Hello elflaco,
Thank you for connecting offline to discuss about your issue.
We see that you are looking to secure remote access to virtual machines that run in a Microsoft Entra Domain Services managed domain, using Remote Desktop Services (RDS) and Network Policy Server (NPS).
As discussed, there are two factors that affect which authentication methods are available with an NPS extension deployment:
The password encryption algorithm used between the RADIUS client (VPN, Netscaler server, or other) and the NPS servers.
PAP supports all the authentication methods of Microsoft Entra multifactor authentication in the cloud: phone call, one-way text message, mobile app notification, OATH hardware tokens, and mobile app verification code.
CHAPV2 and EAP support phone calls and mobile app notification.
The input methods that the client application (VPN, Netscaler server, or other) can handle.
The NPS Extension for Microsoft Entra multifactor authentication is available to customers with licenses for Microsoft Entra multifactor authentication (included with Microsoft Entra ID P1 and Premium P2 or Enterprise Mobility + Security). Consumption-based licenses for Microsoft Entra multifactor authentication, such as per user or per authentication licenses, aren't compatible with the NPS extension.
Sharing relevant document for reference: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension#licenses
Thanks & Best Regards
Janaki Kota
If your question has been solved, then you can click "Accept Answer", which may help members with similar questions find the answer easily. Thank you very much!