Hi @Sumarigo-MSFT • Thank you for reaching out.
If the MFA Enrollment prompt appears only during the device registration/join process, and the user doesn't get an MFA prompt when accessing any cloud application, you need to check the setting below:
Azure Active Directory > Devices > Device Settings > "Require Multi-Factor Authentication to register or join devices with Azure AD"
If the above setting is set to YES, Multi-Factor Authentication is required when adding devices to Azure AD. Users who are adding devices from the internet must add a second method of authentication.
Important:
- This setting does not apply to hybrid Azure AD joined devices, Azure AD joined VMs in Azure and Azure AD joined devices using Windows Autopilot self-deployment mode.
- Microsoft recommends setting this device setting to No and requiring Multi-Factor Authentication using Conditional Access to register or join devices with Azure AD.
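One way to check a tenant against the recommendation in the answer above, as an added example that is not part of the original answer and is not Microsoft code. It assumes the device registration policy and the Conditional Access policies have been exported as JSON using the field names of the Microsoft Graph `deviceRegistrationPolicy` and `conditionalAccessPolicy` resources; the function names and sample data are hypothetical and constructed for illustration.

```python
import json

REGISTER_DEVICE = "urn:user:registerdevice"  # CA user action: register or join devices

def mfa_policies_for_device_registration(ca_policies):
    """Split CA policies that require MFA for device registration into
    (enforced, report_only) lists of display names."""
    enforced, report_only = [], []
    for p in ca_policies:
        apps = (p.get("conditions") or {}).get("applications") or {}
        grant = p.get("grantControls") or {}
        controls = grant.get("builtInControls") or []
        if REGISTER_DEVICE not in (apps.get("includeUserActions") or []):
            continue  # e.g. an "all cloud apps" policy does not cover this action
        # With operator OR and several controls, MFA is only one option.
        if "mfa" not in controls or (grant.get("operator") == "OR" and len(controls) > 1):
            continue
        if p.get("state") == "enabled":
            enforced.append(p.get("displayName"))
        elif p.get("state") == "enabledForReportingButNotEnforced":
            report_only.append(p.get("displayName"))
    return enforced, report_only

def audit(device_policy, ca_policies):
    """Return findings against the recommendation in the answer above:
    device setting = No, MFA enforced through Conditional Access."""
    enforced, report_only = mfa_policies_for_device_registration(ca_policies)
    findings = []
    if device_policy.get("multiFactorAuthConfiguration") == "required":
        findings.append("device-setting-is-yes")
    if not enforced:
        findings.append("no-enforced-ca-policy")
        if report_only:
            findings.append("ca-policy-is-report-only")
    return findings

# Constructed sample exports (not real tenant data).
SAMPLE_DEVICE_POLICY = json.loads('{"multiFactorAuthConfiguration": "required"}')
SAMPLE_CA_POLICIES = json.loads("""[
  {"displayName": "MFA for all apps", "state": "enabled",
   "conditions": {"applications": {"includeApplications": ["All"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"displayName": "MFA to join devices", "state": "enabledForReportingButNotEnforced",
   "conditions": {"applications": {"includeUserActions": ["urn:user:registerdevice"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]""")

if __name__ == "__main__":
    print(audit(SAMPLE_DEVICE_POLICY, SAMPLE_CA_POLICIES))
```

An empty result means the device setting is No and at least one enabled Conditional Access policy requires MFA for the register-or-join-devices user action.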