No, OP is completely correct. It’s all down to how the company configures their MFA, but MS MFA will definitely show you a two-digit number on the system you initiated the auth on, and force you to type that on your Authenticator app.

I work with a vendor that has this setup and do this every day when accessing their systems.

Thankfully my own company doesn’t have the type a number stuff turned on.

It’s only bad practice if you don’t keep up on vulnerabilities/patching, don’t have any type of monitoring or ability to detect a potential breach, etc.

The nice thing about tucking everything behind a VPN is you only have one attack surface to really worry about.