You’ll want to look into using a Post-Login Action. Essentially, you will disable MFA for your tenant, and then, using an Action, enable it for any users, apps, etc. you want to use MFA. The details are outlined in the following FAQ:
My requirement is that the authenticator will be on for every user the first time, but after login the user will be able to turn the authenticator on/off for his profile.
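One way to combine the two posts above in a Post-Login Action, as an added example that is not part of either post and not Auth0's own code: MFA is on by default and at first login, and is skipped only for an enrolled user with an explicit opt-out. Assumptions: the tenant-level MFA policy is disabled as the first post describes, `mfa_opt_out` is a hypothetical `app_metadata` key written only by your backend after the user passes a fresh MFA challenge, and turning MFA off leaves the user's enrollment in place.

```javascript
// Added example: Auth0 Post-Login Action with a per-user MFA toggle.
// Assumption: app_metadata.mfa_opt_out is a hypothetical flag set server-side
// (Management API) after a fresh MFA challenge. user_metadata is avoided
// because it is commonly exposed to user-editable profile forms.

function shouldRequireMfa(event) {
  const user = event.user || {};
  const appMeta = user.app_metadata || {};
  const enrolled = (user.multifactor || []).length > 0;

  // No factor enrolled yet: always prompt, so every user enrolls the first
  // time even if the opt-out flag was somehow set before enrollment.
  if (!enrolled) return true;

  // Enrolled: fail closed. Only the exact boolean true disables the prompt,
  // so a missing flag or a string like "true" keeps MFA on.
  return appMeta.mfa_opt_out !== true;
}

async function onExecutePostLogin(event, api) {
  if (shouldRequireMfa(event)) {
    // 'any' lets the user satisfy the prompt with any factor enabled on the tenant.
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
}

// Auth0 loads the handler from exports; the guard keeps the file loadable elsewhere.
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

Because the opt-out weakens the account, log each change to the flag on the backend so that a toggle made from a hijacked session is visible afterwards.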