Yes you have to pay for it, and it's not cheap. It's an additional $6 US per user to protect a $4 Plan 1 mailbox. Pretty outrageous to charge for basic security.

From the Entra site, it doesn't say MFA is included: 

Microsoft Entra ID has a free edition that provides user and group management, on-premises directory synchronization, basic reports, self-service password change for cloud users, and single sign-on (SSO) across Azure, Microsoft 365, and many popular SaaS apps. The free edition is included with a subscription of a commercial online service such as Azure, Microsoft 365, Dynamics 365, Intune, or Power Platform.

I have been using a third party add-on to Acrobat to send thousands of emails via SMTP mail - this worked well until two months ago using an APP password - but then failed with no reason, attempted to fix, regenerate new APP password, checked all software updated.

only fix was to create a new email account without MFA. All other methods have failed, (as for the password well it makes an APP password look simple)

why not allow users to use extremely complex password 25 or 30 characters?

MFA is also available in Entra ID Free edition 

At this point, the old-style per-user MFA is going away, so to impose MFA on user accounts you should use conditional access policies. Use of CA requires Entra P1, so that's where the licensing requirement arises. But this requirement covers just a very small set of accounts and those (admin) accounts should be protected by MFA anyway, so the net increase is likely very small.

Am I missing something? Looking for some clarification. I understand MFA and agree it should be used to secure your accounts, however am I correct in that one will need to 'pay' for a premium license (Entra ID) just to enable MFA for your Azure account? For example, as an individual dev with a 'non-corporate' pay as you go subscription in Azure, is this going to require them to purchase a premium license just to enable MFA on 'the' azure account itself so they can log in? This is what some are being led to believe from a conversation on another 'non-Microsoft' forum. 

Does anyone know the Enterprise Application ID related to Intune as related to this change?

This updated blog gives the ID's for the Azure Portal (used by both the Azure portal and the Entra ID admin portal), Azure CLI and Azure PowerShell but does not make any mention of Intune.

The MS provided report https://aka.ms/AzMFA also only covers these 3 and not Intune.

Sometimes I feel like Copilot wrote the announcements and didn't really understand what the issue was about...

In any case, anyone reading this post should also read Microsoft's follow up post https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/update-on-mfa-requirements-for-azure-sign-in/ba-p/4177584?WT.mc_id=M365-MVP-9501 to understand the full context of the announcement. Or read my version where I attempt to boil the issue down to the 4 points mentioned a few replies ago. https://office365itpros.com/2024/08/19/azure-mfa-requirement/

For AD sync - the account you are asking about, what role(s) does that account have?

If it has global administrator, you should really think about using a different account or changing that account from global administrator to Hybrid Identity Administrator.

From the above, I would ask if an account has Hybrid Identity Administrator are they required to register for MFA.

I feel like I’ve seen information saying administrators only and/or information saying only accounts accessing the portal and CLI.

So the word administrators is kind of subjective here.

Thank you Tony for your clarifications, that's helpful and yes if an on premises account is compromised it would be bad for them to have additional roles, yet in this particular edge case there isn't even a subscription in Azure. Nevertheless I will ask my people to review it with your link!

Maybe the title of the announcement has to be adjusted? 

"Microsoft will require MFA for all Azure users****"

with

"Microsoft to enforce MFA within Azure administration tools. Regular operations unaffected."

On-premises accounts that hold Entra administrative roles are a really bad idea because they allow an attacker that compromises the on-premises environment a route into the cloud. This is especially true for accounts holding the global administrator role. Here's how to report if you do have accounts in that category https://office365itpros.com/2024/08/20/administrative-role-assignments/

But even if you have on-premises accounts with Entra roles, the question of MFA only arises if these accounts attempt to connect to the Azure sites/tools. If this happens, the accounts must be able to satisfy an MFA challenge. Synchronization doesn't come into the question. It's all about the connection.

As to Power Apps, why would accounts used to run workflows need to go anywhere near the Azure sites/tools? MFA is only required when accessing the Azure sites/tools.