Symantec VIP temporary security codes with tokens are deleted when the credential is assigned to a new user

Article ID: 385043


Products

VIP Service

Issue/Introduction

A multi-user credential has a temporary security code generated for it, but when that credential is assigned to a new user, the temporary security code disappears.

Cause

A temporary, multi-use code with an extended time of validity is a security threat that essentially bypasses 2FA. If that code were compromised by a malicious actor, it would give them unlimited access until the temporary code expires.

Limiting the code to a known entity (account/credential) at the time it is generated allows an administrator to determine its usage and evaluate the cost/risk. But if a malicious actor got hold of the code and could then register it to any other user account, that would bypass the administrator's discretion and set up an unknown threat.

Resolution

This is working as designed. Allowing a temporary code assigned to a credential to transfer to other users would open a security hole. Administrators need to be aware of this limitation so they can administer credentials and temporary codes accordingly.
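
The binding described under Cause and Resolution can be modelled as follows. This is an added illustration, not Symantec VIP code: the `TempCodeStore` class, its method names, the 6-digit code format and the sample identifiers are all assumptions made for the example.

```python
import hashlib, hmac, secrets, time

class TempCodeStore:
    """Hypothetical model: a multi-use temporary code is bound to the
    credential AND the user who holds it when the code is generated."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._owner = {}  # credential_id -> user_id
        self._codes = {}  # credential_id -> (user_id, code digest, expires_at)

    def assign(self, credential_id, user_id):
        # Assigning the credential to a different user deletes its code.
        if self._owner.get(credential_id) != user_id:
            self._codes.pop(credential_id, None)
        self._owner[credential_id] = user_id

    def issue(self, credential_id, ttl_seconds):
        user_id = self._owner[credential_id]  # KeyError if unassigned
        code = f"{secrets.randbelow(10**6):06d}"  # 6 digits: an assumption
        digest = hashlib.sha256(code.encode()).digest()
        self._codes[credential_id] = (user_id, digest, self._clock() + ttl_seconds)
        return code

    def verify(self, credential_id, user_id, code):
        entry = self._codes.get(credential_id)
        if entry is None:
            return False
        bound_user, digest, expires_at = entry
        if self._clock() >= expires_at:
            del self._codes[credential_id]  # expired codes are purged
            return False
        if bound_user != user_id:  # code only works for the user it was issued to
            return False
        candidate = hashlib.sha256(code.encode()).digest()
        return hmac.compare_digest(digest, candidate)  # multi-use: not consumed

def demo():
    now = [1_000.0]  # constructed clock so the run is deterministic
    store = TempCodeStore(clock=lambda: now[0])
    store.assign("CRED-0001", "alice")  # constructed sample identifiers
    code = store.issue("CRED-0001", ttl_seconds=86_400)
    before = store.verify("CRED-0001", "alice", code)
    store.assign("CRED-0001", "mallory")  # credential handed to a new user
    after = store.verify("CRED-0001", "mallory", code)
    return before, after

if __name__ == "__main__":
    print(demo())
```

In this model a code issued for one user stops working the moment the credential is assigned to someone else, so an administrator who reassigns a credential has to generate a fresh temporary code for the new user.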