Box 1: Yes -
Active assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges assigned to the role at all times.
Box 2: Yes -
While Multi-Factor Authentication is disabled for User2 and the setting Require Azure Multi-Factor Authentication for activation is enabled, User2 can request the role but will need to enable MFA to use the role.
Note: Eligible assignments require the member of the role to perform an action to use the role. Actions might include performing a multi-factor authentication
(MFA) check, providing a business justification, or requesting approval from designated approvers.
Box 3: No -
User3 is Group1, which is a Selected Approver Group, however, self-approval is not allowed and someone else from group is required to approve the request.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles
