"They work only after a password has been entered"
The Microsoft Authenticator app for iOS and Android supports a feature called Passwordless authentication, where a push notification can be sent as the first factor of authentication instead of the 2nd factor. This feature is not supported for 3rd party MFA providers like DUO, so the article is just letting you know you are sacrificing this cool functionality. To learn more about passwordless auth using the MSFT Authenticator app, check the article out here:https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-password...
"They don’t serve as MFA for step-up authentication in other key scenarios"
Azure AD Premium P2 has a feature called Azure Identity Protection, which can be used in a way where users only receive MFA prompts when there is a risk like anonymous proxy detection or unfamiliar sign-in properties based on behavioral history. To learn more about the risks that can be mitigated by step-up authentication, read about them here:https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protect...
So this article is stating that when you use AIP in this way, it does not support DUO as the step-up authentication. To learn more about Azure Identity Protection policies, check out this article here:https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protectio...
"They don’t integrate with end user or administrative credential management functions"
Azure AD Premium P2 has a feature called Azure Privileged Identity Management. This feature does not support 3rd party MFA providers like DUO.
PIM is a 'just-in-time' solution that protects users who are members of Azure and O365 privileged roles such as Global Admin. The concept is the user will be a standard user, and when and only when they need to perform a privileged task, they go to the PIM website and activate their privileged role through an MFA prompt using the Microsoft Authenticator app. Then they will have the advanced role for a period of time (which you can customize, example: 1 hour or 8 hours).
There is also another feature that will not work that the documentation neglects to mention, which is Office 365 ATP Plan 2 Attack Simulator, which requires using the Microsoft MFA App.
If you found this helpful, please reward my time by marking this as the best answer.