Describe the solution you'd like
Plugin configuration could contain a checkbox to only allow password-based login if the user isn't attached to an SSO user, this would reduce the chances that someone forgets to update a weak/leaked password in one of the attached Wordpress instances and would not allow bypassing 2FA enforced by IdP.
Describe alternatives you've considered
There aren't many alternatives besides resetting user passwords to something secure, but they can still reset them back if password resets aren't disabled (which they can't really be).
Describe the solution you'd like Plugin configuration could contain a checkbox to only allow password-based login if the user isn't attached to an SSO user, this would reduce the chances that someone forgets to update a weak/leaked password in one of the attached Wordpress instances and would not allow bypassing 2FA enforced by IdP.
Describe alternatives you've considered There aren't many alternatives besides resetting user passwords to something secure, but they can still reset them back if password resets aren't disabled (which they can't really be).