by bayindirh 484 days ago
Two reasons:

1. You shouldn't be reusing your password anywhere else anyway.

2. Microsoft corporate 2FA doesn't give you three choices, but wants you to enter the number from your keypad, unlike consumer 2FA, preventing flooding attacks and trusting that you'll tap the right one accidentally.


1. In my scenario it is your corp admin reusing password across apps. See sibling comment on SSO tax response.

2. Yes, I know how the MS 2FA flow works. But why doesn't it have you enter the number on the device first and type the password second? Seems like it would give users a better way of knowing the login request is legit?

Database query is cheaper than multiple network calls and maybe even a database write?

If I send the password they need to hash then compare. Only then do they need to generate some form of random number - write to some store - send a notification to the user's device - query the store from the user's device - likely again hash and compare - send a notification to the endpoint signing in. To do that for millions / billions of users seems like it would be expensive compared to a hash + DB lookup.