Azure AD Connect integration with on-premises AD

Dennis Richard 1 Reputation point
2022-12-18T13:07:22.97+00:00

Greetings! I'm a newbie investigating the Azure AD Connect solution for my company. There are so many components that need to be so precisely configured that I have gone down several rabbit holes; now I'm struggling to put everything together and understand what I'm doing wrong. I appreciate any help in advance!

Brief background: I'm trying out the AWS Client VPN with an AWS AD Connector for authentication. The AD Connector is enabled with RADIUS MFA pointing to an NPS role installed on one of our domain controllers. Another DC has Azure AD Connect installed and is syncing a sample set of users to Azure AD (the users have a trial P1 license assigned).

Configuration overview:

NPS server:

  • Registered in Active Directory
  • RADIUS clients for the AWS AD Connector
  • Remote RADIUS server: the same DC that NPS is installed on
  • A connection request policy with a 'permit during all dates and times' condition
  • A network policy with an IPv4 condition for my AWS AD Connector (processing order set to 1)

NPS extension:

  • Downloaded from here
  • Configured with the Azure AD tenant ID

Azure AD Connect settings on a different on-prem DC:

  • UPN: mail
  • Directory extension attribute sync: Enabled (sAMAccountName)
  • Password hash sync: Enabled
  • Password writeback: Enabled

Azure AD console:

  • My sample users have been assigned a trial P1 license and given permission to self-service password reset
  • MFA has been enforced via the Microsoft Authenticator app. MFA was tested on one of these users by trying a password reset

Please do consider that if some of these settings seem unnecessary or abnormal, it's because of my several attempts to troubleshoot with some trial and error on my setup.

Issues:

I'm now unsuccessfully testing my AWS Client VPN with the AWS AD Connector MFA pointing to my NPS server coupled with the NPS extension. At one point the event logs were throwing the error "NPS Extension for Azure MFA: NPS AuthN extension bypassed for User testsync with response state AccessReject". I installed and ran MFA_NPS_Troubleshooter.ps1 with the following results:
[Screenshot: 271843-aadconnecthealthcheckfail.png]
After some research I changed the value of the registry key HKLM\SOFTWARE\Microsoft\AzureMfa\AZURE_MFA_HOSTNAME from "strongauthenticationservice.auth.microsoft.com" to "adnotifications.windowsazure.com" (I'm not sure if this is ideal, though). When I ran the troubleshooter again, I got the following result:
[Screenshot: 271793-aadconnecthealthcheckpass.png]

After the above change, the errors in the event logs are now slightly different: "NPS Extension for Azure MFA: CID: ad1ad05f-2198-4404-8a5e-bc7437c4388b : Access Rejected for user testsync with Azure MFA response: InvalidParameter and message: UserPrincipalName must be in a valid format". I'm assuming this is because there is a mismatch between the on-prem and Azure AD UPNs. I hoped to fix this by changing the registry item HKLM\SOFTWARE\Microsoft\AzureMfa\LDAP_ALTERNATE_LOGINID_ATTRIBUTE to the value 'sAMAccountName', but no luck. And now I've come to a dead end.

I noticed another weird issue when I ran the NPS troubleshooter:
[Screenshot: 271816-weirderror.png]
I have double-checked to make sure said user is assigned the P1 license, yet I cannot account for the cause or meaning of this error:
[Screenshot: 271853-license.png]

I'm hoping to find some answers or guidance on how to move forward. Happy to provide more information if needed. Thanks!
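The "UserPrincipalName must be in a valid format" rejection quoted in the post comes down to which on-prem attribute the NPS extension reads for the user and what that attribute contains. The PowerShell below is an added diagnostic for exactly that question; it is not code from the original post, from Microsoft, or from MFA_NPS_Troubleshooter.ps1. It assumes (not confirmed by the post) that the extension resolves the RADIUS username to an AD account and sends the attribute named in LDAP_ALTERNATE_LOGINID_ATTRIBUTE when that registry value is set, otherwise the account's userPrincipalName; it also assumes it runs on the NPS server with the RSAT ActiveDirectory module, and that any DOMAIN\ or @realm decoration on the RADIUS username can be stripped to get a sAMAccountName. The parameter names and the Test-UpnCandidate helper are mine.

```powershell
<#
  Added diagnostic (not from the original post, Microsoft, or the MFA NPS troubleshooter).
  For the username that appears in the NPS "Access Rejected" event, show which AD
  attribute the NPS extension for Azure MFA would send as the UPN and whether that
  value is even UPN-shaped, before editing HKLM\SOFTWARE\Microsoft\AzureMfa again.

  Assumptions (mine):
    - The extension sends the attribute named in LDAP_ALTERNATE_LOGINID_ATTRIBUTE
      if that registry value is set, otherwise the account's userPrincipalName.
    - Run on the NPS server, as a domain user, with the RSAT ActiveDirectory module.
#>
param(
    [Parameter(Mandatory)]
    [string]$RadiusUserName,                 # e.g. 'testsync', as logged by the extension

    [string[]]$AzureVerifiedDomains = @(),   # optional, e.g. 'contoso.com'; empty = suffix not checked

    [string]$AadConnectUpnSource = 'mail'    # on-prem attribute Azure AD Connect uses as the cloud UPN (the post says: mail)
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Dump every value under the extension's registry key (no hard-coded value names).
$regPath = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$reg     = Get-ItemProperty -Path $regPath -ErrorAction Stop
Write-Host "Registry values under $regPath"
$reg.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |
    ForEach-Object { Write-Host ("  {0,-36} {1}" -f $_.Name, $_.Value) }

# 2. Reduce the RADIUS username to a sAMAccountName. Stripping DOMAIN\ or @realm
#    is an assumption about what the VPN / AD Connector hands to NPS.
$sam = $RadiusUserName
if ($sam.Contains('\'))     { $sam = $sam.Split('\')[-1] }
elseif ($sam.Contains('@')) { $sam = $sam.Split('@')[0] }

$altAttr = $reg.LDAP_ALTERNATE_LOGINID_ATTRIBUTE     # $null when the value does not exist
$props   = @('userPrincipalName', 'mail', 'sAMAccountName', $AadConnectUpnSource)
if ($altAttr) { $props += $altAttr }
$props   = $props | Select-Object -Unique

$user = Get-ADUser -Identity $sam -Properties $props -ErrorAction Stop

# 3. Work out what would be sent, under the assumption stated at the top.
if ($altAttr) {
    $source = "LDAP_ALTERNATE_LOGINID_ATTRIBUTE = $altAttr"
    $sentAs = $user.$altAttr
} else {
    $source = 'userPrincipalName (no alternate attribute configured)'
    $sentAs = $user.userPrincipalName
}

# 4. Check the candidate the way the service's "UserPrincipalName must be in a
#    valid format" rejection implies: it has to look like user@domain.tld, and
#    the suffix should be a domain Azure AD knows about.
function Test-UpnCandidate {
    param([string]$Value, [string[]]$Domains)
    if ([string]::IsNullOrWhiteSpace($Value)) { return 'FAIL: attribute is empty on this account' }
    if ($Value -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        return "FAIL: '$Value' is not user@domain.tld (a bare sAMAccountName never is)"
    }
    $suffix = $Value.Split('@')[1]
    if ($Domains.Count -gt 0 -and $Domains -notcontains $suffix) {
        return "WARN: suffix '$suffix' is not in the verified-domain list you supplied"
    }
    return 'OK: UPN-shaped'
}

$cloudUpnExpected = $user.$AadConnectUpnSource

Write-Host ''
Write-Host "Account             : $($user.DistinguishedName)"
Write-Host "On-prem UPN         : $($user.userPrincipalName)"
Write-Host "mail                : $($user.mail)"
Write-Host "Cloud UPN (from $AadConnectUpnSource): $cloudUpnExpected"
Write-Host "Value sent to MFA   : '$sentAs'  [source: $source]"
Write-Host "Format check        : $(Test-UpnCandidate -Value $sentAs -Domains $AzureVerifiedDomains)"
if ($sentAs -and $cloudUpnExpected -and $sentAs -ne $cloudUpnExpected) {
    Write-Host "Mismatch            : MFA will be asked about '$sentAs' but the synced cloud UPN is '$cloudUpnExpected'"
}
```

Run it as `.\Check-NpsMfaUpn.ps1 -RadiusUserName testsync -AzureVerifiedDomains contoso.com` (file name is mine). The "Format check" line tells you whether the attribute currently selected by the registry is UPN-shaped at all, and the "Mismatch" line tells you whether it agrees with the attribute Azure AD Connect is syncing as the cloud UPN. After changing any value under HKLM\SOFTWARE\Microsoft\AzureMfa, restart the NPS service (service name IAS) before retesting the VPN.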
