by not_enoch_wise 1357 days ago
This is the answer to the question “why can’t we get rid of passwords?”

Nah. Azure AD is one of the few IdPs that already supports FIDO2 Discoverable Credentials. You can use Passkeys with it today. You can go passwordless with it today.
Unfortunately, unless this changed too recently for me to know about it, that feature is default off and labelled "Experimental" or something.

So it's difficult (ask me how I know) for someone who knows way too much about this stuff and has implemented it themselves to explain to "leadership" why they should change that default.

I don't know the details except that we've been using it since early this year. The docs don't make it seem like there's anything particularly complicated with enabling it[0][1].

[0]: https://learn.microsoft.com/en-us/azure/active-directory/aut... [1]: https://learn.microsoft.com/en-us/azure/active-directory/aut...

It isn't complicated; it's just one push button, but it isn't the default, and so you're going to need to persuade somebody they should turn it on.
I'm not sure I really follow. In an enterprise setting, giving people the option to opt into FIDO is fine and good, but it isn't going to meaningfully help lower the risk of phishing for the organization as a whole. To address phishing, organizations need to mandate FIDO and disable all the weaker forms of authn. That means you're still going to have to convince your leadership to buy into the change anyway. You'll also need a decent-sized communication and training campaign to move everyone over to the FIDO auth flow.

The technology is the easy part of rolling out FIDO in the enterprise. The hard part is all the people stuff. (Although this too is getting easier, since a lot of orgs can now roll out FIDO with existing hardware via platform authenticators.)

Or you could do the opposite and be like the company I work for. Force everyone to enter an RSA token on every SSO login.
Unless your company is in a high-risk security-sensitive business, they shouldn't. Most companies can accept the low risk of only requiring a second factor sometimes. Usually time-based, but also looking at location and device fingerprint. For example, if you normally log in from your laptop at work in one state and then it sees you trying to log in from a computer in another state (maybe you're visiting family?) it should definitely challenge you.
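The two policy positions in this thread, a FIDO mandate that disables the weaker methods outright versus an opt-in world where a second factor is demanded only on a risk signal (time since last MFA, unfamiliar location, unfamiliar device fingerprint), as an added Python example. This is illustration written for this page, not code from Azure AD, RSA or any other product; the event fields, the method names, the 12-hour re-auth window and the sample sign-ins are all assumptions chosen for the example.

```python
"""Toy sign-in policy evaluator: FIDO mandate vs. risk-based step-up.

Added illustration only; not code from any identity provider. Field names,
method names and thresholds are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Methods treated as phishing-resistant (assumption). Everything else is a
# "weaker form of authn" that a FIDO mandate would disable.
PHISHING_RESISTANT = frozenset({"fido2"})


@dataclass(frozen=True)
class SignIn:
    user: str
    at: datetime
    state: str      # coarse location signal, e.g. a US state
    device: str     # device id / fingerprint
    method: str     # "fido2", "password+totp", "password", ...
    mfa_done: bool  # whether a second factor was completed for this sign-in


@dataclass(frozen=True)
class Policy:
    mandate_fido: bool
    reauth_window: timedelta = timedelta(hours=12)  # assumption


def decide(policy: Policy, history: list[SignIn], attempt: SignIn) -> str:
    """Return 'allow', 'challenge' or 'deny' for one sign-in attempt.

    history holds the user's previous successful sign-ins, oldest first.
    """
    if attempt.method in PHISHING_RESISTANT:
        # Already phishing-resistant: an extra factor buys nothing here.
        return "allow"
    if policy.mandate_fido:
        # A mandate means the weaker methods are not an option at all.
        return "deny"

    # Opt-in world: risk-based second factor on time, location and device.
    prior = [h for h in history if h.user == attempt.user]
    if not prior:
        return "challenge"  # never seen this user: always ask for MFA
    if attempt.device not in {h.device for h in prior}:
        return "challenge"  # new device fingerprint
    if attempt.state not in {h.state for h in prior}:
        return "challenge"  # signing in from somewhere new
    last_mfa = max((h.at for h in prior if h.mfa_done), default=None)
    if last_mfa is None or attempt.at - last_mfa > policy.reauth_window:
        return "challenge"  # time-based re-prompt
    return "allow"


# Constructed sample data: alice's earlier successful sign-ins.
T0 = datetime(2023, 3, 1, 9, 0, tzinfo=timezone.utc)
HISTORY = [
    SignIn("alice", T0, "WA", "laptop-7f3a", "password+totp", True),
    SignIn("alice", T0 + timedelta(hours=3), "WA", "laptop-7f3a", "password", False),
]


def demo() -> dict[str, str]:
    """Run the same attempts under both policies; returns decision per case."""
    optin, mandate = Policy(mandate_fido=False), Policy(mandate_fido=True)
    later = T0 + timedelta(hours=5)
    same = SignIn("alice", later, "WA", "laptop-7f3a", "password", False)
    travel = SignIn("alice", later, "OR", "laptop-7f3a", "password", False)
    new_dev = SignIn("alice", later, "WA", "phone-9c01", "password", False)
    stale = SignIn("alice", T0 + timedelta(hours=20), "WA", "laptop-7f3a", "password", False)
    key = SignIn("alice", later, "OR", "phone-9c01", "fido2", True)
    return {
        "optin/same": decide(optin, HISTORY, same),
        "optin/travel": decide(optin, HISTORY, travel),
        "optin/new_device": decide(optin, HISTORY, new_dev),
        "optin/stale": decide(optin, HISTORY, stale),
        "optin/fido2": decide(optin, HISTORY, key),
        "mandate/password": decide(mandate, HISTORY, same),
        "mandate/fido2": decide(mandate, HISTORY, key),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18} -> {verdict}")
```

The point the two comments make shows up in the results: under the opt-in policy a password sign-in from the usual laptop in the usual state within the window is allowed, while a new state, a new device or a stale MFA triggers a challenge; under the mandate the same password sign-in is simply denied, and a FIDO2 sign-in is allowed under either policy without a step-up.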
It doesn't have to be that manual; a YubiKey etc. can just plug and press.
The company I work for has around 250k employees. I'm sure software RSA is going to be drastically less expensive than a YubiKey.

The people making the policies don't care at all. They are just dotting i's and crossing t's.