Login Control is a service that allows you to enable / disable single sign on (SSO) and access for each of the main browsers on each operating system individually. You can set SSO to Forced, Internal Only, or Off for each browser, and can block users from being able to authenticate on certain browsers.
You can also set an IP range. Anyone connecting using that IP range will be considered to be accessing from an internal location, even if not actually on-premises.
You can enable authentication using SamAccountName. Once enabled, users will be able to use their SamAccountName instead of their Email / UPN, however this is only supported for internal connections.
For further details please see https://www.iamcloud.com/login-control/