Hi @Mike Hamsa
That error means that the extension is not able to authenticate itself against AAD. Can you confirm which server version you are using? I saw a customer recently facing the same error with NPS deployed on a 2012 R2 server, and he was able to resolve the issue by redeploying on a 2019 machine.
You mentioned that the user is able to communicate with login.microsoftonline.com. Please confirm, though, that your firewalls are open bidirectionally for traffic to and from https://adnotifications.windowsazure.com and https://login.microsoftonline.com using ports 80 and 443. It is also important to check that on the DIAL-IN tab of Network Access Permissions, the setting is set to "control access through NPS Network Policy".
You will also see this error if you have not yet upgraded to TLS 1.2, in which case upgrading will resolve the issue.
Do they have an internet proxy or network security software that could be blocking traffic?
Additionally, if you can share any logs you have, it will help me to better diagnose the issue. If the primary authentication is failing this will need to be addressed by the Windows networking team.
If you have confirmed all of these things and still face the issue, it would be worth creating a support case to look into your environment. If you would like to have a support case opened, you can reach out to me at AzCommunity@microsoft.com ("Attn: Marilee Turscak") and include your subscription ID and a link to this thread, and I will have one enabled for you.
If the information helped you, please Accept the answer. Otherwise let me know if you have further questions.
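A check script for the points above, added here as an illustration and not part of the thread or of Microsoft's own tooling. It assumes it is run from an elevated PowerShell session on the NPS server, that Test-NetConnection is available (Windows Server 2012 R2 and later), and it uses the two hostnames and the two ports named in the answer together with the standard Schannel and .NET Framework registry locations that govern TLS 1.2 for a .NET component such as the NPS extension.

```powershell
# Added example for the checks listed in the answer above (not from the original thread).
# Assumptions: elevated session on the NPS server; outbound 80/443 is what the extension needs;
# the registry paths below are the usual Schannel and .NET Framework 4.x TLS settings.

$endpoints = 'adnotifications.windowsazure.com', 'login.microsoftonline.com'
$ports     = 80, 443

# 1. Can the NPS host open a TCP connection to each endpoint on each port?
function Test-MfaEndpointReachability {
    foreach ($h in $endpoints) {
        foreach ($p in $ports) {
            $r = Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{
                Host      = $h
                Port      = $p
                Reachable = $r.TcpTestSucceeded
                RemoteIP  = $r.RemoteAddress
            }
        }
    }
}

# 2. Is TLS 1.2 usable by Schannel and by .NET Framework code on this box?
#    Schannel: TLS 1.2 client is off if Enabled=0 or DisabledByDefault=1.
#    .NET 4.x: SchUseStrongCrypto=1 / SystemDefaultTlsVersions=1 let managed code use TLS 1.2.
function Get-Tls12State {
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $sc = Get-ItemProperty -Path $schannel -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key               = $schannel
        Enabled           = $sc.Enabled            # $null means "not set" (OS default applies)
        DisabledByDefault = $sc.DisabledByDefault
    }
    $dotnetKeys = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($k in $dotnetKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key                      = $k
            SchUseStrongCrypto       = $props.SchUseStrongCrypto
            SystemDefaultTlsVersions = $props.SystemDefaultTlsVersions
        }
    }
}

# 3. Does an actual TLS 1.2-only handshake to the login endpoint succeed from this host?
#    Forcing Tls12 surfaces a proxy or inspection device that downgrades or blocks it.
function Test-Tls12Handshake {
    param([string]$HostName = 'login.microsoftonline.com')
    $client = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        [pscustomobject]@{
            Host     = $HostName
            Protocol = $ssl.SslProtocol
            Cipher   = $ssl.CipherAlgorithm
            Issuer   = $ssl.RemoteCertificate.Issuer   # an unexpected issuer points at TLS interception
        }
        $ssl.Dispose()
    }
    finally { $client.Close() }
}

# 4. OS build and proxy settings, since the answer asks about both.
function Get-NpsHostContext {
    [pscustomobject]@{
        OS            = (Get-CimInstance Win32_OperatingSystem).Caption
        WinHttpProxy  = (netsh winhttp show proxy) -join ' '
        NpsService    = (Get-Service -Name IAS -ErrorAction SilentlyContinue).Status
    }
}

Get-NpsHostContext
Test-MfaEndpointReachability | Format-Table -AutoSize
Get-Tls12State               | Format-List
Test-Tls12Handshake
```

If Test-MfaEndpointReachability shows a port as unreachable, or Test-Tls12Handshake throws, the problem is on the network path (firewall, proxy, or an inspection device) rather than in the extension itself; if the handshake succeeds but the .NET keys are absent or 0, set SchUseStrongCrypto and SystemDefaultTlsVersions to 1 in both the 64-bit and WOW6432Node keys and restart the NPS service (IAS).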