Hi @Dave Chuang ,
Thank you for contacting the Q&A community,
It sounds like the user is being asked to register for MFA.
If they are excluded from all conditional access policies that require MFA then it could be if you have SSPR enabled and the user is in the scope. SSPR requires MFA and users need to register if its enabled.
Check if you have SSPR enabled. If the user is in scope then they need to register for MFA but should not get prompted on their subsequent sign ins if CA has excluded them.
Otherwise you need to remove the user from the scope.
https://portal.azure.com/#view/Microsoft_AAD_IAM/PasswordResetMenuBlade/~/Properties
Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.