Hi team, has anyone tested Microsoft Authenticator with F5 APM for 2FA?
Lot of articles are there for google Authenticator, but none for Microsoft Authenticator, pls let me know or point me in right direction if anyone has ever tested it??
Can I use Microsoft Authenticator (SmartPhone MS-Authenticator-APP) with a kind of Challenge Response. Because I will not ask for the Token within my APM-Logon-Page. User should only do "accept the Authentication with the MS-Authenticator APP".
I have the same requirement, using AzureMFA (Challenge Response) with APM.
One solution that works is to use MS NPS Server with AzureMFA Plugin. You can authenticate with AD / Kerberos / LDAP to your local domain on APM and then request MFA with username (password can be empty) via Radius to the NPS.
I'm unhappy with that solution cause I can't provide any feedback to the user. As soon as I trigger the Radius Request in APM, the page waits in "Loading" state. A solution with better user experience would be nice.
Now I have the Solution with Microsoft NPS implemented and it works with the Microsoft Authenticator APP. It's important to setup the right options in Azure for the users to use the Authenticator APP. You can configure inside the azure-user-accounts how the requests from the OnPremis-NPS (Radius) will be handled. So you can use "enable", "disable" and "restrict". And the user have to configure his own Microsoft Authenticator APP during the initial installation and setup process. The user sccount in active directory (OnPrem) have to setup for remote access and the NPS-options (setting inside the AD-user-account). Your F5-APM-Policy should have a Radius-Auth after the AD-Auth. The Radius-Auth connects the OnPrem-Radius (NPS). And on the NPS your have to configure a Policy for the F5-Access as a radius-client (don't forget to configure a NAS-ID, e.g.) and a Policy for the radius-flow.
I use https://docs.microsoft.com/de-de/azure/active-directory/authentication/ for MFA-Setup in Azure.
You could setup your BIG-IP as an IDP for microsoft Azure. And as an SP for the App. Create the application plus authentication (Azure MFA with SAML, BIG-IP is the IdP for the Azure authentication, Azure will handle the 2nd factor via the app).
Once you have that up and running point your SP to the Azure IdP.
I think the Horizon client does support SAML, have a look at this example. So I think that with the BIG-IPO being both IdP and SP (global context) you should be able to perform SSO and use MS authenticator.
