We have recently implemented MFA with a conditional access policy. We turned off the ability to receive texts/calls and are forcing the Authenticator app. This is causing issues when users need to re set up the account in the Authenticator app. I have had multiple scenarios this week where the Microsoft Authenticator app has stopped displaying the approve/deny message. The end users try to fix the issue themselves and will remove their accounts from the app and try to reenroll by going to myapps.microsoft.com and restarting the setup process. The problem lies in that even though they are visiting the portal from devices that are excluded from MFA via conditional access (Compliant/Hybrid AD Joined) the myapps.microsoft.com portal is still enforcing MFA to log in. Since they have removed their account from the application they can not authenticate to the portal. There is no alternate method since Phone/Text are disabled. 

In order to get the end user back into the portal I have to go to the regular MFA Setup page, enable phone calls or texts, enable and enforce MFA on the end user, and they can finally get in to re-set up the account. 

All of this could be fixed with a one time bypass for cloud!