-prem resources.
Microsoft Tunnel is a VPN solution integrated with Microsoft Intune for managed mobile devices (iOS, Android, Windows) — providing per-app VPN that's controlled through Intune policies and identity-aware via Entra ID. It's how mobile devices access on-premises resources without a traditional client-VPN deployment.
What Tunnel provides
For mobile users who have Microsoft 365 access and also need to reach on-prem resources:
- Per-app VPN — only specific apps route through the tunnel; everything else uses normal internet.
- Per-user VPN — only specific user groups have access.
- Conditional Access integration — tunnel access conditional on device compliance, location, sign-in risk.
- Single sign-on through Entra ID.
- TLS-based — modern VPN, not legacy IPsec.
Two flavours
Microsoft Tunnel (MDM-based)
For Intune-enrolled managed mobile devices. The Tunnel client is deployed via Intune; configuration profiles set up the VPN; access is gated by Conditional Access.
Best for corporate-owned mobile devices.
Microsoft Tunnel for MAM (Mobile Application Management)
For personal devices under Intune's MAM model — devices that aren't enrolled in MDM but have corporate apps protected by app protection policies. Tunnel for MAM provides similar VPN capability scoped to MAM-protected apps, without device enrolment.
Best for BYOD scenarios where the user keeps their device unmanaged but corporate apps need on-prem access.
Architecture
Tunnel deploys a gateway service in your network:
- A small Linux server (often a container) acts as the gateway.
- The gateway authenticates against Entra ID.
- Tunnel client apps on devices connect to the gateway over TLS.
- Traffic is routed from the gateway to internal resources.
Gateways can be deployed in HA pairs for resilience and in multiple regions for global mobile users.
Configuration
A typical setup:
- Deploy the Tunnel gateway on a Linux VM in your network, with appropriate firewall rules to reach internal resources.
- Register the gateway with Intune.
- Configure server settings — what subnets and DNS servers the tunnel exposes.
- Create a VPN profile in Intune referencing the gateway.
- Assign the profile to user groups.
- Pair with Conditional Access — require Tunnel for accessing specific apps.
- Test with pilot users.
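The steps above combine three independent gates (per-app scope, profile assignment to user groups, and Conditional Access) with split-tunnel routing over the subnets the server settings expose. As an added illustration that is not part of this page and not Microsoft's Tunnel implementation, the following Python model evaluates a single connection against those gates; the app id, group name, subnets and the resulting "direct"/"tunnel"/"blocked" labels are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for the Tunnel server settings: the subnets the
# gateway routes into. Example data, not a real Intune configuration.
SERVER_SUBNETS = [ip_network("10.20.0.0/16"), ip_network("192.168.100.0/24")]


@dataclass(frozen=True)
class VpnProfile:
    """Constructed stand-in for an Intune VPN profile that references the gateway."""
    allowed_apps: frozenset        # per-app VPN: app ids that may use the tunnel
    assigned_groups: frozenset     # per-user VPN: groups the profile is assigned to
    require_compliant: bool = True # Conditional Access gate at gateway sign-in


@dataclass(frozen=True)
class Request:
    """One outbound connection attempt from an app on a managed device."""
    app: str
    user_groups: frozenset
    device_compliant: bool
    dest_ip: str


def route(profile: VpnProfile, req: Request, subnets=SERVER_SUBNETS) -> str:
    """Return 'direct', 'tunnel' or 'blocked' for a single connection."""
    # Gate 1: per-app scope. Apps outside the profile never touch the tunnel.
    if req.app not in profile.allowed_apps:
        return "direct"
    # Gate 2: per-user scope. Users outside the assigned groups never receive
    # the profile, so their traffic also takes the normal internet path.
    if not (req.user_groups & profile.assigned_groups):
        return "direct"
    # Split tunnel: only destinations inside the exposed subnets go to the
    # gateway; everything else bypasses it.
    if not any(ip_address(req.dest_ip) in net for net in subnets):
        return "direct"
    # Gate 3: Conditional Access. A non-compliant device cannot sign in to
    # the gateway, so on-prem destinations become unreachable, not exposed.
    if profile.require_compliant and not req.device_compliant:
        return "blocked"
    return "tunnel"


if __name__ == "__main__":
    profile = VpnProfile(frozenset({"com.contoso.fieldapp"}), frozenset({"Field-Workers"}))
    req = Request("com.contoso.fieldapp", frozenset({"Field-Workers"}), True, "10.20.5.7")
    print(route(profile, req))  # tunnel
```

Note that an unassigned user or an out-of-scope app is never "blocked": it simply never gets the tunnel, which is what makes per-app VPN invisible to the rest of the device.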
When Tunnel is right
- Mobile users needing on-prem resources — internal websites, legacy line-of-business apps, file shares.
- Field workers with corporate-owned mobile devices.
- BYOD users with MAM needing controlled access without full device enrolment.
- Hybrid-cloud scenarios during migration when on-prem resources still exist.
When Tunnel isn't right
- Cloud-native deployments — apps in Azure / AWS / GCP with no on-prem dependency don't need a VPN.
- Persistent VPN scenarios — Tunnel is per-app and per-session; for always-on VPN, look at Entra Private Access or traditional VPN.
- Linux mobile — not supported (it's iOS, Android, Windows for now).
- Non-Intune-managed devices — Tunnel requires Intune as the management surface.
Relationship to Entra Private Access
Entra Private Access (part of Global Secure Access) overlaps with Tunnel — both publish private apps to remote users. The difference:
- Tunnel — Intune-managed mobile devices, classic VPN model.
- Entra Private Access — any device, any platform, identity-aware modern model.
For Microsoft 365 customers building toward zero-trust networking, Entra Private Access is the strategic direction. Tunnel remains useful for tactical mobile-VPN scenarios in the meantime.
Licensing
Microsoft Tunnel is part of the Intune Suite add-on or licensed standalone. Tunnel for MAM is licensed similarly but with MAM-specific pricing.
For Intune-managed mobile estates with significant on-prem dependencies, Tunnel is a clean way to bridge mobile-to-on-prem without legacy MDM-VPN tooling. For cloud-native estates, it's increasingly unnecessary.