Hello @Fernanado, Please let me know if my understanding is correct. You want to create a CA policy which only applies to newly created users, where users are forced to complete MFA.
To answer your question, you can create a CA policy which will force users to complete MFA registration, and the next time they sign in, users have to perform MFA.
Here are the steps below. You can bind the users in a new group through a dynamic rule, then create a CA policy and apply it to this group.
The following steps help create a Conditional Access policy to require all users to do multifactor authentication.
- Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
- Browse to Protection > Conditional Access.
- Select Create new policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
- Under Assignments, select Users or workload identities.
- Under Include, select All users.
- Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
- Under Target resources > Cloud apps > Include, select All cloud apps.
- Under Exclude, select any applications that don't require multifactor authentication.
- Under Access controls > Grant, select Grant access, Require multifactor authentication, and select Select.
- Confirm your settings and set Enable policy to Report-only.
- Select Create to create and enable your policy.
After administrators confirm the settings using report-only mode, they can move the Enable policy toggle from Report-only to On.
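Added example, not part of the original answer: the same policy expressed as a Microsoft Graph `conditionalAccessPolicy` request body, with a pre-flight check for the two settings that most often cause lockouts (no break-glass exclusion, enforcement without a report-only phase). The function names, policy name and object IDs are constructed placeholders; sending the body to the endpoint shown requires a token with the `Policy.ReadWrite.ConditionalAccess` permission.

```python
import json

# Graph v1.0 endpoint that accepts the body built below via POST.
GRAPH_ENDPOINT = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_mfa_policy(name, break_glass_ids, excluded_app_ids=(), target_group_id=None):
    """Build the policy from the portal steps, always in report-only state."""
    users = {"excludeUsers": list(break_glass_ids)}
    if target_group_id:
        # Scope to one group, e.g. a dynamic group of new users.
        users["includeGroups"] = [target_group_id]
    else:
        users["includeUsers"] = ["All"]
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",  # Report-only
        "conditions": {
            "clientAppTypes": ["all"],
            "users": users,
            "applications": {
                "includeApplications": ["All"],
                "excludeApplications": list(excluded_app_ids),
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def preflight(policy):
    """Return a list of problems to fix before the policy is sent or switched On."""
    problems = []
    users = policy["conditions"]["users"]
    if not users.get("excludeUsers") and not users.get("excludeGroups"):
        problems.append("no emergency access (break-glass) exclusion")
    if policy["state"] == "enabled":
        problems.append("policy enforced without a report-only phase")
    if "mfa" not in policy["grantControls"]["builtInControls"]:
        problems.append("grant control does not require MFA")
    return problems


if __name__ == "__main__":
    # Constructed placeholder object ID for an emergency access account.
    policy = build_mfa_policy("Require MFA for all users",
                              ["00000000-0000-0000-0000-000000000001"])
    print(preflight(policy) or "preflight ok")
    print(json.dumps(policy, indent=2))
```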