How can I enforce MFA before switching roles and using SSM login in AWS?

Description:

I need to enforce Multi-Factor Authentication (MFA) as a prerequisite for two actions in AWS:

Switching roles: I want users to authenticate with MFA before they can assume a different IAM role. SSM login: I need to enforce MFA for users before they can use AWS Systems Manager (SSM) to log in to EC2 instances. I know that MFA can be enabled for IAM users, but I’m struggling to enforce it for these specific actions.

Has anyone implemented this setup or have suggestions on how to enforce MFA during these workflows? Any examples of IAM policies or configurations would be greatly appreciated!