Hi Peter,
No, dynamic security groups have a limited number of properties that can be used to construct a membership rule. These are defined here:
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership...

As a work-around, you could create a scheduled task that runs hourly that populates group membership based on the MFA properties in Azure AD. Azure AD stores the number of authentication methods in:
StrongAuthenticationMethods
So if StrongAuthenticationMethods.Count -eq 0 then the user has not completed registration.
And if StrongAuthenticationMethods.Count -lt 2 then they have fewer than two methods defined.
For example:
Connect-MsolService
$user = Get-MsolUser -SearchString "John Doe"
$user.StrongAuthenticationMethods | Select-Object MethodType
PhoneAppOTP
PhoneAppNotification
Then you just need some more code that populates a group based on this.
-Joe
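
One way to write the group-population step mentioned above, as an added example that is not part of the original reply. It assumes the MSOnline module, an assigned (not dynamic) security group, and a placeholder group ObjectId; the variable names are hypothetical.

```powershell
# Added example: keep an assigned group in sync with users who have too few MFA methods.
# Assumption: $GroupObjectId is a placeholder; replace it with the target group's ObjectId.
$GroupObjectId = '00000000-0000-0000-0000-000000000000'
# 1 = users with no registered method; 2 = users with fewer than two methods.
$MinMethods = 1

# Interactive sign-in; a scheduled run needs credentials supplied non-interactively.
Connect-MsolService

# Desired membership: enabled users whose StrongAuthenticationMethods count is too low.
$wanted = @{}
Get-MsolUser -All -EnabledFilter EnabledOnly |
    Where-Object { $_.StrongAuthenticationMethods.Count -lt $MinMethods } |
    ForEach-Object { $wanted[$_.ObjectId.ToString()] = $_.UserPrincipalName }

# Current membership: user objects already in the group.
$current = @{}
Get-MsolGroupMember -GroupObjectId $GroupObjectId -All |
    Where-Object { $_.GroupMemberType -eq 'User' } |
    ForEach-Object { $current[$_.ObjectId.ToString()] = $_.EmailAddress }

# Add users who still lack the required number of methods.
foreach ($id in $wanted.Keys) {
    if (-not $current.ContainsKey($id)) {
        Add-MsolGroupMember -GroupObjectId $GroupObjectId `
            -GroupMemberType User -GroupMemberObjectId $id
        Write-Output "Added   $($wanted[$id])"
    }
}

# Remove users who have since completed registration, so the group stays accurate.
foreach ($id in $current.Keys) {
    if (-not $wanted.ContainsKey($id)) {
        Remove-MsolGroupMember -GroupObjectId $GroupObjectId `
            -GroupMemberType User -GroupMemberObjectId $id
        Write-Output "Removed $($current[$id])"
    }
}
```

Because the script removes as well as adds, the group reflects the current registration state on every run rather than only growing over time.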