Forum Discussion
Radius Authentication with Microsoft NPS and Azure MFA not working
We have configured F5 with Microsoft NPS to leverage Microsoft Azure AD MFA. F5 is sending a Radius authentication request to the Microsoft NPS server. However, the NPS server returns an error. It looks like the NPS server with the Azure MFA extension is expecting a UPN value (john.smith@mydomain.com), but the radius attribute User-Name is sending the sAMAccount (or session.logon.last.username). Microsoft Azure AD MFA is expecting the UPN. I don't want to use the SAML based configuration.
Q: How do we extract / search for the UPN value and assign it to the radius attribute User-Name? I believe the UPN value can be extracted with an LDAP query, but how do we send the UPN value in the radius authentication request? Any suggestions or advice?
NPS server error:
Log Name: AuthZOptCh
Source: Microsoft-AzureMfa-AuthZ
Date: 4/15/2021 5:06:35 PM
Event ID: 1
Task Category: None
Level: Information
Keywords:
User: NETWORK SERVICE
Computer: 123server.mydomain.com
Description:
NPS Extension for Azure MFA: CID: f6d91669-8579-4da0-8968-dfa4ea5ef928 : Request Discard for user Smith, John with Azure MFA response: InvalidParameter and message: UserPrincipalName must be in a valid format.,,,23090ad2-da92-4800-ae4c-8b59182f5fb7
F5 Radius tcpdump shows the following Radius authentication request with the sAMAccount (or session.logon.last.username) in the User-Name attribute:
RADIUS Protocol
Code: Access-Request (1)
Packet identifier: 0xab (171)
Length: 74
Authenticator: abd00d0218bc6541842a401dcfb64d52
Attribute Value Pairs
AVP: l=10 t=User-Name(1): johnsmith01
User-Name: johnsmith01
AVP: l=18 t=User-Password(2): Decrypted: Ajitkaur02@
User-Password: xxxxxxxxx
AVP: l=6 t=Service-Type(6): Authenticate-Only(8)
Service-Type: Authenticate-Only (8)
AVP: l=14 t=Tunnel-Client-Endpoint(66): 65.60.150.62
Tunnel-Client-Endpoint: 65.60.150.62
AVP: l=6 t=NAS-Port(5): 0
NAS-Port: 0
Which version are you on? I can see this feature from 13.x and onwards.
By default APM uses the session.logon.last.username variable for the username. See if you can set a custom APM variable for it and change it to the UPN variable you get after the LDAP query.
- spalande (Nacreous)
Yes, you would need to perform the LDAP query first and get the UPN. You can then use that UPN session variable in the radius auth item in VPE.
- Raghbir_Sandhu (Altocumulus)
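To make concrete what the two replies above recommend, here is an added Python example that is not part of this thread and not F5 or Microsoft code. It stands in for the APM side with a constructed sAMAccountName-to-userPrincipalName table (on a real BIG-IP the LDAP Query agent does that lookup and a Variable Assign would put the result into the username variable the RADIUS Auth item reads), and then it builds and parses the RADIUS Access-Request the way the tcpdump above shows it, so you can see the User-Name AVP now carry the UPN instead of the sAMAccountName. The shared secret, password and packet identifier are constructed values; the User-Password hiding is the RFC 2865 section 5.2 scheme, implemented here for illustration. One design point worth copying: if the lookup finds no UPN, refuse the request rather than silently falling back to the sAMAccountName, which is exactly the "UserPrincipalName must be in a valid format" discard the NPS log shows.

```python
import hashlib
import os
import struct

# Constructed sample standing in for the LDAP lookup the replies describe:
# search (sAMAccountName=<login>) and read userPrincipalName. Not real data.
SAMPLE_DIRECTORY = {
    "johnsmith01": "john.smith@mydomain.com",
}

ACCESS_REQUEST = 1                                  # RADIUS Code
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6    # attribute types (RFC 2865)
AUTHENTICATE_ONLY = 8                               # Service-Type seen in the capture


def lookup_upn(login, directory=SAMPLE_DIRECTORY):
    """Return the UPN for a sAMAccountName, or None if the user is unknown."""
    return directory.get(login)


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: NUL-pad to a multiple of 16 bytes, then
    XOR each block with MD5(secret + previous ciphertext block), seeded with the
    Request Authenticator. This is obfuscation against casual capture, not encryption."""
    clear = password.encode()
    clear += b"\x00" * (-len(clear) % 16)
    if not clear:
        clear = b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(clear), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(clear[i:i + 16], key))
        hidden += prev
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password (what NPS does before evaluating the
    request); padding NULs are stripped."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return clear.rstrip(b"\x00").decode()


def avp(attr_type, value):
    """Type-Length-Value attribute; Length counts the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(user_name, password, secret, identifier, authenticator=None):
    """Access-Request whose User-Name is exactly `user_name` (here, the UPN)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (avp(USER_NAME, user_name.encode())
             + avp(USER_PASSWORD, hide_password(password, secret, authenticator))
             + avp(SERVICE_TYPE, struct.pack("!I", AUTHENTICATE_ONLY)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def describe_request(packet, secret):
    """Parse a packet back into the fields an NPS operator would check in a capture."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 3 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {
        "identifier": identifier,
        "length": length,
        "user_name": attrs[USER_NAME].decode(),
        "password": reveal_password(attrs[USER_PASSWORD], secret, authenticator),
        "service_type": struct.unpack("!I", attrs[SERVICE_TYPE])[0],
    }


def access_request_for_azure_mfa(login, password, secret, identifier=0xAB):
    """Resolve the login to its UPN first and refuse to send anything else as
    User-Name: a sAMAccountName is discarded by the Azure MFA NPS extension with
    'UserPrincipalName must be in a valid format'."""
    upn = lookup_upn(login)
    if upn is None:
        raise LookupError("no userPrincipalName for %r; refusing to fall back" % login)
    return build_access_request(upn, password, secret, identifier)


if __name__ == "__main__":
    pkt = access_request_for_azure_mfa("johnsmith01", "examplepass", b"sharedsecret")
    print(describe_request(pkt, b"sharedsecret"))
```

Running it prints the parsed request with `user_name` set to `john.smith@mydomain.com`, which is the value the NPS extension needs to see; the sAMAccountName `johnsmith01` no longer appears on the wire. On the BIG-IP the equivalent check is the tcpdump from the question: after the LDAP Query and variable change, the `User-Name(1)` AVP should show the UPN.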
Sanjay, thanks for the reply. How do I get the username source and password source attributes in my radius AAA in VPE? How do I add the two attributes?
- spalande (Nacreous)
When you select the radius auth action in the access policy, those variables are added by default. You can read more below.
- Raghbir_Sandhu (Altocumulus)
Sanjay, I don't see the additional two attributes. See the attached screenshot.