Azure AD Conditional Access – Require MFA, but don’t allow new MFA setup from non-trusted IP?

I have been asked to configure Azure AD Conditional Access so that MFA is required when a user logs in from outside of our corporate LAN.

I have configured this via a trusted location condition and it all works fine. However, if a user signs in from a non-trusted location and they have not previously set up MFA, they are prompted to set it up and can obviously supply any phone number for SMS auth, or configure the mobile app.

This seems like a security risk to me, because obviously an attacker who had obtained a valid password would still be able to log in, provided that the user had not previously configured MFA.

Is there any way to avoid this risk? For example, is there a setting to only allow MFA to be configured when the user logs in from a Trusted Location? I’ve had a look through the docs but can’t find anything.
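The policy described in the question, expressed as Conditional Access policy objects created through the Microsoft Graph PowerShell SDK, is shown below as an added example; it is not code from the original post. The first policy is the one the question already has (require MFA from any location except locations marked trusted). The second goes beyond what the question configures: it targets the "Register security information" user action (`urn:user:registersecurityinfo`) instead of a cloud app and blocks it outside trusted locations, which is the control the question is looking for. Assumptions: the corporate ranges are already defined as named locations flagged as trusted, the `Microsoft.Graph.Identity.SignIns` module is installed, the signed-in account holds `Policy.ReadWrite.ConditionalAccess`, and `<break-glass-account-object-id>` is a placeholder for an emergency-access account you exclude from both policies.

```powershell
# Added example (not from the original post): two Conditional Access policies via the
# Microsoft Graph PowerShell SDK. Assumes trusted named locations already exist and that
# <break-glass-account-object-id> is replaced with a real emergency-access account ID.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Policy 1: the policy the question describes. MFA for all users and all cloud apps,
# from any location except those marked as trusted.
$mfaPolicy = @{
    displayName   = "Require MFA outside trusted locations"
    # Start in report-only mode; switch to "enabled" after reviewing sign-in logs.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @("<break-glass-account-object-id>")   # placeholder
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # every named location flagged as trusted
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# Policy 2: closes the gap the question describes. Instead of a cloud app, the target is
# the "Register security information" user action, and it is blocked from any location
# except trusted ones. A password-only attacker off the corporate network therefore
# cannot enrol their own phone or authenticator app on behalf of an unregistered user.
$registrationPolicy = @{
    displayName   = "Block MFA registration outside trusted locations"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @("<break-glass-account-object-id>")   # placeholder
        }
        applications = @{ includeUserActions = @("urn:user:registersecurityinfo") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $registrationPolicy
```

Both policies are created in report-only mode so their effect can be checked in the sign-in logs before enforcement. The caveat that matters in practice: once the second policy is enforced, a user who has never registered MFA and never signs in from a trusted location has no way to register at all, so onboarding for remote staff needs a separate, deliberate path rather than being left to the first untrusted sign-in.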

