I have submitted them to MS, and added the "[email protected]" address to the safe senders list, but this is not best practices. If that email is spoofed, basically anything can get in, and spoofing that email seems like it could be a pretty high value target.
A search of the forums has some other examples of users not getting invite or confirmation emails as well.
We had to get our admin to manually release the emails from quarantine and then we changed over to a different 2FA method for about 4 months. When we came back to the email method in June of this year, the emails were no longer being quarantined and we could use it again.