How to write an AWS IAM policy to enforce MFA without enabling AWS cli MFA

Question

I am trying to find the best way to go about writing an AWS policy such that users are required to use MFA for console access, but they aren\'t required to use MFA for cli acces