The Azure API is used for every VPN connection, disabled or deleted users in Azure cannot connect. The groups mode can be used to also validate the user groups on each connection. The certificate is sufficient for authenticating the user to the VPN server. This design is required to maintain compatibility with all OpenVPN clients. There’s several multi-factor authentication options that will provide additional authentication for connections.