Summary: The Microsoft Certificate Services CA must be configured properly to allow SANs to be added to the certificates it issues. The TPP Documentation has a section on how to do this titled
Despite the labels on the Microsoft CA Configuration screen, checking the appropriate box (depending on your CA setup) is required for SANs, especially for adding the CN as a SAN, which TPP will do if you check the required box.
However, despite the text of these highlighted boxes, no manual approval at the CA site is required (unless other configuration values are set that specifically require it). TPP handles all required approvals. This can be confusing because the text is misleading, but it is the correct way to configure your MS CA template properties.