If you are using CA policies for MFA, the "status" fields you report on via the MSOL cmdlets will not get updated, that's the expected behavior. You can use the Graph API endpoints to report on which users have "registered" their methods: https://video2.skills-academy.com/en-us/graph/api/reportroot-list-credentialuserregistrationdetails?view=graph-rest-beta&tabs=http
Other than that, educate your auditors about CA policies and such...