Technical Articles
F5 SMEs share good practice.
Showing results for 
Search instead for 
Did you mean: 
F5 Employee
F5 Employee

One of the most interesting parts of my job is answering questions.  Mind you, these questions aren’t the usual meaningless ones like, “Hey Greg, is a Roth IRA right for me?” or “What’s the meaning of life?”.  Oh no, no , no; we’re talking the real heavy ones like, “How can I use the BIG-IP to connect my Azure and AWS environments together?” and “What’s this thing called Azure Stack and why do I care?”.

“Why is this so interesting to me?”, you may ask. 

Well, for starters, thanks for asking.  I like questions like these because they provide insight into how our enterprise customers make use of F5 products and technology in general.  Even more so, they give me a great reason to play in the lab.  However, probably the biggest reason I like BIG-IP questions is that is gives me an excuse for a new blog series.  So, welcome to the first entry in a series I like to call  “How I Did It”.

Throughout this series we’ll take a customer request/challenge and implement a solution using our hybrid demonstration lab,  Now, let me reiterate, the series is entitled, “How I Did it”.  No doubt, there’s more than one way to get to a working solution. This is merely, well…how I did it.

Integrating Azure MFA with the BIG-IP Access Policy Manager


Here’s our question.  “Can you integrate Azure MFA with a F5 Access Policy Manger, (APM) access policy?”  The short answer is yes.  The long answer is yes.  Don’t let the illustration below fool you; it’s actually a relatively simple process to enhance your access security with Azure MFA, (multi-factor authentication).  Azure MFA extends authentication by requiring users to authenticate via a mobile app, automated phone call, or text message.  For example, (see below), with our implementation:



    1.  The user provides their credentials to the Azure-hosted BIG-IP w/APM and is pre-authenticated to Active Directory;

    2.  Upon successful AD validation, the BIG-IP will callout to Azure MFA server farm VIP, (published via on-premises BIG-IP Radius virtual server and connected to via IPsec tunnel);

    3.  The on-premises MFA server calls out to the Azure MFA service which performs multi-factor authentication utilizing one of the aforementioned methods.  The response is sent back to the Azure MFA server;

    4.  The authentication status is returned to the APM service; and if successful

    5.  The user is granted access to the backend Azure resource, (web application in this instance).

    Making it Work

    We’ll use the remainder of this post to walkthrough modifications to a basic APM access policy enabling Azure MFA integration.  The environment I am working with is illustrated above.  Since I’m retrofitting MFA into my existing environment, the BIG-IP is currently configured with an APM access profile and associated policy.  For information on configuring Access Policy Manager checkout  Additionally, I have already subscribed to Azure MFA account and deployed my Azure MFA servers.  You can refer to Microsoft’s documentation for information on setting up an Azure MFA subscription.  Oh…, one more thing; I’m using an Azure-hosted BIG-IP with  TMOS ver. 12.0.x.  So with that out of the way let’s do this.

    Create Radius AAA Server Object

    1.  From the management GUI, I select Access Policy | AAA Servers | ‘+’ next to RADIUS to create a new Radius AAA server object.  This object will be referenced in my APM access policy.



    2. I provide the required connectivity information, (shown at right).  This information needs to match the Azure MFA server settings, (see below).  I am using a BIG-IP virtual to publish my MFA server farm and will enter the virtual server’s address. 

    You’ll notice for added security, I am restricting access to the MFA server to a single client.  The address entered corresponds to the on-premises BIG-IP’s internal facing IP address.




    Edit the Current Access Policy

    1.  From the management GUI, I select Access Policy | Access Profiles | Edit on Access Policy to open the virtual policy editor.



    2.  The current access policy is shown at right.  As you can see, the policy is relatively basic.  The user is presented with a Logon Page and provides his/her credentials.  The credentials are then used to authenticate the user with Active Directory.




    3.  Integrating Azure MFA into the policy is simply a matter of adding in a Radius authentication object into the access policy flow. I select  ‘+’ to the right of the AD Auth object | From the item menu I select the Authentication tab | I select the Radius Auth radial button | Add Item




    4.  I provide a name for the auth object and select the previously created Radius AAA server object | I select Save to add the new object into the access flow.





    Voila!  I’ve added Azure MFA to our application’s APM access policy.  Now, the user is:

    1. Presented with a Logon Page and provides his/her credentials

    2. The credentials are then used to authenticate the user with Active Directory.

    3. The provided credentials are passed to the Azure MFA server which in-turn connects to the Azure MFA service, (via HTTPS).  The Azure MFA service performs multi-factor authentication and passes the result back to the Azure MFA server.   



    Azure MFA and the BIG-IP in Action

    Ok.. so that’s it.  Pretty easy huh?  So how does this work from a user’s perspective.  Well, let’s take a look.  Here is a link to a video showing the user-logon experience. 

    The APM policy, (see right) has been slightly enhanced from the above configuration.  The user now has the option of utilizing a client certificate or Azure MFA for the second factor authentication method.  Pretty Cool!




    Additional Links:

    Azure Multi-Factor Authentication Documentation

    F5 BIG-IP Access Policy Manager Resources and Support

    The BIG-IP Platform and Microsoft Azure





    Great article!


    Quick question, what if i want APM to make a decision on what to use? Call or text ? etc. ??



    Where in this process does the user interact with Azure MFA options? They'll need to enter characters in some way - Is this in the step just after the multifactor auth box? User chooses azure mfa and they're then presented with a web page?


    The youtube link is bad.



    Hi, We are trying to implement Azure MFA for Citrix using F5 APM, we are using APM Dynamic webtop for citrix XML broker, per document link below. My question: Is the configuration (Radius Authentication for Azure MFA) supported for Citrix receiver and ios or just web clients? How are you using your setup, can you please elaborate?


    Reference: Thank you!



    I believe this is the correct YouTube video




    Hi all. Any thoughts as to how we can configure a health monitor or similar to ensure new requests aren't sent to an MFA server that's not processing properly? For example, the server is up and accessible, but it cannot reach the MFA service.



    Is that possible for APM to interact with the default Method authentication selected by the user in the Azure Portal. Let the user choose his authentication method: Phone, SMS, or Mobile App from an option in the logon page ?



    Hi all, Can someone help to show me the way to enable MFA button and get OTP message like the video?



    HI all,


    Can you enable MS MFA by each application? e.g. if I can add SAP servers/systems for enabling MFA for finance users, and for the same users they won't be asked for 2nd factor authentication when they access to internal training system.


    Currently our setup is putting every applications behind of VPN and put MFA in the front of VPN, but what we want to do is enable MFA by each application.


    is it capable with MS MFA? looks like it doesn't have very granular control - e.g. Azure AD doesn't support AD groups.


    i'm not a technical person and i'm not sure if I explained it well enough.


    • The video link is not longer working
    • How do users configure their mobile number and MFA method?

    I want to use Microsoft RADIUS as per


    Is PAP supported, I can't see this referenced above? "PAP supports all the authentication methods of Azure MFA in the cloud: phone call, one-way text message, mobile app notification, and mobile app verification code."



    Dear Greg


    i have read your article. its gr8. but can u please also post all APM policy in details. and if u can also upload the video how to configure the MFA Server on premises for authentication



    Hi Greg,


    Nice post, thanks.


    Have you had a chance to configure the View iApp against the Windows Server 2016 Network Policy and Access Services server role and the Azure MFA NPS extension? I'd love to see a post on that.






    Thanks for this article! this talks about integrating Azure MFA "Server" is there a similar effort done to integrate Azure MFA Service with f5.





    Hi Greg,


    Can I use F5 VIP as direct option ?


    Ex : F5 VIP configured on Port 1812 and it is load balancing two mfa servers on port 1812.


    F5 Employee
    F5 Employee

    *Updated Video Link =


    Great post Greg!

    tthere a way to show the user that the Mfa is progressing other than the Web page going to a quasi loading state (MS gives an indication that the sign on is waiting for the MFA to complete on their properties,) assuming that there may be a way to do this at the radius request stage.

    As always, you can explain the intricacies of the APM with elegance in a succinct way! Great post!

    Version history
    Last update:
    ‎22-Apr-2016 10:51
    Updated by: