Exam MS-500 topic 1 question 5 discussion

Actual exam question from Microsoft's MS-500
Question #: 5
Topic #: 1

HOTSPOT -
You have a Microsoft 365 subscription that uses a default domain name of contoso.com.
The multi-factor authentication (MFA) service settings are configured as shown in the exhibit. (Click the Exhibit tab.)

In contoso.com, you create the users shown in the following table.

What is the effect of the configuration? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

Comments

Jonclark
2 years, 4 months ago
Answer is correct. User 1 was enabled for MFA but has not registered yet, so they will get prompted to set it up. User 2 is set for enforced MFA, so apps that do not support modern auth will not work until an app password is set up and used. Enabled: The user has been enrolled in Multi-Factor Authentication but has not completed the registration yet. The next time they log in with a modern auth enabled client or browser, they will be prompted to set it up. In the meantime, apps which do not support MFA will continue to allow sign-in. Enforced: The user completed the registration OR an admin manually set this status and the user will be prompted to register at next sign-on with an app that supports modern auth or a browser. The user will not be able to use apps that do not support modern auth until app passwords are created and used. NOTE: You can also enforce these through conditional access policies. A user with a "disabled" MFA status can still be required to use MFA.
upvoted 2 times
examdog
2 years, 6 months ago
User 2 must use the app password because non-browser/legacy apps do not work with MFA. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-app-passwords#allow-users-to-create-app-passwords
upvoted 1 times
Darsh3005
2 years, 9 months ago
User 2's MFA state is Enforced. Hence, Enforced: The user is enrolled per-user in Azure AD Multi-Factor Authentication. If the user hasn't yet registered authentication methods, they receive a prompt to register the next time they sign in using modern authentication (such as via a web browser). Users who complete registration while in the Enabled state are automatically moved to the Enforced state. Yes. Apps require app passwords.
upvoted 3 times
Darsh3005
2 years, 9 months ago
User 1's state is Enabled. Hence: The user is enrolled in per-user Azure AD Multi-Factor Authentication, but can still use their password for legacy authentication. If the user hasn't yet registered MFA authentication methods, they receive a prompt to register the next time they sign in using modern authentication (such as via a web browser).
upvoted 4 times
hadiwijaya
2 years, 6 months ago
I agree
upvoted 2 times