Azure Multi-Factor Authentication



Multi-Factor Authentication (MFA) is a method of authentication that requires the use of more than one verification method and adds a critical second layer of security to user sign-ins and transactions. It works by requiring any two or more of the following verification methods:

  • Something you know (typically a password)
  • Something you have (a trusted device that is not easily duplicated, like a phone)
  • Something you are (biometrics)

Azure MFA is a method of verifying who you are that requires the use of more than just a username and password. It provides a second layer of security to user sign-ins and transactions.

Azure MFA helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication with a range of easy verification options – phone call, text message or mobile app notification – allowing users to choose the method they prefer.

Azure MFA is an easy to use, scalable and reliable solution that provides a second method of authentication so your users are always protected.

The security of multi-factor authentication lies in its layered approach. Combining multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user’s password, it is useless without also having possession of the trusted device. Should the user lose the device, the person who finds it will not be able to use it unless they also know the user’s password.

1.1 Document Purpose

This document provides step-by-step instructions on how to configure Azure, the MFA server and the KEMP LoadMaster in order to provide multi-factor authentication.

This document uses an Exchange environment as an example scenario.

1.2 Intended Audience

This document is intended to be used by anyone interested in finding out more about using Azure MFA with the KEMP LoadMaster.

2 Configure Azure Multi-Factor Authentication

Follow the steps in the sections below to configure Azure multi-factor authentication and the KEMP LoadMaster.

2.1 Create a Multi-Factor Authentication Provider in Azure

Follow the steps below to create a new multi-factor authentication provider in Azure:

  1. Log in to the Azure portal (classic).

Figure 2‑1: QUICK CREATE

  2. Select NEW.
  3. Select QUICK CREATE.

Figure 2‑2: CREATE

  4. Enter a NAME for the authentication provider.
  5. Select the USAGE MODEL.
  6. Leave DIRECTORY as the default value.
  7. Click CREATE.


  8. Once created, select your multi-factor authentication provider and click MANAGE.
  9. Select CONFIGURE on the left.

Figure 2‑4: Configure Settings

  10. Various options can be configured on this screen, such as:

    • The phone number you would like to display when a phone call is used as the second factor
    • Timeout settings
    • Enable/disable features

Figure 2‑5: Server

  11. Click Server underneath the DOWNLOADS section on the left.
  12. Download the Multi-Factor Authentication Server, which will be run in your on-premises data center.

Do not click Generate Activation Credentials until you have installed the server on premises and are ready to activate the install. The Activation Credentials are valid for only 10 minutes; after that you must generate new credentials.

2.2 Install the Multi-Factor Authentication Server on Premises

The MFA server must be a member of the on-premises Active Directory domain. After downloading the MFA server, install it on premises. When prompted, generate the Activation Credentials and enter them in the provided field.

Follow the steps below:

  1. Launch the Multi-Factor Authentication Server console.
  2. Select Users.
  3. Click Import from Active Directory.

Figure 2‑6: Import

  4. Navigate to the Active Directory Organizational Unit you want to import and click Import.

Figure 2‑7: Edit User

  5. Once imported, you can select a user to set authentication methods and other per-user settings.

2.3 Add the LoadMaster as a RADIUS Client

Follow the steps below to add the LoadMaster as a RADIUS client:

  1. Select RADIUS Authentication within the Azure Multi-Factor Server.

Figure 2‑8: RADIUS Authentication

  2. Select the Enable RADIUS authentication check box.
  3. Click Add.

Figure 2‑9: Add RADIUS Client

  4. Enter the IP address of the LoadMaster in the IP address text box.
  5. Enter an Application name.
  6. Enter a new Shared secret password and confirm it in the text boxes provided.
  7. Select the Require Multi-Factor Authentication user match check box.

2.4 Configure the LoadMaster

Follow the steps in the sub-sections below to configure the LoadMaster.

2.4.1 Increase the L7 Authentication Timeout

The L7 Authentication Timeout should be increased in order to provide enough time for the following actions to occur:

  • The user enters their credentials
  • Azure MFA communicates with the service in the cloud
  • The service in the cloud sends the authentication to the user’s phone (via app or phone call)

To increase the L7 Authentication Timeout, follow the steps below:

  1. In the main menu of the LoadMaster WUI, go to System Configuration > Miscellaneous Options > L7 Configuration.

Figure 2‑10: L7 Authentication Timeout

  2. Enter the L7 Authentication Timeout and click Set Timeout.

KEMP recommends 300 seconds but this can be adjusted as needed to meet requirements.

2.4.2 Create a New SSO Domain

Follow the steps below to create a new SSO domain:

  1. In the main menu of the LoadMaster WUI, go to Virtual Services > Manage SSO.

Figure 2‑11: Add new Client Side Configuration

  2. Enter a name in the Add new Client Side Configuration text box and click Add.

Figure 2‑12: Configure the domain

  3. Select RADIUS as the Authentication Protocol.
  4. Enter the IP address of the MFA Server in the RADIUS server(s) text box and click Set RADIUS Server(s). Multiple addresses can be entered in this text box, if required.
  5. Enter the RADIUS Shared Secret, which was created in the MFA configuration earlier, and click Set Shared Secret.
  6. Enter the Domain/Realm and click Set Domain/Realm Name.
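Sections 2.3 and 2.4.2 configure the two ends of one RADIUS relationship (the LoadMaster as client, the MFA server as server) sharing a single secret, and section 2.4.1 sizes the timeout that relationship needs. The following Python script is an added example, not KEMP's or Microsoft's code, showing what that shared secret does on the wire under RFC 2865: it obscures the User-Password inside the Access-Request and it authenticates the server's reply, so a secret that differs between the two sides shows up either as a rejected first factor or as a reply whose Response Authenticator does not verify. The secret, user names, NAS IP and server IP are constructed values; simulate_mfa_server is a stand-in used only so the script can be exercised offline, and send_access_request is the optional path to a real listener.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes and the attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attribute(attr_type: int, value: bytes) -> bytes:
    """Type (1 byte), Length (1 byte, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    """Walk the attribute list, rejecting truncated or zero-length entries."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute list")
        attrs[data[pos]] = data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]
    return attrs


def _password_xor(blocks: bytes, secret: bytes, request_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block);
    the Request Authenticator seeds the first block."""
    out, prev = b"", request_auth
    for i in range(0, len(blocks), 16):
        chunk = blocks[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(chunk, pad))
        out += result
        prev = chunk if decrypt else result
    return out


def encrypt_password(password: str, secret: bytes, request_auth: bytes) -> bytes:
    plain = password.encode()
    if len(plain) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padding = 16 if not plain else -len(plain) % 16  # an empty password still fills one block
    return _password_xor(plain + b"\x00" * padding, secret, request_auth, decrypt=False)


def decrypt_password(cipher: bytes, secret: bytes, request_auth: bytes) -> str:
    if not cipher or len(cipher) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    plain = _password_xor(cipher, secret, request_auth, decrypt=True)
    return plain.rstrip(b"\x00").decode(errors="replace")


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         nas_ip: str, request_auth: bytes = None) -> bytes:
    """Access-Request as a RADIUS client such as the LoadMaster sends it: a fresh 16-byte
    Request Authenticator, User-Name, the obscured User-Password and the client's NAS-IP-Address."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attribute(ATTR_USER_NAME, username.encode())
             + _attribute(ATTR_USER_PASSWORD, encrypt_password(password, secret, request_auth))
             + _attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def check_response(response: bytes, request: bytes, secret: bytes) -> tuple:
    """Return (authentic, code). The reply is authentic only if its Response Authenticator equals
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), which a server holding a different
    shared secret, or a spoofed reply, cannot produce."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response) \
            or response[1] != request[1]:
        return False, 0
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20]), response[0]


def simulate_mfa_server(request: bytes, secret: bytes, users: dict) -> bytes:
    """Constructed stand-in for the MFA server's RADIUS listener, used only to exercise the client
    code offline: it checks the first factor against `users` and signs the reply with its own secret."""
    attrs = parse_attributes(request[20:])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = decrypt_password(attrs[ATTR_USER_PASSWORD], secret, request[4:20])
    code = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def send_access_request(server_ip: str, secret: bytes, username: str, password: str,
                        nas_ip: str, timeout: float = 300.0, port: int = 1812) -> tuple:
    """Send one Access-Request over UDP and validate the reply. The default timeout mirrors the
    300-second L7 Authentication Timeout recommended for the LoadMaster, because the MFA server
    only answers once the user has completed the phone call or app prompt."""
    request = build_access_request(os.urandom(1)[0], username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server_ip, port))
        response, _ = sock.recvfrom(4096)
    return check_response(response, request, secret)
```

Offline, `check_response(simulate_mfa_server(req, secret, users), req, secret)` returns `(True, ACCESS_ACCEPT)` for a matching first factor and `(False, …)` when the simulated server holds a different secret, which is the same symptom a mistyped Shared secret in section 2.3 or 2.4.2 produces. Against a real listener, `send_access_request` must be run from a host the MFA server lists as a RADIUS client, and with Require Multi-Factor Authentication user match enabled the reply for an imported user arrives only after the second factor completes, which is why the socket timeout is kept in step with the L7 Authentication Timeout. The MD5-based password obscuring offers only as much protection as the shared secret and the network path between LoadMaster and MFA server, so keep that path on a trusted segment.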

2.4.3 Configure the ESP Options in the SubVSs

Our example is based on using an Exchange environment. For this example scenario, the Edge Security Pack (ESP) Options for the OWA and Authentication Proxy SubVSs need to be configured. To do this, follow the steps below:

  1. In the main menu of the LoadMaster WUI, go to Virtual Services > View/Modify Services.
  2. Click Modify on the relevant Virtual Service.
  3. Expand the ESP Options section.

Figure 2‑13: ESP Options

  4. Select Form Based as the Client Authentication Mode.
  5. Select the SSO Domain that was created in the previous section.
  6. Configure any of the other settings as needed. You may want to configure a custom SSO Image Set to inform users that MFA will be required. For further information on doing this, please refer to the Custom Authentication Form, Technical Note.
  7. Repeat the steps above to configure the other SubVS.

For further information on configuring the LoadMaster to work with Exchange, refer to the relevant Exchange Deployment Guide. For further information on ESP, refer to the ESP, Feature Description.


Unless otherwise specified, the following documents can be found at

  • ESP, Feature Description
  • Custom Authentication Form, Technical Note

Document History

Date     | Change        | Reason for Change
Apr 2016 | Initial draft | First draft of document


