To resolve this, you need to adjust your Conditional Access policies to allow new users to register for MFA from untrusted locations. Here's a step-by-step approach to resolve this issue:
1) Temporary Access for Registration: Create a temporary Conditional Access policy or modify the existing one to allow users to register for MFA from untrusted locations. This policy should be specifically targeted at users who have not completed their MFA registration. You can use the "Users and groups" condition to target these users specifically.
2) Use a One-Time Bypass: Depending on the specifics of your MFA setup, you might be able to issue a one-time bypass code for MFA. This allows the user to bypass MFA temporarily to set it up properly.
3) Trusted Device or Location: Another option is to allow MFA registration from a trusted device or location. For instance, you could have a policy that allows users to register for MFA when they're connected to your network via VPN or from a specific device.
4) Grace Period: Some MFA solutions offer a grace period for new users, during which they can complete their MFA registration. You can check if your system has such a feature and enable it.
5) Role-Based Conditions: If possible, apply the MFA requirement based on roles. New users could be assigned a temporary role that does not require MFA until they have it set up.
6) Communication and Support: Inform new users of the MFA registration process and provide them with clear instructions. Make sure they know whom to contact for support if they run into issues.
7) Testing: Always test your Conditional Access policies to ensure they work as intended without locking out legitimate users.
After the user has registered for MFA, you can revert the changes to your Conditional Access policies, maintaining the security posture you desire.
Remember, the specific steps might vary based on the specifics of your setup (like the MFA solution you're using), but the general approach should help you resolve this issue.
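The policy from steps 1, 3 and 8, and the check behind step 9, as an added Microsoft Graph PowerShell example that is not part of the original answer. It assumes the Microsoft.Graph modules are installed, that a group holding users who still need to register exists, and that the group id and policy name are placeholders to be replaced.

```powershell
# Added example (not from the original answer). Requires the Microsoft.Graph modules.
# Delegated scopes documented for creating CA policies and reading registration details.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Application.Read.All", "GroupMember.Read.All",
                        "UserAuthenticationMethod.Read.All"

# Placeholder: group of users who have not yet completed MFA registration (step 1).
$pendingGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "CA - Require MFA (excluding registration-pending group and trusted locations)"
    # Report-only first (step 8): the sign-in log shows what the policy WOULD do, nobody is locked out.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($pendingGroupId)   # step 1: temporary exemption while they register
        }
        applications   = @{ includeApplications = @("All") }
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # step 3: named locations marked trusted (e.g. VPN egress)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in report-only mode"

# Step 9 check: which members of the pending group have now registered and can be removed from it?
$members = Get-MgGroupMember -GroupId $pendingGroupId -All | ForEach-Object { $_.Id }
Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "isMfaRegistered eq true" -All |
    Where-Object { $members -contains $_.Id } |
    Select-Object UserPrincipalName, IsMfaRegistered

# Once the report-only results look right and the pending group is empty, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Review the report-only outcomes in the sign-in logs before switching the state to "enabled"; the pending group exemption should be removed (or the group emptied) as soon as registration is complete, since an exempt group is itself a bypass.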