Integrate Microsoft Authenticator app in BIG-IP APM

Yesh1923
Nimbostratus

Hi,

I have an F5 SSL VPN with AD authentication, but I need to include Microsoft authentication (Azure MFA app) in the same SSL VPN.

Can anyone guide me to complete this setup in F5?

7 REPLIES

DenisG
F5 Employee

Would this article help? It is a little bit older, but the concepts are likely the same - How I did It - “Integrating Azure MFA with the BIG... - DevCentral (f5.com)

Hi DenisG,

Thanks for your response, but the MSFT MFA auth server is deprecated; it has moved to the cloud. How do I deploy the setup below with the Azure MFA mobile app for authentication?

Start -> Logon page -> AD Auth -> Successful -> Azure MFA -> Advanced resource assign -> Allow / Deny

boneyard
MVP

You should be able to do it with SAML and have Azure conditional access trigger the Authenticator app. In any case, you need things set up in Azure AD, so you might want to drop the regular AD. If you don't have Azure AD, the Authenticator app is a no-go, I believe.

https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-per-request-policies/impleme...

Hi boneyard,

Appreciate your response, but my requirement is this: I need to connect to my F5 SSL VPN once AD has authenticated, and then Azure MFA needs to prompt the Azure Authenticator app to connect my access.

Are there any links on how to configure the flow below?

Start -> Logon page -> AD Auth -> Successful -> Azure MFA -> Advanced resource assign -> Allow / Deny

No, I don't believe you are going to get what you want exactly. With my route you would do AD authentication, then do Azure AD authentication and then get the Authenticator app prompt.

With Google authenticator you are able to do something like you describe:

https://loadbalancing.se/2016/07/09/setting-up-apm-with-google-authenticator/

Microsoft Authenticator doesn't work standalone like that, it seems; it is tied to Azure AD.

Or you must be able to show how to trigger Microsoft Authenticator without going through the Azure AD Enterprise app or that RADIUS solution.

Then it becomes a Microsoft Authenticator question first, and we can look at how BIG-IP can hook into that.

Hi boneyard,

I am using the Azure AD Enterprise app. I am able to authenticate with AD, then it moves to the next screen, the Microsoft AD login page for AD authentication because of SAML, and then it asks for approval in the Microsoft Authenticator app.

My requirement is that I want to remove the second authentication (the MSFT login screen) and use only the MSFT Authenticator app to connect to my F5 SSL VPN.

Can you guide me on how to remove the Microsoft login screen? I want to use only the MSFT Authenticator secure code to move to the next screen and connect to my F5 VPN.

I don't believe that is going to happen; Microsoft Authenticator is tied to your Azure AD account. So you have to identify yourself there.

It would probably be wiser to ask on the Microsoft forum; they can give a 100% sure answer.