MFA accounts greyed out on new devices

Question

We just started to hand out new devices to our organization.
Our admins have enabled MFA auth in Azure AD but I suspect this is not the correct way to do this.

Devices are controlled/configured through Intune.

When devices are started up, and you open MS Authenticator app, we see one or two grayed out accounts labeled Azure AD.

These entries cannot be used to do anything.

HOWEVER, the admins claim that users do something wrong, that the MFA tokens should automatically sync or get enabled.

The only way to activate them, what I've gathered, is to log on to portal.office.com or other site where you can access your MS account and from there activate your Authenticator app.

Help me get correct instructions to our admins so this is working from start, or is my way on "activating" the grayed out accounts the actual way to do things (admins claim NO, it should just work)

Answer 1

I'd say all.

Just as you said, they are not active.
If you go to account settings for your company/Microsoft account you can activate at least one of the accounts though, then the greyed out is "white" and it's working as intended.

HOWEVER, our admins claim that the accounts SHOULD be white (and working, activated) from the beginning and they REFUSE to hear anything else, "it's the user").

I think, that they think, that they have set it up so all new devices get an active, working, MFA app from the start when they get their new company phone. This is what I'm trying to understand, is this even possible? Since it's not working as THEY intend, can it even be done or is it just working as (Microsoft) intended, that each device needs to be manually activated first?