Using a Defender policy with "Token" followed by 'None" as authentication methods will prompt for username and token response only.
Policies can be applied to Access Nodes, or groups or even specific users. We suggest that they be applied on Access Nodes and then the Access Node membership updated for specific users. That way only those users receive the policy and it applies when they attempt to log in with Defender. Ultimately, it will depend what the best method is for the deployment. Thus, please test thoroughly to confirm the desired result.
For more information please see Knowledge Article 77387, Best practice suggestions for Defender policies