I've been trying unsuccessfully to buy tech support from Microsoft for over a week, so I figured I'd try here instead.
I have followed the guide at https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg to set up a Remote Desktop Gateway using Azure MFA. All the components appear to be working, but when I try to log in with MFA, it just sits there for several seconds, then fails without prompting for MFA.
Logging in without MFA works.
I have run the health check script at https://gallery.technet.microsoft.com/Azure-MFA-NPS-Extension-648de6bb and it gives a clean bill of health.
The final message in the AuthZOptCh log is:
"NPS extension for Azure MFA: CID: <string> : Challenge requested in Authentication Ext for User CONTOSO\Alice with state <string>"
But there is no subsequent entry, and the MFA challenge never happens.
What is going on? Why is Azure not issuing the MFA challenge?