One user request was to STOP the "windows hello" PIN requirement, and just have a password (+ MFA) for login. Does anyone know how to do this with either standard Office 365 subscriptions, or office 365 + Intune or similar? Would love not to have to do Azure AD outside of the office subscriptions. Microsoft has a fair number of SKU's these days that kind of overlap (and get renamed).

From the Endpoint Manager (endpoint.microsoft.com) hit "Devices" and then "Windows Enrollment". Click "Windows Hello for Business", and click "Disabled".