I am the Global Admin for an Azure tenant on the free tier (tied to a Microsoft 365 E1 nonprofit account). Following the automatic rollout of Security Defaults, I have one user who did not set up a MFA method in time, and is now being prompted to enter codes he does not have.