The issue has been solved now after doing lots of troubleshooting. Below are the actions taken to solve the issue.
- Disabled the NPS extension for MFA by removing the entry from the registry (HKLM\System\currentcontrolset\services\Authsrv\Parameters)
- Disabled all default connection and network policies from NPS
- Changed the type of network access server from "Remote Access Server (VPN-Dial up)" to "Unspecified"
- On the Fortinet VPN server, enabled primary authentication from the NPS server and ensured group matching is configured correctly

The above steps helped us to solve the issue and ensure that primary authentication works properly. Once primary authentication was confirmed, we restored the registry setting for the NPS extension and reran .\AzureMfaNpsExtnConfigSetup.ps1. After that we retested the VPN access and MFA, and finally it worked with all MFA options available.

Please note that Fortinet VPN uses PAP as the authentication protocol.
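
The registry step described above can be made reversible with a saved copy of the removed values. This is an added example, not part of the original post: the value names `AuthorizationDLLs` and `ExtensionDLLs`, the backup path, and the function names are assumptions (the post names only the registry key), so confirm them on your own NPS server before use.

```powershell
# Added example; run in an elevated PowerShell session on the NPS server.
$Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters'
$Names  = 'AuthorizationDLLs', 'ExtensionDLLs'              # assumed value names
$Backup = Join-Path $env:ProgramData 'nps-ext-backup.xml'   # hypothetical path

function Disable-NpsExtension {
    # Save each extension value (data and registry type) before deleting it.
    $regKey = Get-Item -Path $Key
    $saved  = @{}
    foreach ($n in $Names) {
        if ($regKey.GetValueNames() -contains $n) {
            $saved[$n] = @{
                Kind  = $regKey.GetValueKind($n).ToString()
                Value = $regKey.GetValue($n)
            }
        }
    }
    if ($saved.Count -eq 0) { throw "No extension values found under $Key" }
    if (Test-Path $Backup)  { throw "Backup $Backup already exists; not overwriting" }

    $saved | Export-Clixml -Path $Backup
    foreach ($n in $saved.Keys) { Remove-ItemProperty -Path $Key -Name $n }
    Restart-Service -Name IAS    # IAS is the NPS service; it loads the DLLs at start
}

function Restore-NpsExtension {
    # Put back exactly what Disable-NpsExtension removed, then restart NPS.
    if (-not (Test-Path $Backup)) { throw "Backup $Backup not found" }
    $saved = Import-Clixml -Path $Backup
    foreach ($n in $saved.Keys) {
        $value = $saved[$n].Value
        if ($saved[$n].Kind -eq 'MultiString') { $value = [string[]]$value }
        New-ItemProperty -Path $Key -Name $n -PropertyType $saved[$n].Kind `
            -Value $value -Force | Out-Null
    }
    Restart-Service -Name IAS
    Remove-Item -Path $Backup    # avoid restoring stale data on a later run
}
```

Run `Disable-NpsExtension` before testing primary authentication and `Restore-NpsExtension` once it is confirmed, then rerun the extension setup script as the post describes.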