When using third-party authentication for Security Center users, we recommend deactivating all local user accounts to ensure every account follows the same authentication policies. This includes the default Admin account.
External identity providers can impose advanced authentication requirements, like the use of smartcards or Multi-Factor Authentication (MFA), to increase confidence that a user is who they say they are. After setting up third-party authentication, keeping local Security Center users active weakens the overall security of your system because local users do not follow the same authentication policies as those authenticated by the identity provider. Additionally, these separately managed accounts increase the attack surface of Security Center.
For more information, see Deactivating user profiles.