The Network Policy Server (NPS) extension for Azure Multi-Factor Authentication (Azure MFA) provides a simple way to add cloud-based MFA to your authentication infrastructure using the NPS servers you already run. With this solution you can integrate your VPN or RDS infrastructure with Azure AD MFA; Microsoft publishes detailed instructions for integrating VPN infrastructure with the NPS extension for Azure. If you successfully complete the secondary verification method you previously configured in Azure AD MFA, you are connected to the resource; if the secondary authentication fails, you are denied access.
When using the NPS extension you may run into the following limitation: RRAS, RD Gateway and some other systems cannot process RADIUS Access-Challenge responses. Such a client treats the Access-Challenge packet as an Access-Reject packet, which limits the MFA methods you can use with these systems.
Phone call and mobile app push notifications should work fine, because the NPS extension completes them out of band and answers the single Access-Request with a plain Access-Accept or Access-Reject. Neither SMS nor mobile app verification codes (OTPs) will work: unlike some other systems (Citrix NetScaler, for example), Microsoft has no way to challenge the user for their OTP, which is exactly what the Access-Challenge response is for. You can, however, use OTP (classic or programmable hardware tokens) or TOTP apps with our TOTPRadius solution. We have published a guide describing how to use hardware tokens for a PPTP VPN integrated with TOTPRadius.
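To make the Access-Challenge point concrete, here is an added example (not code from the original post, Microsoft, or the TOTPRadius product) that simulates both sides of a two-step RADIUS exchange per RFC 2865: the server answers the first factor with an Access-Challenge carrying a State attribute, a challenge-aware client echoes the State back with the OTP, and a legacy client in the RRAS/RD Gateway mould simply treats the challenge as a reject. The shared secret, user, password and OTP value are all constructed for the illustration.

```python
"""Minimal RADIUS (RFC 2865) exchange showing why a client that cannot
handle Access-Challenge breaks OTP-style MFA.  Constructed example: the
shared secret, user store and OTP value below are made up for illustration."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

SECRET = b"constructed-shared-secret"        # assumed RADIUS shared secret
USERS = {b"alice": b"Passw0rd!"}             # constructed first-factor store
EXPECTED_OTP = b"492817"                     # constructed second-factor code


def encode_attrs(attrs):
    """Serialise a list of (type, value) pairs as RADIUS TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse the attribute section back into a list of (type, value)."""
    attrs, i = [], 0
    while i < len(data):
        t, l = struct.unpack("!BB", data[i:i + 2])
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def hide_password(pw, req_auth):
    """RFC 2865 5.2 User-Password hiding: MD5(secret|authenticator) XOR pw.
    XOR is its own inverse, so the server calls this again to unhide."""
    pw = pw.ljust(16, b"\x00")               # one 16-byte block suffices here
    key = hashlib.md5(SECRET + req_auth).digest()
    return bytes(a ^ b for a, b in zip(pw, key))


def build_request(ident, req_auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def build_response(code, request, attrs):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(head + request[4:20] + body + SECRET).digest()
    return head + resp_auth + body


def server_handle(packet):
    """Two-step server: first factor -> Access-Challenge; OTP -> Accept/Reject."""
    req_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:]))
    secret_field = hide_password(attrs[USER_PASSWORD], req_auth).rstrip(b"\x00")
    if STATE not in attrs:
        if USERS.get(attrs.get(USER_NAME)) != secret_field:
            return build_response(ACCESS_REJECT, packet, [])
        # First factor passed: ask for the OTP and hand out a State cookie
        # that the client must echo back in its next Access-Request.
        state = hashlib.sha256(b"session" + attrs[USER_NAME]).digest()[:8]
        return build_response(ACCESS_CHALLENGE, packet,
                              [(STATE, state), (REPLY_MESSAGE, b"Enter OTP")])
    # Second round trip: State echoed, User-Password now carries the OTP.
    ok = secret_field == EXPECTED_OTP
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, packet, [])


def verify_response(resp, request):
    """Check the Response Authenticator so a forged reply is not trusted."""
    expect = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + SECRET).digest()
    return expect == resp[4:20]


def client_flow(user, password, otp, supports_challenge):
    """Run the exchange and return the final RADIUS code the client acts on.
    A legacy client (RRAS / RD Gateway style) treats Access-Challenge as Reject."""
    ident, req_auth = 1, os.urandom(16)
    req = build_request(ident, req_auth, [(USER_NAME, user),
                                           (USER_PASSWORD, hide_password(password, req_auth))])
    resp = server_handle(req)
    assert verify_response(resp, req)
    if resp[0] != ACCESS_CHALLENGE:
        return resp[0]
    if not supports_challenge:
        return ACCESS_REJECT      # the limitation described above
    state = dict(decode_attrs(resp[20:]))[STATE]
    req_auth2 = os.urandom(16)
    req2 = build_request(ident + 1, req_auth2, [(USER_NAME, user), (STATE, state),
                                                (USER_PASSWORD, hide_password(otp, req_auth2))])
    resp2 = server_handle(req2)
    assert verify_response(resp2, req2)
    return resp2[0]


if __name__ == "__main__":
    print("challenge-aware client:", client_flow(b"alice", b"Passw0rd!", b"492817", True))
    print("legacy client:        ", client_flow(b"alice", b"Passw0rd!", b"492817", False))
```

The same first factor yields Access-Accept (2) for the challenge-aware client and an effective Access-Reject (3) for the legacy one, even though the server never actually rejected it; that is why, with RRAS or RD Gateway in front of the NPS extension, only methods that need no second round trip (phone call, push) can succeed, and why a RADIUS server that validates the OTP in a single Access-Request sidesteps the problem.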