I use conditional access to trigger MFA for our Office 365 applications. I need some help with dealing this situation. Some users for some reason are unable to use their registered MFA method due to relocation\lost phone and etc. If I want them to add a new verification method, I thought I can disable MFA for their account by removing them from the conditional access rule and allow them to access the MFA registration portal. What I see is user indeed doesn't need to verify with MFA when access the applications, however, they are still being prompted for MFA when they try to access the MFA area. So this is kind of catch 22. I know I can require them to re-register MFA from the AAD portal. I wonder if this is only way to do that. Users will need to register all their MFA methods rather than just adding a new one.