Authentication method by user or group

Describe your question in as much detail as possible:
We enabled Azure OmniAuth with Azure MFA for all of our staff. Recently we had the need to enable an external user. We enabled GitLab’s standard login for the external user, placed that user in a group with two-factor enforced for the group. We discovered that all users are able to log in with GitLab’s standard login. Is there a way to specify which authentication method is available by user or group?

  • What are you seeing, and how does it differ from what you expect to see?
    Normal users are able to use GitLab’s standard login, bypassing the Azure MFA. I would expect to be able to force normal users to authenticate with Azure OminAuth and force external users to use the standard login.

  • Consider including screenshots, error messages, and/or other helpful visuals
    None

  • What version are you on (Hint: /help) ? and are you using self-managed or gitlab.com?
    Self-managed - version 12.8.1

  • What troubleshooting steps have you already taken? Can you link to any docs or other resources so we know where you have been?
    I have search for a solution, but not been able to find one. All I can find is a way to disable the standard login for the site, but not how to specify which users are authenticated by which method.