The current flow is that whenever a new user is onboarded, IT sets up the computer in advance and signs in as the user to create the profile on the PC, including Office activation, the Outlook profile and OneDrive for Business. Then the new user just logs in and everything is ready to go.
Once we turned on Security Defaults, MFA needs to be set up for the first time. IT probably should not be the one to do it. Can we turn MFA off for individual users for this purpose? Or is it better to leave it to the new users?
You cannot toggle it for specific users once you switch Security defaults on. If you need such granularity, go with the Conditional Access policies approach (assuming you have the necessary licenses).
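A sketch of the Conditional Access approach mentioned in the answer above, added here as an example and not part of the original reply: a Microsoft Graph PowerShell policy that requires MFA for all users except one group. The group, its placeholder object ID and the policy name are assumptions made for illustration.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell module and
# licenses that include Conditional Access.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Hypothetical security group for accounts IT is still provisioning.
# Placeholder object ID: replace with the real group's ID.
$onboardingGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'Require MFA - all users except onboarding group'
    # Report-only: sign-in logs show what the policy would do,
    # but nothing is enforced until state is set to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers  = @('All')
            # Members of this group are not prompted for MFA by this policy.
            excludeGroups = @($onboardingGroupId)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Security defaults has to be turned off before a Conditional Access policy can be enforced, and the exclusion only stays narrow if each account is removed from the group as soon as its setup is finished.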