Right now, when you use Conditional Access to enforce strong auth methods such as phishing-resistant auth, the user is asked for more info and then redirected to the following page:
Additional authentication is required to complete this sign-in. Learn how to set up a security key (FIDO2), then go to https://aka.ms/mysecurityinfo to add the authentication method to your account.
https://imgur.com/M66nCVe
However, when you click through on the Security Info URL, you end up at the very start of the auth flow and get stuck in an infinite loop. It makes no sense that you cannot configure a FIDO2 security key EVEN when other MFA methods were already registered; once enforced, you cannot get out of the infinite-auth-loop-of-death.
The only way around this loop is to configure a TAP for the user, which allows them to bypass the policy and reach the Security Info page to add a new security key. We want to secure all our customers using FIDO2, but right now having to create a TAP for each and every user, including guest users, just to enable security key registration is very cumbersome and makes no sense when regular MFA allows you to register an app just fine at first logon.
Issues like these make convincing higher management at our customer base a lot more difficult, when we need to do the very opposite in order to encourage adoption of more secure auth methods!
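As an added illustration (not code from the original post or from Microsoft), the Temporary Access Pass (TAP) workaround described above can at least be scripted so that only group members who have no FIDO2 security key registered yet receive a pass. It uses the Microsoft Graph PowerShell SDK's Invoke-MgGraphRequest against the temporaryAccessPassMethods endpoint; the group id is a placeholder, and it assumes the TAP method is enabled in the tenant's authentication methods policy and that the caller holds the listed permissions.

```powershell
# Added example, not part of the original post. Requires the Microsoft.Graph PowerShell SDK.
# Permissions assumed: GroupMember.Read.All and UserAuthenticationMethod.ReadWrite.All.
Connect-MgGraph -Scopes "GroupMember.Read.All", "UserAuthenticationMethod.ReadWrite.All"

$groupId = "<group-id-placeholder>"          # placeholder: group targeted by the CA policy
$graph   = "https://graph.microsoft.com/v1.0"

# List the group's members (first page only; follow @odata.nextLink for large groups).
$members = Invoke-MgGraphRequest -Method GET -Uri "$graph/groups/$groupId/members?`$select=id,userPrincipalName"

foreach ($m in $members.value) {
    # Skip nested groups, service principals, devices: only users register security keys.
    if ($m.'@odata.type' -ne '#microsoft.graph.user') { continue }

    # Check whether a FIDO2 method is already registered; if so, no TAP is needed.
    $fido = Invoke-MgGraphRequest -Method GET -Uri "$graph/users/$($m.id)/authentication/fido2Methods"
    if ($fido.value.Count -gt 0) { continue }

    # Issue a short-lived, single-use pass: enough for one sign-in to reach Security Info
    # and add a key, and it expires on its own if never used.
    $body = @{ lifetimeInMinutes = 60; isUsableOnce = $true }
    $tap  = Invoke-MgGraphRequest -Method POST -Uri "$graph/users/$($m.id)/authentication/temporaryAccessPassMethods" -Body $body

    [pscustomobject]@{
        User                = $m.userPrincipalName
        TemporaryAccessPass = $tap.temporaryAccessPass   # hand this to the user out of band
        ValidMinutes        = $tap.lifetimeInMinutes
    }
}
```

The returned pass is shown only once in the POST response, so deliver it to the user through a channel you already trust rather than logging the output.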