Hello!
We are hosting our entire business in Azure, and we are working on replacing the login functionality from a basic self-hosted username/password solution to Azure AD. To not mix our company users with our customers, we have created a brand new tenant where we keep all our customer accounts. Our customers are mostly nurses and medics, who spends most of their day taking care of people. Most of them have little to no relationship to Microsoft or computers/phones during their workday. 

We have a smartphone app and a web GUI that users can login to. To not confuse our users, we try to just give them their login, and for now just ignore the fact that the login prompts a Microsoft login. And so we have come to the stage where we are looking at Company Branding, which requires something higher than the Azure AD Free that we use now.  The sole purpose of creating a Microsoft account to our user is so they can login to our solutions, and not to take advantage of any other Azure functionality. 

In our main tenant, where all users have Office, I have noticed that we can create new users without any license, who can take advantage of the Company Branding. How does this stuff actually work? And how is it supposed to work? Do we enable Company Branding simply by having 1 user with a high enough license? Are we bending the rules by having 1 licensed user and 100 free users?

The only cool tool (currently) that would be nice to offer our customers is the MFA login. I can see that on the "free" user I created in our main tenant, I can process the MFA setup steps. Is this allowed? Theoretically speaking, had I given this account to a customer, the customer could have done this him- or herself too, without my knowledge (which is possibly bad configurations on our Azure tenant's end).

Any help or feedback to my confusion is greatly appreciated!