Forum Discussion
Unwanted MFA Method Options Displayed During Login
Description:
We have DUO configured and enforced as the sole MFA provider via an external authentication setup. However, during the login process, users are still being presented with additional method options, including:
• Email (Receive a code to reset password)
• Hardware token (Sign in with a code from a hardware token)
• Phone (Call or text)
• Microsoft Authenticator
We want to remove at minimum the Email and Hardware token options from being shown, as these are not approved methods in our security policy.
What’s been done:
• DUO is configured as the default and only intended MFA method.
• An exemption group has been added in Azure AD Authentication Methods policy to exclude users from using SMS and Microsoft Authenticator, yet users are still prompted to set up another authentication method during login.
We are in the process of transitioning users over to DUO, so we still need to have Microsoft Authenticator as an option, but want users who are configured to use the DUO authentication method to not require another form.
1 Reply
- natem395 (Copper Contributor)
Could a moderator please remove this post? I resubmitted it with some minor changes, thinking this one did not come through.