That is correct, it is not possible. Check and read this detailed information; WHFB is the only solution. I will say from on-field experience that many have moved to using this, as it locks down with the biometric on the devices and it is as good as MFA. azure-active-directory-mfa-multi-factor-authentication
Hope this helps, and please don't forget to upvote and accept as answer if the reply is helpful.