I have been testing Conditional Access rules and MFA registration, and it struck me that there is a window in which an external party (from an untrusted location, or a person who is not the intended user) could complete MFA registration before the end user does.
To close this window we can create a Conditional Access rule that blocks the user action "Register security information" everywhere except the trusted corporate network.
In short: BEFORE a user can use Microsoft 365/Azure externally they must register for MFA from a trusted location. If they try to register from an external location they are blocked.
Create a Conditional Access rule for All Users
For Cloud Apps or actions choose: User Actions > Register security information
Conditions: Location, Include:All and Exclude: Corporate Sites
Grant: Block Access
You could even allow MFA registration from compliant devices and/or Hybrid Azure AD Joined devices by excluding those devices from the policy.
Now when a user who has not yet registered for MFA tries to log on from outside a trusted location, they cannot complete MFA registration or log on.
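The same policy can be created through the Microsoft Graph PowerShell SDK rather than the portal, which makes it repeatable across tenants and easy to review in version control. The script below is an added example and is not part of the original post; it assumes the Microsoft.Graph module is installed, that a named location called "Corporate Sites" already exists in the tenant, and that the account used has the Policy.ReadWrite.ConditionalAccess permission. It creates the policy in report-only mode first so sign-in logs can be checked for unintended lockouts before enforcement; switching `state` to `enabled` turns it on.

```powershell
# Added example (not from the original post): create the "block MFA registration
# outside the corporate network" Conditional Access policy via Microsoft Graph.
# Assumptions: Microsoft.Graph module installed; a named location "Corporate Sites"
# exists; the caller has Policy.ReadWrite.ConditionalAccess.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Resolve the trusted named location by display name (assumed to exist).
$corpSites = Get-MgIdentityConditionalAccessNamedLocation |
    Where-Object { $_.DisplayName -eq "Corporate Sites" }
if (-not $corpSites) {
    throw "Named location 'Corporate Sites' not found; create it before running this script."
}

$policy = @{
    displayName = "Block MFA registration outside corporate network"
    # Report-only first: review the sign-in log for users who WOULD be blocked,
    # then change this to "enabled" once the trusted locations are confirmed.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            # Keep at least one break-glass account out of every block policy.
            excludeUsers = @("<break-glass-account-object-id>")   # placeholder
        }
        applications = @{
            # The "Register security information" user action.
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($corpSites.Id)
        }
        # Optional, matches the post's suggestion: exclude compliant and
        # Hybrid Azure AD Joined devices so they can still register remotely.
        devices      = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
            }
        }
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.DisplayName) with id $($created.Id) in state $($created.State)"
```

Before enforcing, filter the Azure AD sign-in logs on the policy's report-only result to confirm that only registrations from outside "Corporate Sites" would have been blocked, and verify that the excluded break-glass account is not subject to the policy.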