There's a separate condition you can use to target the MFA registration process, as detailed here: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#user-actions
Conditional Access: block all cloud apps except My Account site
Samir Kothari
31
Reputation points
Through conditional policies we've blocked browser access to all cloud apps. We are now rolling out MFA to everyone. Is there any way to exclude blocking access to https://myaccount.microsoft.com/ ?