When a new user is provisioned through SSO, we want restrict the user creation or restrict the user from 1st time login, so that we can implement an addition approval layer.
User creation during the 1st login occurs only if JIT is enabled.
Unfortunately, there is no OOB tools or examples of implementations of this functionality we can provide you with.
I will create an idea for the responsible team to consider the possibility of adding such functionality in future.
