I create users in my directory through a script and all of them have username-based login.
Running sign-in/sign-up policy after creating the user does not work. I can understand why: the email address normally gets verified during sign-up, as does the MFA second factor.
After forcing a login through a sign-in policy, the sign-in/sign-up policy allows sign-in. The self service password reset policy keeps failing after email verification with a validation error message.
The downside of using the self-service password reset that comes with the sign-in policy is that you can't require MFA for that password reset. Being able to require MFA for self-service password reset on accounts that were not created through a sign-up policy would be very valuable.