In some organizations I've worked at, the multi-factor prompt would occur regardless of the password validity (wastes more of the attacker's time). Is that the case with Microsoft? I'm not sure.