@EnterpriseArchitect If I understand correctly, you want to enable hybrid users (synced from on-premises AD) to enroll for MFA via the Authenticator app. To achieve this, refer to the steps mentioned here: https://video2.skills-academy.com/en-us/entra/identity/authentication/howto-authentication-passwordless-phone#:~:text=the%20passwordless%20method.-,Enable%20passwordless%20phone%20sign%2Din%20authentication%20methods,-Tip
Let me know if you have any further questions in achieving your requirement or feel free to post back.
Please remember to "Accept Answer" if the answer helped, so that others in the community facing similar issues can easily find the solution.