Conditional Access to Block off premise access My Profile app

Frequent Visitor

We are about to have our users provision their M365 E5 accounts.  In order to prevent brute force attacks during the registration period we would like to limit users ability to register from non trusted locations.  So when they access for registration we want them to only be allow if they are coming from an IP that is configured as a "Trusted Location".   That way it forces users to setup their Microsoft account from on premise, so that they have a chance to get MFA setup.  


I have read the below documentation which seems like it's suppose to do the same concept but can't get it to work.  

Create a policy to require registration from a trusted location

2 Replies
So what's the issue with configuring CA policy as per the above article?
best response confirmed by Vasil Michev (MVP)

@Vasil Michev, I just realized that I failed to add my users to the Password Reset configuration, so they weren't getting to the combined registration.  Now that I added them its working by design and blocking external access for users who have not registered their two step verification yet.