In the meantime AWS itself has provided a tutorial on how to force Users to use a MFA device while still enabling them to manage a MFA device on their own. This is quite similar to the updated answer from Steffen, but differs in the details.

It works by

1. Creating a IAM Policy based on this official AWS template which basically forbids everything except IAM operations without an active MFA Login
2. Assign the Policy to you relevant IAM users – or better – IAM Groups.
3. After you created IAM users and passed them their initial credentials, the users will receive a You are not authorized to perform this operation. on all operations except on accessing the IAM security console.
4. After registering a MFA device, logging out and then again in with their new MFA token they will be able to operate everything as expected.

Update

You can enforce your requirement with an IAM Policy based on an IAM condition that specifies the aws:MultiFactorAuthAge key as outlined in section IAM Policies with MFA Conditions within Configuring MFA-Protected API Access - you can enforce this at two levels:

• Existence — To simply verify that the user has been authenticated with MFA, check that the aws:MultiFactorAuthAge key is not null. (If the user has not been authenticated with MFA, this key doesn't exist and therefore is null.)
• Duration — If you want to grant access only within a specified time after MFA authentication, use a numeric condition type to compare the key's age to a value (such as 3600 seconds).

Accordingly, a generic IAM policy for all AWS actions that simply tests for the existence of MFA authentication might look as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*", 
      "Condition":
      {
          "Null":{"aws:MultiFactorAuthAge":"false"}
      }
    }
  ]
}

Initial Answer

This is a case of 'it just works', i.e. there's nothing to be done regarding MFA-Protected Access for the AWS Management Console specifically, insofar the console uses the API in turn and calls every API action with the logged in user's IAM credentials accordingly (once a user has configured and enabled an MFA device, the login page will require entering the MFA token automatically) - see also section Using MFA-Protected APIs Through the Console within Configuring MFA-Protected API Access:

AWS evaluates MFA-protected API policies for actions in the console, such as terminating an Amazon EC2 instance. Set up the IAM user with an MFA device and enable an MFA-protected API policy. The user can then simply log into the console with MFA authentication and is subject to the policies for MFA-protected APIs. For users who already have an assigned MFA device, the console experience doesn't change (except for optional time limits on certain MFA-protected APIs that require more frequent re-authentication). For more information on setting up an IAM user with an MFA device, see Setting Up an MFA Device.