The MFA extension for NPS is the new way of integration if you dont want to host the MFA self-service onpremise.
NPS is Windows component works as a radius for integration with 3rd party applications/appliances
I just come from integrating this to F5 VPN/Portal witch and not tested by F5 team (while i’m writing this) but it works similar like Citrix, Cisco, Juniper, etc.
The trics to make it working smooth is that you must connect the 3rd party device such as F5 in my case directly to the NPS BackEnd server where you install the MFA extension.
If you use the NPS Proxy and then forward the request to the Backend NPS, it will ask 3 times for authentication !
And keep in mind you just need to add radius authentication after the login page.
Here how F5 is configured : https://devcentral.f5.com/s/articles/heres-how-i-did-it-integrating-azure-mfa-with-the-big-ip-19634
For end user experience : https://www.youtube.com/watch?v=QbDxoLivJWQ