For security reasons, the team owner should be able to switch on an option which requires a central SSO login and prevents users from being invited or logging in via email+password.