Thanks for this anonymous user-msft.
It's definitely not behaving as you say it should in #1.
Also, we were not using MFA before enabling Security Defaults, so I don't think it's related to previous user MFA settings in our case.
I was able to pull the user MFA settings using powershell MSOnline / Get-MsolUser. (I don't think the Get-MgUserAuthenticationPhoneMethod cmdlet can be used with Azure AD?).
Get-MsolUser -All | Select UserPrincipalName, DisplayName, @{n="Status"; e={$_.StrongAuthenticationRequirements.State}}, @{n="Methods"; e={($_.StrongAuthenticationMethods).MethodType}}, @{n="Chosen Method"; e={($_.StrongAuthenticationMethods).IsDefault}} | Out-GridView
All users except two have authentication methods = {PhoneAppOTP, PhoneAppNotification} i.e. the authenticator app, as expected.
Of the other users, one has {OneWaySMS, TwoWayVoiceMobile} and the other has {OneWaySMS, TwoWayVoiceMobile, PhoneAppOTP, PhoneAppNotification}. I thought that the Security Defaults only support MFA using the authentication app - not SMS or voice. You can only choose the authentication app methods when registering MFA. So it's strange that these two users have SMS and voice authentication enabled and even stranger that one user doesn't have the authentication app methods enabled. This seems a bit of a mess!! However this is separate from my original issue... several users with {PhoneAppOTP, PhoneAppNotification} are not being prompted for MFA.
Thanks for raising this with the Azure AD team. I'll raise a support ticket about this as well.
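Added example (not from the poster above or from Microsoft): a small PowerShell audit that builds on the same Get-MsolUser properties the post uses (StrongAuthenticationMethods.MethodType / IsDefault and StrongAuthenticationRequirements.State) and sorts every user into a category, so the two odd cases described above (SMS/voice registered, or no Authenticator app methods at all) fall out of a filter instead of being spotted by eye in Out-GridView. It assumes the MSOnline module is installed and Connect-MsolService has already been run; Get-MfaAudit and Get-MfaMethodCategory are hypothetical helper names, not MSOnline cmdlets, and the sample user objects at the bottom are constructed so the script can be exercised offline.

```powershell
# Added example, not code from the original thread.
# Assumes: MSOnline module installed, Connect-MsolService already run for the live path.
# Get-MfaAudit / Get-MfaMethodCategory are hypothetical helper names.

# Method types as reported by Get-MsolUser; Security Defaults registration
# is expected to produce only the two PhoneApp* (Authenticator app) entries.
$AppMethods   = @('PhoneAppOTP', 'PhoneAppNotification')
$PhoneMethods = @('OneWaySMS', 'TwoWayVoiceMobile', 'TwoWayVoiceOffice')

function Get-MfaMethodCategory {
    param([string[]]$Methods)
    if (-not $Methods -or $Methods.Count -eq 0) { return 'NotRegistered' }
    $hasApp   = @($Methods | Where-Object { $AppMethods   -contains $_ }).Count -gt 0
    $hasPhone = @($Methods | Where-Object { $PhoneMethods -contains $_ }).Count -gt 0
    if ($hasApp -and -not $hasPhone) { return 'AppOnly' }       # what Security Defaults should give
    if ($hasApp -and $hasPhone)      { return 'AppPlusPhone' }  # app present, but SMS/voice too
    if ($hasPhone)                   { return 'PhoneOnly' }     # no Authenticator app at all
    return 'Other'
}

function Get-MfaAudit {
    param([Parameter(Mandatory)] [object[]]$Users)
    foreach ($u in $Users) {
        # Flatten the registered methods and pick the one flagged as default.
        $methods = @($u.StrongAuthenticationMethods | ForEach-Object { $_.MethodType })
        $default = ($u.StrongAuthenticationMethods | Where-Object { $_.IsDefault }).MethodType
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            # Per-user (legacy) MFA state; typically empty when only Security Defaults is in use.
            State             = ($u.StrongAuthenticationRequirements | Select-Object -First 1).State
            Methods           = ($methods -join ',')
            DefaultMethod     = $default
            Category          = Get-MfaMethodCategory -Methods $methods
        }
    }
}

# Live tenant run (uncomment after Connect-MsolService):
# $report = Get-MfaAudit -Users (Get-MsolUser -All)

# Constructed sample objects mirroring the shape of Get-MsolUser output
# (example.com addresses, not real tenant data) so the script runs offline.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'a@example.com'; StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods = @(
            [pscustomobject]@{ MethodType = 'PhoneAppOTP';          IsDefault = $false },
            [pscustomobject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true }) },
    [pscustomobject]@{ UserPrincipalName = 'b@example.com'; StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods = @(
            [pscustomobject]@{ MethodType = 'OneWaySMS';         IsDefault = $true },
            [pscustomobject]@{ MethodType = 'TwoWayVoiceMobile'; IsDefault = $false }) },
    [pscustomobject]@{ UserPrincipalName = 'c@example.com'; StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods = @() }
)

$report = Get-MfaAudit -Users $sample
$report | Format-Table -AutoSize

# Users that deviate from the app-only registration Security Defaults is expected to produce.
$report | Where-Object { $_.Category -ne 'AppOnly' } | Format-Table -AutoSize
```

With the sample data, a@example.com lands in AppOnly, b@example.com in PhoneOnly and c@example.com in NotRegistered; on a live tenant the last filter is the list to hand to support alongside the "not being prompted" users, since it separates users who never completed registration from users who registered methods the defaults should not have offered.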