Opt certain domain emails out of SSO

For our application, in our QA environment we have the enterprise (using AAD) connection and database connection setup to authenticate a user during login.

Our enterprise is using home realm discovery so if a user types in user@email.com, where email.com is an id domain, the user is authenticated via SSO.

We have some QA ids, not in our AAD, where the intent was to be able to use our qa_user@email.com with the database connection. When you type in the qa email, lock resolves to use the enterprise connection.

The question is there a way to option out certain ids from home realm discovery? The connectionResolver does not work since that happens after submit.

Obviously I could change the domain for the QA ids but wanted to check for options first.