Hi @Blakey, Gregory,
There are two reasons why the 14-day grace period might be skipped.
- There is a Conditional Access policy enforcing Multi-Factor Authentication. This seems like it might be the case for you, since you mentioned that the user is in a Conditional Access group. If a Conditional Access policy requires MFA, then the user must be able to pass that MFA request. So if a user is not registered but an MFA policy is enforced, then the user will be required to register and complete the MFA. The Conditional Access policies trump the grace period in that case, which is good for users who may not want a grace period to begin with.
- The other reason could be that the users have already gone past the grace period. After an admin has enabled security defaults, the 14-day grace period starts after the user has first completed a sign-in.
In your case it seems like this is due to that Conditional Access group, as you pointed out.