Expired means their invite expired. Remove them, re-add, and make sure they check their spam for the invitation if they don’t see it in their inbox. You have no control over their MFA.
I think the Auth0 management dashboard user model confuses people (I hope I get this right): It is similar to the github or heroku models where you can invite anyone (any other github or heroku user) to your tenant (or your app) and you can revoke their access to your tenant, but you do not control their own Auth0 user account. E.g., someone can invite me (github user dmark) to work on their github project, and they can remove me from the project, but they have no control over my github account (including the MFA on my account). Auth0 is set up the same way.
Users within your tenant are completely separate from a tenant’s management dashboard users, though they can use the same authentication method: e.g. I can log in to auth0 using my github creds, create a tenant, and then configure that tenant so I can log into an Auth0 enabled app also using those same github creds.
Bit of a wall of text there but I’m mentioning it because you cannot delete an “Auth0 user” … you can only invite them to and revoke their access to your tenant.