I think there is a known bug:
An issue has been identified with Hybrid Azure AD joined devices that have enabled multi-factor authentication (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription. Or it drops off when getting renewed after 30 days.
-us/windows/deployment/windows-10-subscription-activation