Note on these settings, I have 3 users in the CA Exchange Online Mobile group. Rest of my users are in the NO CA group and that group is set to Except. I do this to ensure that nothing is enforced globally to all users. The 3 users in the first group have not had Azure MFA Enabled or Enforced but is set to Disabled.
This is what the user will see now.
He will see the normal login but be required to enter a second factor. If he navigates to outlook og Onedrive there will be no such requirement.