What are the SFAFallBack options and how do they affect users without SP credentials?

You can set options to allow Single Factor Authentication "fallback" when certain conditions are met. In the credprov section of the registry, set SFAFallBack to the value that fits your environment:

SFAFallBack = 0 - Do not allow login without MFA (OTP).
SFAFallBack = 1 - Supports a Windows user who does not exist in the SP directory.
SFAFallBack = 2 - Supports a Windows user who exists in the directory but has no tokens.

If you have Windows users who don’t need MFA and do not have an account in the SurePass directory, use SFAFallBack = 1.
If you have Windows users who do exist in SP but don’t yet have their tokens, you can use SFAFallBack = 2.