When diagnosing why an NPS server will not let a user in and returns Access-Reject, the event log may show the following Reason:
An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.
I recommend uninstalling the NPS Extension for Azure MFA plugin.
Then retry the access, which should give you a more useful reason in the event log, e.g. The RADIUS request did not match any configured connection request policy (CRP).
Once this is fixed, you can reinstall the plugin and re-authenticate it.
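To compare the Reason logged before and after removing the extension, the rejections can be pulled from the event log directly. This is an added example, not part of the original post; it assumes NPS rejections are audited as event ID 6273 in the Security log, English-language message text, and an elevated PowerShell session on the NPS server.

```powershell
# Added example: list recent NPS Access-Reject events with their logged reason.
# Assumptions: event ID 6273 in the Security log, English message text,
# and a one-hour look-back window (constructed value, adjust as needed).
$since = (Get-Date).AddHours(-1)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6273
    StartTime = $since
} -ErrorAction SilentlyContinue   # no matching events is not treated as an error

$rejects = foreach ($e in $events) {
    $msg = $e.Message
    [pscustomobject]@{
        Time       = $e.TimeCreated
        # The first "Account Name:" line in the message is the user being authenticated
        User       = if ($msg -match '(?m)^\s*Account Name:\s+(.+?)\s*$') { $Matches[1] } else { $null }
        ReasonCode = if ($msg -match '(?m)^\s*Reason Code:\s+(\d+)')      { [int]$Matches[1] } else { $null }
        Reason     = if ($msg -match '(?m)^\s*Reason:\s+(.+?)\s*$')       { $Matches[1] } else { $null }
    }
}

# Chronological view: shows the reason changing once the extension is removed
$rejects | Sort-Object Time | Format-Table -AutoSize -Wrap

# Summary: how often each reason occurred in the window
$rejects | Group-Object ReasonCode, Reason |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run it once while the extension is installed and again after the retry; the second run should show the more specific reason instead of the generic extension DLL rejection.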