I use a basic OTP password instead of Microsoft's ironically less secure (see SMS as 2FA) with my work MS account. Perhaps your org disabled it but it is definitely something a Microsoft account can do.