@jeffsmith82 It requires nothing special. You just setup Mobile IPsec in pfSense pr. Any available guide - with authentication using Radius.
On the Radius you install the Azure MFA plugin and register that for MFA authentication in the wanted Azure AD tennant. The two things work completely independant of each other - the trick is that Radius will only complete the authencation when the user has approved in their authenticator app.
The only “non-standard” setup in pfSense is that you will need to configure the Mobile Radius auth part with a long timeout as it usually takes a little while for users to get the notification and login/approve on their phone.