NPS Extension for Azure MFA - The key was not found
Dear all,
We're trying to implement Entra/Azure MFA for RD Gateway. We've installed the NPS MFA extension and configured everything as instructed by the official documentation. When a user tries to sign in through the RDGW, we see the error message below in the Microsoft-AzureMfa-AuthZ/AuthZAdminCh event log:
NPS Extension for Azure MFA: CID: xxxx :Exception in Authentication Ext for User xxxx\testuser :: ErrorCode:: ESTS_TOKEN_ERROR Msg:: Unable to get Azure AD access token. [Reason:AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Thumbprint of key used by client: 'xxxx', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'xxxx'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/xxx']. Alternatively, SNI may be configured on the app. Please ensure that client assertion is being sent with the x5c claim in the JWT header using MSAL's WithSendX5C() method so that Azure Active Directory can validate the certificate being used. Trace ID: 0f2b94d8-58de-40fa-93d7-c7a4232c0600 Correlation ID: xxx Timestamp: 2024-10-21 14:57:52Z][Code:3399614473] Enter ERROR_CODE @ https://go.microsoft.com/fwlink/?linkid=846827 for detailed troubleshooting steps.
Kindly please advise how to proceed to resolve this. Thank you.
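A diagnostic check, added here as an example and not part of the original post: AADSTS700027 says the certificate whose thumbprint the NPS extension presented is not among the keys registered on the application's service principal, so the script below compares the thumbprint and app ID from the event (taken as parameters, since they are masked in the post) against the local computer store and against the service principal's KeyCredentials in Entra ID. It assumes the Microsoft.Graph PowerShell module is installed and the caller can consent to Application.Read.All.

```powershell
# Added example (not from the original post). Compares the thumbprint the NPS
# extension used (from the AuthZAdminCh event) with the certificates registered
# on the service principal of the app ID named in the same event.
# Assumptions: Microsoft.Graph module installed; Application.Read.All granted.
param(
    [Parameter(Mandatory)] [string]$ClientThumbprint,   # 'Thumbprint of key used by client' from the event
    [Parameter(Mandatory)] [string]$AppId               # 'app Id' from the event
)

# 1. Is that certificate present in the computer store on this NPS server?
$local = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -ieq $ClientThumbprint }
if (-not $local) {
    Write-Warning "No certificate with thumbprint $ClientThumbprint in Cert:\LocalMachine\My"
} else {
    "Local cert: Subject='$($local.Subject)' NotAfter=$($local.NotAfter) HasPrivateKey=$($local.HasPrivateKey)"
}

# 2. Which keys does Entra ID hold for the service principal of that app?
Connect-MgGraph -Scopes 'Application.Read.All'
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId in this tenant" }

$registered = foreach ($k in $sp.KeyCredentials) {
    # CustomKeyIdentifier carries the certificate thumbprint as raw bytes
    [PSCustomObject]@{
        Thumbprint = ($k.CustomKeyIdentifier | ForEach-Object { $_.ToString('X2') }) -join ''
        Usage      = $k.Usage
        EndDate    = $k.EndDateTime
    }
}
$registered | Format-Table -AutoSize

# 3. Verdict: a mismatch here is exactly the condition AADSTS700027 reports.
if ($registered.Thumbprint -contains $ClientThumbprint.ToUpper()) {
    'Thumbprint IS registered on the service principal; check expiry and private-key access instead.'
} else {
    'Thumbprint is NOT registered on the service principal; re-run the NPS extension setup script so it uploads the certificate, or confirm the tenant and app ID match.'
}
```

Run it on the NPS server with the two masked values from the event; the final line tells you whether the problem is a missing registration or something else (expired certificate, missing private key, wrong tenant).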