Disable single factor authentication for ZIA admin account from ZIA portal

Idp is enabled with Okta and also with SAML SSO The SSO login to ZIA is done via Okta.

The same admin account can login directly from ZIA portal using single factor authentication. If someone brute-force the password, they can bypass and login to the portal without okta. Is there an MFA option or a way to disable single factor login?

Create admins with only saml without pasword.