Forum Discussion
NPS Extension for azure MFA and multiple tenants?
Hi pwb, don't know if you are still looking for an answer here but I think you're running into a design limitation of the NPS extension rather than a simple misconfiguration.
The NPS extension is explicitly registered to one Microsoft Entra tenant when you run AzureMfaNpsExtnConfigSetup.ps1, where you sign in as a GA and provide a single tenant ID, the script creates/uses the “Azure Multi-Factor Auth Client” service principal in that tenant only.
Per the NPS extension configuration limitations, the extension then uses the on‑prem UPN to find the user in Microsoft Entra for secondary authentication, which assumes that UPN exists in the same tenant the extension is registered to.
The troubleshooting article for "AccessDenied" explicitly calls out the case where “the tenant domain and the domain of the user principal name (UPN) are not the same,” and tells you to ensure that email address removed for privacy reasons is authenticating against the Contoso tenant.
On top of that, Microsoft Entra will only allow a given custom domain (for example, contoso.com) to be verified in a single tenant at a time, so the same UPN namespace cannot legitimately belong to multiple tenants simultaneously.
Putting those together, in my opinion a single NPS extension instance can only perform MFA for users in the one tenant it’s registered to, and cross‑tenant UPNs will hit the documented AccessDenied condition rather than working as a supported multi‑tenant setup.
Here are the reference links:
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension#configuration-limitations
https://learn.microsoft.com/en-us/previous-versions/entra/identity/authentication/howto-mfa-nps-extension-errors#errors-your-users-may-encounter
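One way to confirm the mismatch described in this reply on the NPS server itself, as an added example that is not part of the original post or of Microsoft's own scripts: it reads the tenant the extension was registered to and checks whether a user's UPN suffix is a verified domain in that same tenant. Assumptions: the registered tenant ID is stored as a `TENANT_ID` value under `HKLM:\SOFTWARE\Microsoft\AzureMfa` (value name assumed), and the Microsoft.Graph PowerShell module is installed.

```powershell
# Added diagnostic example, not from the original post.
# Assumption: AzureMfaNpsExtnConfigSetup.ps1 leaves the registered tenant ID in
# HKLM:\SOFTWARE\Microsoft\AzureMfa as TENANT_ID (value name assumed here).
function Test-NpsExtensionUpnTenant {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    $regPath = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
    $registeredTenant = (Get-ItemProperty -Path $regPath -ErrorAction Stop).TENANT_ID
    if (-not $registeredTenant) {
        throw "No TENANT_ID under $regPath; run AzureMfaNpsExtnConfigSetup.ps1 first."
    }

    # Sign in to the tenant the extension is registered to, not the tenant the UPN "looks like".
    Connect-MgGraph -TenantId $registeredTenant -Scopes 'Domain.Read.All', 'User.Read.All' | Out-Null
    $verifiedDomains = (Get-MgDomain | Where-Object { $_.IsVerified }).Id

    # The extension resolves users by on-prem UPN, so the suffix must be verified in this tenant.
    $upnDomain = $UserPrincipalName.Split('@')[-1]
    $domainVerifiedHere = $verifiedDomains -contains $upnDomain

    $userFound = $false
    try {
        $null = Get-MgUser -UserId $UserPrincipalName -ErrorAction Stop
        $userFound = $true
    } catch { }

    if ($domainVerifiedHere -and $userFound) {
        $expected = 'Secondary auth lookup should succeed in the registered tenant'
    } else {
        $expected = 'Expect AccessDenied: UPN domain/user is not in the registered tenant'
    }

    [pscustomobject]@{
        UserPrincipalName  = $UserPrincipalName
        RegisteredTenantId = $registeredTenant
        UpnDomain          = $upnDomain
        DomainVerifiedHere = $domainVerifiedHere
        UserFoundInTenant  = $userFound
        ExpectedResult     = $expected
    }
}

# Usage (constructed sample UPN): Test-NpsExtensionUpnTenant -UserPrincipalName 'user@contoso.com'
```

A `DomainVerifiedHere` of `$false` for a user who is otherwise valid in another tenant is the multi-tenant case discussed above, and it will not be fixed by re-running the setup script against the second tenant, since that just re-registers the same instance elsewhere.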