When setting up authentication for web applications, you should differentiate between internal and external employees.
Internal employees should authenticate only via single sign-on and the internal identity provider (IdP).
For external employees, you should define password policies and set up a logon configuration.