I have a requirement to add Azure MFA to ADFS (only externally). We have a number of on premises relying party trusts as well as some cloud SaaS offerings 365 etc. We use our Citrix NetScaler for reverse proxy so do not have ADFS WAP servers. We already have EMS E3 licenses with Azure AD and we have Azure MFA with on prem NPS servers We use ADFS on Windows Server 2016.
I have seen a few things online but nothing definitive. To enable Azure MFA for external access only it looks like you have to have ADFS WAP servers. But I was seeing if it would be possible to do this with an Application Proxy instead? If anyone has any knowledge on this / articles to share it would be appreciated.
Application proxy is not a direct replacement for WAP. I.e. Application Proxy will not help AD FS determine if a request for a token to a relying party is coming from the extranet.
But see https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-faq#are-third-party-proxies-supported-with-ad-fs- and https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/adfs-proxy-wsfed.html as it is possible to use Citrix ADC as a WAP replacement. I assume your Netscaler is Citrix ADC.