You can't really do this. If you update the login to require a password reset, the person has to log in first with their old password before they are prompted to change their password. And during that password reset they also need to enter their old password again. However, if we change the authentication provider, the password hash will no longer work, so the user will not be able to log in.
The Arena authentication provider in Rock, though, will change the person's login account to use the "Database" provider. The first time they log in using an Arena login, the provider verifies their password using the Arena hash. But since it can capture their password at that time (since they just typed it in), it will then convert their login to use the database provider and is able to save the same password hashed the way the database provider hashes it.
So, anyone who still has an Arena login has never logged into Rock with that username. If they had, it would have automatically been converted to a database login.
You might want to just suggest to them that we just delete the Arena logins after a given amount of time (i.e. a year after they migrated to Rock).
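
The convert-on-first-login behaviour and the cleanup of never-converted logins described in this answer, as an added sketch that is not part of the original post and is not Rock's own code. Unsalted SHA-1 stands in for the legacy hash and PBKDF2 for the database provider's hash (both assumptions), and every function and field name here is hypothetical.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

def legacy_hash(password):
    # Stand-in for the legacy provider's hash (assumption: unsalted SHA-1).
    return hashlib.sha1(password.encode()).hexdigest()

def database_hash(password, salt):
    # Stand-in for the new provider's hash (assumption: salted PBKDF2).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def authenticate(login, password):
    """Verify a password; convert a legacy login on its first success."""
    if login["provider"] == "legacy":
        if not hmac.compare_digest(legacy_hash(password), login["hash"]):
            return False  # wrong password: record stays on the legacy provider
        # The plaintext is available only at this moment, so re-hash it now.
        salt = os.urandom(16)
        login.update(provider="database", salt=salt,
                     hash=database_hash(password, salt))
        return True
    return hmac.compare_digest(database_hash(password, login["salt"]),
                               login["hash"])

def purge_stale_legacy(logins, now, max_age=timedelta(days=365)):
    """Delete logins still on the legacy provider after the cutoff."""
    stale = [name for name, rec in logins.items()
             if rec["provider"] == "legacy" and now - rec["migrated_on"] > max_age]
    for name in stale:
        del logins[name]
    return stale

def sample_logins():
    # Constructed sample data: two accounts imported with legacy hashes.
    imported = datetime(2020, 1, 1)
    return {name: {"provider": "legacy", "hash": legacy_hash(pw),
                   "salt": None, "migrated_on": imported}
            for name, pw in [("alice", "correct horse"), ("bob", "hunter2")]}

if __name__ == "__main__":
    logins = sample_logins()
    print(authenticate(logins["alice"], "correct horse"), logins["alice"]["provider"])
    print(purge_stale_legacy(logins, datetime(2021, 6, 1)))
```

A failed attempt leaves the record on the legacy provider, so only a login that proves knowledge of the password triggers the conversion.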