An Azure AD Conditional Access policy for the Internals persona: a user registering security information must either be on an Azure AD joined or hybrid joined device or be in a trusted location; when neither holds (a BYOD device in an untrusted location), multifactor authentication is required.
Suggested name:
CA2{XX}-Internals-IdentityProtection-RegisterSecurityInfo-BYODOrUntrustedLocation-MFA
| Section | Setting | Value |
|---|---|---|
| Assignments | Users > Users and groups | |
| | Include users | CA-Persona-Internals |
| | Exclude users | Break-glass (emergency access) accounts |
| Cloud apps or actions | User actions | Register security information |
| Conditions | Locations | |
| | Include | Any location |
| | Exclude | All trusted locations |
| | Filter for devices | |
| | Exclude | `device.trustType -eq "AzureAD" -or device.trustType -eq "ServerAD"` |
| Access controls | Grant access | |
| | Require | Multifactor authentication |
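The same policy expressed as a Microsoft Graph `conditionalAccessPolicy` body, with a check that the settings above are present before the policy is created. This is an added example, not the page's or Microsoft's own code: the two group object IDs are constructed placeholders, the `build_policy`/`check_policy` names are mine, and the policy is built in report-only state so it can be reviewed before enforcement. The property names (`includeUserActions`, `deviceFilter`, `builtInControls`, the `All`/`AllTrusted` location values) are the documented Graph schema.

```python
"""Build and sanity-check the Graph API body for the Register Security Info policy.

Added illustration, not the page's or Microsoft's own code. Group IDs are
constructed placeholders; the schema property names are those of the Graph
conditionalAccessPolicy resource.
"""
import json
import re

# Constructed placeholder object IDs; replace with the real directory objects.
INTERNALS_GROUP_ID = "00000000-0000-0000-0000-00000000aaaa"    # CA-Persona-Internals
BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-00000000bbbb"  # emergency access accounts

# Straight double quotes are required; curly quotes from a word processor are rejected.
DEVICE_FILTER_RULE = 'device.trustType -eq "AzureAD" -or device.trustType -eq "ServerAD"'


def build_policy(state: str = "enabledForReportingButNotEnforced") -> dict:
    """Return the body for POST /identity/conditionalAccess/policies."""
    return {
        "displayName": "CA2XX-Internals-IdentityProtection-RegisterSecurityInfo-BYODOrUntrustedLocation-MFA",
        "state": state,
        "conditions": {
            "users": {
                "includeGroups": [INTERNALS_GROUP_ID],
                "excludeGroups": [BREAK_GLASS_GROUP_ID],
            },
            # Scoped to the "Register security information" user action, not a cloud app.
            "applications": {"includeUserActions": ["urn:user:registersecurityinfo"]},
            "locations": {
                "includeLocations": ["All"],
                "excludeLocations": ["AllTrusted"],
            },
            # Exclude Azure AD joined and hybrid joined devices, so only
            # unmanaged (BYOD) devices remain in scope.
            "devices": {"deviceFilter": {"mode": "exclude", "rule": DEVICE_FILTER_RULE}},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


FILTER_CLAUSE = re.compile(r'^device\.trustType -eq "(AzureAD|ServerAD|Workplace)"$')


def check_policy(policy: dict) -> list:
    """Return a list of findings; an empty list means the body matches the design."""
    findings = []
    cond = policy["conditions"]
    if BREAK_GLASS_GROUP_ID not in cond["users"].get("excludeGroups", []):
        findings.append("break-glass group is not excluded")
    if cond["applications"].get("includeUserActions") != ["urn:user:registersecurityinfo"]:
        findings.append("policy is not scoped to the register-security-info user action")
    if cond["locations"].get("excludeLocations") != ["AllTrusted"]:
        findings.append("trusted locations are not excluded")
    dev = cond.get("devices", {}).get("deviceFilter", {})
    if dev.get("mode") != "exclude":
        findings.append("device filter mode must be 'exclude'")
    rule = dev.get("rule", "")
    if "\u201c" in rule or "\u201d" in rule:
        findings.append("device filter rule contains curly quotes; use straight quotes")
    else:
        clauses = [c.strip() for c in rule.split(" -or ")]
        if not all(FILTER_CLAUSE.match(c) for c in clauses):
            findings.append(f"unrecognised device filter clause(s): {clauses}")
    if "mfa" not in policy["grantControls"].get("builtInControls", []):
        findings.append("MFA is not required")
    return findings


if __name__ == "__main__":
    body = build_policy()
    print(json.dumps(body, indent=2))
    print("findings:", check_policy(body) or "none")
```

Run the script to print the JSON body and the check result; switch `state` to `"enabled"` only after the report-only sign-in logs confirm the expected scope.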
User Experience
BYOD in an Untrusted Location

References
https://learn.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-architecture
https://learn.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-framework
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common