We have been testing some conditional access policies requiring MFA when a user is off premise. One of our test users accidentally removed the Microsoft Authenticator from their mobile device, and unfortunately we can't re-enroll a new mobile device as the access policies require MFA. I've tried using the one-time bypass in the Microsoft MFA port within the classic portal, but it's not working. Is that the only way to provide a one-time bypass to a user? Is there another way to re-enroll the user in MFA? We eventually just removed them from the conditional access policy as a workaround right now. But looking for options.
You can always reset his MFA status, forcing him to go over the "enablement" process and register the new device. If you mean that the network restrictions are causing this process to fail, add the IP address temporarily or exclude the user from the conditional access policy.