Well I was thinking along these lines:
1. Admin sets a policy for "any MFA required". This could either be literally any, or a list of allowed methods like Josh-Hemphill said. The latter is probably preferred by most though.
2. Admin changes the system authentication settings to hide undesired methods. I'm not 100% sure if you can hide the default forms based auth, but a new account would use this initially regardless. The first logon would always be without MFA because A) I don't think *all* MFA methods can be pre-supplied, so you can't really require MFA at this point and B) Passwordstate doesn't even know their preference yet. After logging in Passwordstate can just set a flag in the account like "initial logon completed".
3. Admin creates an account, supplies password to the user.
4. User logs in.
5. They should now go to their account settings and set up their preferred MFA method and set it as default. This default method should probably be a required field instead of being able to leave it on "inherit system setting" (nor forms auth), that's the entire point of being able to require "any" method (we don't *know* everyone's preferences, hence the system setting will not work for some).
6. On the next logon Passwordstate will simply check their preference and direct them to the according screen.
Alternatively, at step 5 you could automatically redirect them to their account settings and display a message like "MFA is required by company policy, set it up now". Maybe you could even prevent them from leaving there until they set up at least 1 method and change their default preference.
Admins should have a way to let them recover their account if they forget to set up MFA though, perhaps a checkbox in the admin user settings like "redo initial setup on next logon". Then it will just restart at step 4.
That would still leave the choice up to the user though, so you can't really rely on that. What I mean is, as long as you can't enforce "any" MFA the user might just leave it as-is because it's more convenient. You do require user action at *some* point though, I don't see any way to prevent that. Just have to make it very clear to them to set up MFA when supplying the account, otherwise they won't be able to log in a second time.
Another benefit of being able to require "any" method is that you could use e.g. TOTP as fallback when your primary method temporarily isn't available, because with the current account policies you can only specify 1 method if I'm not mistaken. Of course this would require modifying the login process some more, since you'd need to be able to "cancel" the current method and use a different one. Of course this would be just an addition, it's not the core of the problem.
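The flow proposed in this post, sketched as a small decision function. This is an added example, not part of the original post and not Passwordstate code; the method names, the `Account` fields and every function name are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical admin policy: "any" MFA method from this allowed list.
ALLOWED_METHODS = {"totp", "duo", "yubikey"}  # constructed sample values

@dataclass
class Account:
    initial_logon_completed: bool = False     # flag set after the first logon
    enrolled: set = field(default_factory=set)
    default_method: Optional[str] = None      # None = no usable preference yet

def enroll(acct, method, make_default=True):
    """User sets up a method in account settings (step 5)."""
    if method not in ALLOWED_METHODS:
        raise ValueError("method not allowed by policy: " + method)
    acct.enrolled.add(method)
    if make_default:
        acct.default_method = method

def admin_redo_initial_setup(acct):
    """Admin checkbox 'redo initial setup on next logon' (restart at step 4)."""
    acct.initial_logon_completed = False

def next_step(acct, password_ok, primary_available=True):
    """Decide what happens after the password check."""
    if not password_ok:
        return "deny"
    # Only methods that are both enrolled and still allowed by policy count.
    usable = acct.enrolled & ALLOWED_METHODS
    if acct.default_method in usable:
        if primary_available:
            return "challenge:" + acct.default_method
        # Fallback when the primary method is temporarily unavailable.
        others = sorted(usable - {acct.default_method})
        return "challenge:" + others[0] if others else "deny"
    if not acct.initial_logon_completed:
        # First logon cannot require MFA yet: allow it once, force enrollment.
        acct.initial_logon_completed = True
        return "force_enrollment"
    # Second logon without MFA set up: blocked until an admin resets the flag.
    return "deny"
```

Removing a method from `ALLOWED_METHODS` after users have enrolled it sends those users down the deny branch until an admin resets them, which is the recovery case the post raises.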