The Azure AD document says that when you are joining any device OR registering any personal device with Azure-AD and if you want the user to undergo multi-factor authentication, you should you use CONDITIONAL ACCESS POLICY.
You should not go to device --> settings blade and turn on MFA
So CA-policy is the route to turn on MFA, what is that CLOUD-RESOURCE to configure CA-policy for device-registration.
Thanks.

