1
votes

I need to restrict an LDAP user account from logging in through OAuth2 token authentication. I could not find any configuration for this in the service provider configuration. By default, all LDAP users are allowed to log in by the WSO2 Identity Server. I need help to sort out this case.

Thanks

1 Answer

0
votes

Yes. There is no configuration for this. Currently, any user who is connected to WSO2IS through a user store can log in with SSO. For management console login, the user must have the login permission. If you need to restrict the user from SSO login, you need to customize the default SSO authenticator of WSO2IS.

If you are using the authorization code grant type, it means that you are using SSO login for OAuth2. But if you are using the password grant type, you need to customize the grant handler to limit the user login. Details about customizing the grant type can be found here
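
One way to implement the password-grant restriction described in the answer above, as an added example that is not part of the original post and not WSO2's own code: a handler that extends the stock `PasswordGrantHandler` and rejects deny-listed accounts only after the credentials have been verified. The package name, class name and the `oauth.password.grant.denied.users` system property are hypothetical; the class must be built against the WSO2 IS OAuth component and registered in place of the default password grant handler.

```java
package org.example.oauth; // hypothetical package

import java.util.Arrays;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.token.handlers.grant.PasswordGrantHandler;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

public class RestrictedPasswordGrantHandler extends PasswordGrantHandler {

    // Hypothetical property: comma-separated usernames that must not get tokens.
    private static final String DENY_PROP = "oauth.password.grant.denied.users";
    private static final Set<String> DENIED = load(System.getProperty(DENY_PROP, ""));

    static Set<String> load(String csv) {
        return Arrays.stream(csv.split(","))
                .map(RestrictedPasswordGrantHandler::normalize)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toSet());
    }

    // Strip the tenant suffix (user@tenant) and the user store prefix (STORE/user)
    // so "LDAP/alice@carbon.super" and "alice" match the same deny-list entry.
    // Matching is case-insensitive; this may over-block, which fails safe.
    static String normalize(String username) {
        String tenantAware = MultitenantUtils.getTenantAwareUsername(username.trim());
        return UserCoreUtil.removeDomainFromName(tenantAware).toLowerCase(Locale.ROOT);
    }

    @Override
    public boolean validateGrant(OAuthTokenReqMessageContext ctx)
            throws IdentityOAuth2Exception {
        // Let the stock handler authenticate first, so a deny-listed account
        // looks the same as any other to a caller with wrong credentials.
        if (!super.validateGrant(ctx)) {
            return false;
        }
        String username = ctx.getOauth2AccessTokenReqDTO().getResourceOwnerUsername();
        // Returning false makes the token endpoint treat the grant as invalid.
        return username != null && !DENIED.contains(normalize(username));
    }
}
```

This only covers the password grant; the authorization code flow goes through the SSO authenticator, which the answer says must be customized separately.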