Microsoft is unable to reach the domain controllers for this managed domain. This may happen if a network security group (NSG) configured on your virtual network blocks access to the managed domain. Another possible reason is if there is a user defined route that blocks incoming traffic from the internet.
Note: NSG is configured as suggested:
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/alert-nsg#aadds104-network-error
We had this issue due to a "deny" rule in the NSG that we had explicitly created, and we learned that a deny rule will override the default NSG settings.
Though it was a replication error between peering DCs, you may want to check this if you haven't already.
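The precedence behaviour described in the answer above, as an added example that is not part of the original thread: NSG rules are evaluated in ascending priority number and the first match decides, so an explicit deny with a lower number wins over later allow rules. The rule names and priorities are constructed; the flow checked (inbound TCP 5986 from the `AzureActiveDirectoryDomainServices` service tag) is assumed from Microsoft's documented NSG requirements for managed domains, and source matching is simplified to an exact tag or `*`.

```python
# Constructed sample rules, using the field names found in `az network nsg show` output.
SAMPLE_RULES = [
    {"name": "DenyAllCustom", "priority": 200, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "*"},
    {"name": "AllowPSRemoting", "priority": 301, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "AzureActiveDirectoryDomainServices",
     "destinationPortRange": "5986"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "*"},  # platform default rule
]

def port_matches(spec, port):
    """True if a port spec ('*', '5986' or '1000-2000') covers the port."""
    if not spec:
        return False
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= port <= int(high)
    return int(spec) == port

def deciding_rule(rules, direction, protocol, source, port):
    """Return the first rule, by ascending priority number, that matches the flow."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"].lower() != direction.lower():
            continue
        if rule["protocol"] != "*" and rule["protocol"].lower() != protocol.lower():
            continue
        # Simplification: exact service tag or '*' only, no CIDR matching.
        if rule["sourceAddressPrefix"] not in ("*", source):
            continue
        ports = rule.get("destinationPortRanges") or [rule.get("destinationPortRange")]
        if any(port_matches(p, port) for p in ports):
            return rule
    return None

if __name__ == "__main__":
    hit = deciding_rule(SAMPLE_RULES, "Inbound", "Tcp",
                        "AzureActiveDirectoryDomainServices", 5986)
    print(f"{hit['name']} (priority {hit['priority']}) -> {hit['access']}")
```

If the deciding rule for that flow is a custom deny, it is shadowing the allow rule the managed domain depends on.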