Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

Azure Multi-Factor Authentication

1 Introduction

Multi-Factor Authentication (MFA) is a method of authentication that requires the use of more than one verification method and adds a critical second layer of security to user sign-ins and transactions. It works by requiring any two or more of the following verification methods:

Something you know (typically a password)

Something you have (a trusted device that is not easily duplicated, like a phone)

Something you are (biometrics)

Azure MFA is a method of verifying who you are that requires the use of more than just a username and password. It provides a second layer of security to user sign-ins and transactions.

Azure MFA helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication with a range of easy verification options - phone call, text message or mobile app notification - allowing users to choose the method they prefer.

Azure MFA is an easy to use, scalable and reliable solution that provides a second method of authentication so your users are always protected.

The security of multi-factor authentication lies in its layered approach. Comprising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's password, it is useless without also having possession of the trusted device. Should the user lose the device, the person who finds it will not be able to use it unless they also know the user's password.

1.1 Document Purpose

This document provides step-by-step instructions on how to configure Azure, the MFA server and the Kemp LoadMaster in order to provide multi-factor authentication.

This document uses an Exchange environment as an example scenario.

1.2 Intended Audience

This document is intended to be used by anyone interested in finding out more about using Azure MFA with the Kemp LoadMaster.

1.3 Related Firmware Version

Published with LMOS version LTS. This document has not required substantial changes since LTS. However, the content is in sync with the latest LoadMaster LTS firmware.

2 Configure NPS Settings to Accept Requests from the LoadMaster

The Network Policy Server (NPS) extension for Azure Multi-Factor Authentication (MFA) adds cloud-based MFA capabilities to your authentication infrastructure using your existing servers. For more information, refer to the Integrate your existing NPS infrastructure with Azure Multi-Factor Authentication page.

You must create a RADIUS client so that the LoadMaster can authenticate. For more information, refer to the RADIUS Authentication and Authorization Technical Note.

3 Configure the LoadMaster

Follow the steps in the sub-sections below to configure the LoadMaster.

3.1 Increase the L7 Authentication Timeout

The L7 Authentication Timeout should be increased in order to provide enough time for the following actions to occur:

The user enters their credentials

Azure MFA communicates with the service in the cloud

The service in the cloud sends the authentication to the user's phone (by app or phone call)

To increase the L7 Authentication Timeout, follow the steps below:

1. In the main menu of the LoadMaster WUI, go to System Configuration > Miscellaneous Options > L7 Configuration.


2. Enter the L7 Authentication Timeout and click Set Timeout.

Kemp recommends 300 seconds but this can be adjusted as needed to meet requirements.

You can also adjust the SSO LDAP server timeout by following the steps below:

1. In the main menu of the LoadMaster WUI, go to Virtual Services > Manage SSO > Modify.


2. Configure the Public Session Timeout and click Set Idle Time.

3.2 Create a New SSO Domain

Follow the steps below to create a new SSO domain:

1. In the main menu of the LoadMaster WUI, go to Virtual Services > Manage SSO.

Create a New SSO Domain.png

2. Enter a name in the Add new Client Side Configuration text box and click Add.


3. Select RADIUS as the Authentication Protocol.

4. Enter the IP address of the MFA Server in the RADIUS server(s) text box and click Set RADIUS Server(s). Multiple addresses can be entered in this text box, if required.

5. Enter the RADIUS Shared Secret, which was created in the MFA configuration earlier, and click Set Shared Secret.

6. Enter the Domain/Realm and click Set Domain/Realm Name.

3.3 Configure the ESP Options in the SubVSs

Our example is based on using an Exchange environment. For this example scenario, the Edge Security Pack (ESP) Options for the OWA and Authentication Proxy SubVSs need to be configured. To do this, follow the steps below:

1. In the main menu of the LoadMaster WUI, go to Virtual Services > View/Modify Services.

2. Click Modify on the relevant Virtual Service.

3. Expand the ESP Options section.

Configure the ESP Options.png

4. Select Form Based as the Client Authentication Mode.

5. Select the SSO Domain that was created in the previous section.

6. Configure any of the other settings as needed.
You may want to configure a custom SSO Image Set to inform users that MFA will be required. For further information on doing this, please refer to the Custom Authentication Form, Technical Note.

7. Repeat the steps above to configure the other SubVS.

For further information on configuring the LoadMaster to work with Exchange, refer to the relevant Exchange Deployment Guide. For further information on ESP, refer to the ESP, Feature Description.





Unless otherwise specified, the following documents can be found at

ESP, Feature Description
Custom Authentication Form, Technical Note

Last Updated Date

This document was last updated on 19 March 2021.



Wintel Operations

Is there a pre-designed image set for the above, or what can I add to the default image set to make this work ? as I currently don't get to the part where we can enter the received token, or does the above only work with the phone call option ?



Nick Smylie

Hi @wintel

I see you opened up a case the other day and Mark helped you out getting the custom image set. If you still need help with this please open up a support case with us so we can discuss further through there.




Microsoft is no longer allowing new clients to configure or download MFA server on premise. They are now offering an NPS extension for integration with Azure MFA in the cloud. Can you update your documentation accordingly?



Permanently deleted user

Hi @ggrawe,

Thank you for bringing this to our attention. This is correct as you've stated, Microsoft no longer supports the on premise download of MFA server.

We will update this document accordingly to reflect the integration of the NPS extension as the new workable solution.




hi kemp support,

is the new procedure ready so to integrate our KEMP with the cloud Azure MFA using the NPS extension for AzureMFA ?




Nick Smylie

Hi mohammad.badran,

Are you referring to this section here?

There are a few links there to help you set this up.




hi nick,

actually, i mean if we need to configure the KEMP with the cloud-based AzureMFA, the below Step :

4. Enter the IP address of the MFA Server in the RADIUS server(s) text box and click Set RADIUS Server(s). Multiple addresses can be entered in this text box, if required.

shall be pointing to the NPS Server with the AzureMFAExt and not the AzureMFA server which is now not supported product.



Nick Smylie

Yes it looks that way. Not much has changed on the LoadMaster side of things. As long as it's pointing to the correct MFA server then it should work just fine.