I have integrated my BIG-IP APM to Azure AD using Service Provider SAML and it seems it is working well, but when user logout/disconnected to VPN and reconnect back, it is no longer asking for the MS Authenticator PIN.
Is there a way to destroy the authentication session on the Azure AD on our APM?
I used to do this with an LB_DETACH in an iRule against my LDAP servers. Not sure it would work here. You have APM logs from these sessions? Try a logout on a test VIP, identical to this one (standby units are great for this sort of thing, btw, so as to not interrupt prod traffic), jack up the logging on it and see what it tells you about your individual logout.
I have managed to make it to work using a force authentication (Enabled). The challenge here is that users keeps on entering the username and password + MS Authenticator PIN every time user login to VPN.
Is there a way, that I can set the Force Authentication as Use AAA Server Settings (which is a single sign on) but will still prompt for MS Authenticator?
Maybe try playing with microsoft conditional access and MFA as Azure AD is selecting when to again ask users for MFA. Maybe if this "Allow users to remember multi-factor authentication on devices" is dissabled: