Is it only happening for Win10 users or for any other Windows OS users? I can think of the following points.
- I would suggest checking whether the "Allow Local DNS Servers" option is checked under NACL.
- Also, please verify whether initial authentication with O365 is working fine. Is it using SAML federation with an on-prem IDP, and does it need to go via the VPN tunnel?
- Can you connect to https://teams.microsoft.com/ once you have the full VPN tunnel? If not, check in the browser's developer tools where it fails.
- If it's working on Windows platforms other than 10, what's special with this build?
- Involve MS support as well to troubleshoot where this is failing.