If you are under the scope of a given CA policy, MFA requirement is always enforced. If they havent completed the registration process yet, they will get prompted to do that first. It's a package deal.
If you want to separate those two, you'll have to use the good old MFA portal configuration (https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx?BrandContextID=O365)