ssriswadpong
Staff
Article Id 213539
Description This article describes SSL VPN with Azure SAML authentication and multi-factor authentication (MFA).
Scope FortiGate, FortiClient
Solution

Azure Multi-factor authentication can be enabled for SSL VPN with SAML authentication. This is done by enabling multi-factor authentication on the Azure side.

No additional setting is required on the FortiGate. However, check that the authentication timeout for remote servers is long enough for the user to approve the MFA challenge.

The default is 5 seconds. It is recommended to raise it to 60 seconds with the commands below:

config system global
    set remoteauthtimeout 60
end


The MFA prompt appears after the credentials are entered, as shown in the screenshots below.

[Screenshot: VPNSAML2FA.png]

[Screenshot: VPNSAML2FA2.png]

However, if the SAML debug output still shows a timeout, as below:

2024-10-21 11:29:26 [2092:root:b03]Timeout for connection 0x7fb7455800.
2024-10-21 11:29:26 [2092:root:b03]Destroy sconn 0x7fb7455800, connSize=0. (root)
2024-10-21 11:29:26 [2092:root:b03]SSL state:warning close notify (81.1zz.1yy.1xx)
2024-10-21 11:29:35 [2093:root:b02]allocSSLConn:310 sconn 0x7fb67b2000 (0:root)

the timeout may not be caused by the FortiGate: it may be controlled by the SAML provider or by FortiClient timeout settings.

Make sure that the timeout settings in Azure and FortiClient are configured correctly.
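To triage output of this kind, the following Python script (an added example, not code from the article or from Fortinet) pairs each "Timeout for connection" line with the allocSSLConn line for the same sconn handle and reports how long the FortiGate waited before giving up. The line shape is taken from the debug output above; the alloc line for the timed-out handle, the second connection pair and the verdict heuristic are this example's own assumptions.

```python
import re
from datetime import datetime

# Line shape copied from the article's SAML debug output; the lines marked
# "constructed" are added for this example so each timeout has a matching alloc.
SAMPLE_LOG = [
    "2024-10-21 11:29:21 [2092:root:b03]allocSSLConn:310 sconn 0x7fb7455800 (0:root)",  # constructed
    "2024-10-21 11:29:26 [2092:root:b03]Timeout for connection 0x7fb7455800.",
    "2024-10-21 11:29:26 [2092:root:b03]Destroy sconn 0x7fb7455800, connSize=0. (root)",
    "2024-10-21 11:29:26 [2092:root:b03]SSL state:warning close notify (81.1zz.1yy.1xx)",
    "2024-10-21 11:29:35 [2093:root:b02]allocSSLConn:310 sconn 0x7fb67b2000 (0:root)",
    "2024-10-21 11:30:00 [2093:root:b02]allocSSLConn:310 sconn 0x7fb7aaa000 (0:root)",  # constructed
    "2024-10-21 11:31:00 [2093:root:b02]Timeout for connection 0x7fb7aaa000.",  # constructed
]
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
                     r"\[(?P<pid>\d+):(?P<vdom>[^:\]]+):(?P<tid>[^\]]+)\](?P<msg>.*)$")
HANDLE_RE = re.compile(r"0x[0-9a-f]+")
REMOTEAUTH_DEFAULT = 5  # default remoteauthtimeout in seconds, per the article

def parse(line):
    # Split one debug line into timestamp, message text and the sconn handle it names.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    handle = HANDLE_RE.search(m["msg"])
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "msg": m["msg"], "handle": handle.group(0) if handle else None}

def classify(elapsed, configured):
    # Heuristic reading of the elapsed time; this is the example's assumption, not vendor guidance.
    if elapsed is None:
        return "no allocSSLConn seen for this handle"
    if abs(elapsed - REMOTEAUTH_DEFAULT) <= 1 and configured > REMOTEAUTH_DEFAULT:
        return "matches the 5 s default: remoteauthtimeout change not in effect"
    if elapsed >= configured - 1:
        return "remoteauthtimeout reached: MFA not completed within the FortiGate window"
    return "ended before remoteauthtimeout: check Azure and FortiClient timeouts"

def find_saml_timeouts(lines, configured_timeout=REMOTEAUTH_DEFAULT):
    # Pair each "Timeout for connection" with its allocSSLConn; return (handle, seconds, verdict).
    alloc, results = {}, []
    for ev in filter(None, map(parse, lines)):
        if ev["handle"] is None:
            continue
        if "allocSSLConn" in ev["msg"]:
            alloc[ev["handle"]] = ev["ts"]
        elif ev["msg"].startswith("Timeout for connection"):
            start = alloc.get(ev["handle"])
            elapsed = (ev["ts"] - start).total_seconds() if start else None
            results.append((ev["handle"], elapsed, classify(elapsed, configured_timeout)))
    return results
```

Run `find_saml_timeouts(SAMPLE_LOG, configured_timeout=60)` after applying the 60-second setting: a 5-second gap on the sample handle indicates the old default is still in effect, while a gap far below the configured value points at the identity provider or client side.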


Links to configure MFA for SSL VPN with Azure SAML authentication:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa