Forum Discussion
Conditional Access - Policy AND'ing - Registering Security Info
Hi All,
I've been working away trying to solve an issue but haven't found a way around it just yet. The aim is to let users on BYOD use TAP on a non-compliant device to set up their security info, but then for all other actions to have MFA+Compliance enforced from desktops.
Three CA Policies from the template articles with a tweak for passwordless:
- Secure Registration Policy (MFA+TAP Auth Strength)
- Device Compliance (MFA+TAP Auth Strength + Compliance)
- Intune Enrollment (MFA+TAP Auth Strength)
I'm noting a few outcomes here:
Device Compliance (AND grant control)
- User with a BYOD Device and TAP can't enroll in MFA as the device isn't compliant; they can't workplace join the device either
- User on an enrolled device, can use TAP to reset/create their MFA control
Device Compliance (OR grant control)
- User with a BYOD Device and TAP, can workplace join and register their security info without issues
- User with an enrolled device has no issues using TAP to reset/create their MFA control.
This makes sense with the AND'ing of policies; however, for the registration method I'm wanting to let the user in on their BYOD device to register their security control, and once done they can workplace join with no issues to access resources. The sign-in logs always show the device compliance policy as hit, which is expected: the login shows a success for passwordless + TAP but fails the compliance strength as expected. It doesn't look like it's the device enrolment side of things, purely the registration portal getting in the way wanting the compliant device.
Does anyone else have similar requirements and have a way to do this without a manual exclusion group?
Thanks!
1 Reply
It is not possible to enable “BYOD registration only” using Conditional Access policies with strict AND logic. The recommended approach is to configure the Secure Registration policy independently, targeting only the Azure AD combined registration portal. At the same time, the Device Compliance policy should be scoped to all other applications and resources. This configuration allows users on non-compliant BYOD devices to register their security information without being blocked by compliance requirements. Once registration is complete, any attempt to access workloads will correctly enforce both device compliance and MFA. Without this separation, the registration portal will always be subject to the compliance requirement, preventing successful registration.
How to Require Device Compliance with Conditional Access - Microsoft Entra ID | Microsoft Learn
Enforce device compliance and app protection policies on BYOD with M365 Business premium – CIAOPS
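To make the AND'ing concrete, here is an added, constructed model (not Microsoft's code and not the poster's tenant) of how the three policies from the thread combine for a BYOD user signing in with a TAP. It compares the original overlapping scope with the reply's separated scope, and also shows why switching the compliance policy's own grant controls to OR is not a substitute: the resource names, control names and policy shapes are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed model of Entra Conditional Access evaluation (not Microsoft's code).
REGISTRATION = "combined_registration_portal"
WORKLOAD = "other_apps_and_resources"
STRENGTH, COMPLIANT = "mfa_tap_auth_strength", "compliant_device"

@dataclass(frozen=True)
class SignIn:
    target: str                 # resource being signed in to
    satisfied: frozenset        # grant controls this sign-in already meets

@dataclass(frozen=True)
class Policy:
    name: str
    targets: frozenset          # resources the policy is scoped to
    controls: tuple             # required grant controls
    operator: str = "AND"       # how controls combine within this one policy

    def passes(self, s: SignIn) -> bool:
        met = [c in s.satisfied for c in self.controls]
        return all(met) if self.operator == "AND" else any(met)

def evaluate(policies, s: SignIn):
    """Across policies there is no OR: every policy in scope must pass."""
    failed = [p.name for p in policies if s.target in p.targets and not p.passes(s)]
    return (not failed, failed)

def overlapping_policies(compliance_operator="AND"):
    """Original setup: Device Compliance also covers the registration portal."""
    return [
        Policy("Secure Registration", frozenset({REGISTRATION}), (STRENGTH,)),
        Policy("Device Compliance", frozenset({REGISTRATION, WORKLOAD}),
               (STRENGTH, COMPLIANT), compliance_operator),
        Policy("Intune Enrollment", frozenset({WORKLOAD}), (STRENGTH,)),
    ]

def separated_policies():
    """The reply's fix: Device Compliance scoped to everything but registration."""
    return [
        Policy("Secure Registration", frozenset({REGISTRATION}), (STRENGTH,)),
        Policy("Device Compliance", frozenset({WORKLOAD}), (STRENGTH, COMPLIANT)),
        Policy("Intune Enrollment", frozenset({WORKLOAD}), (STRENGTH,)),
    ]

# Constructed sign-ins: a BYOD user who authenticated with a TAP (strength met,
# device not compliant) registering security info, then reaching a workload.
BYOD_TAP_REGISTERING = SignIn(REGISTRATION, frozenset({STRENGTH}))
BYOD_TAP_WORKLOAD = SignIn(WORKLOAD, frozenset({STRENGTH}))
```

With the separated scope the registration sign-in passes while the same non-compliant device is still refused at every other resource; with OR inside the compliance policy, registration passes but so does the workload sign-in, which is the weakening the thread wants to avoid.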