Diagnose Radius Issue – Meraki and NPS Radius Server

Download this tool to Emulate Radius Requests 

 

Event Viewer

Custom Views -> Server Roles -> Network Policy and Access Services

Windows Logs -> Applications and Services Logs -> Microsoft -> AzureMfa -> AuthZ

Windows Logs -> Applications and Services Logs -> Microsoft -> AzureMfa -> AuthN

 

Some errors decoded

Error: “An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.”

Resolution: Reinstall the Azure MFA NPS extension. This error is potentially caused by an incorrect TenantID entered during installation.

Error: “An Access-Request message was received from RADIUS client 10.0.1.4 with a Message-Authenticator attribute that is not valid.”

Resolution: Confirm the Azure Virtual Network Gateway is configured with the same RADIUS password (shared secret) as the one set for it under RADIUS Clients in NPS.

Error: “NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User [email protected] with response state AccessReject, ignoring request.”

Resolution: Ensure the user's permissions in the domain Active Directory are correct. Review Dial-in -> Network Access Permission in the user's properties in the relevant Active Directory domain.
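
Why a mismatched RADIUS password produces the "Message-Authenticator attribute that is not valid" error: the attribute is an HMAC-MD5 over the whole packet, keyed with the shared secret (RFC 2869), so the server can only reproduce it with the identical secret. The following is an added example, not part of the original post or of any tool it links; the secret, user name and packet are constructed sample values, and 10.0.1.4 is reused from the error text above.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(secret: bytes, ident: int, req_auth: bytes, attrs: bytes) -> bytes:
    """Build an Access-Request (code 1) that ends with a signed Message-Authenticator."""
    body = attrs + attr(MSG_AUTH, b"\x00" * 16)
    packet = struct.pack("!BBH", 1, ident, 20 + len(body)) + req_auth + body
    # HMAC-MD5 over the whole packet with the attribute value zeroed, keyed with the secret.
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Recompute the HMAC as the receiving server would; False means 'not valid'."""
    if len(packet) < 20:
        raise ValueError("truncated RADIUS packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == MSG_AUTH and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(packet[pos + 2:pos + 18], expected)
        pos += alen
    return False  # attribute missing

# Constructed sample: the RADIUS client signs with the secret configured on its side.
CLIENT_SECRET = b"Constructed-Secret-1"
SAMPLE_ATTRS = attr(1, b"alice") + attr(4, bytes([10, 0, 1, 4]))  # User-Name, NAS-IP-Address
SAMPLE_REQUEST = build_access_request(CLIENT_SECRET, 7, bytes(range(16)), SAMPLE_ATTRS)

if __name__ == "__main__":
    # The second candidate differs only by a trailing space, as after a copy-paste slip.
    for server_secret in (CLIENT_SECRET, CLIENT_SECRET + b" ", b"other"):
        ok = verify_message_authenticator(server_secret, SAMPLE_REQUEST)
        print(f"server secret {server_secret!r}: valid={ok}")
```

Any difference between the two sides, including trailing whitespace or a change of case, makes the check fail, so re-enter the secret on both the gateway and the NPS RADIUS client entry rather than comparing it by eye.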

 

Log Viewer

 

 

Tools

http://azuredummies.com/2018/09/11/azure-mfa-nps-extension-health-check-script-v1/
