We actually had a similar issue at one point. We have SSO required for all users. We have not deployed the Anaplan mobile app. One user saw the Anaplan mobile app in the Apple app store, downloaded it, and then tried multiple times to log in (outside of SSO).
Multiple bad attempts will cause the account to be locked. It was very confusing, because he wasn't disabled from our end and he wasn't disabled in the Administration pages. It was only after talking with Support when we realized he had been locked on the back end due to multiple bad login attempts.
My understanding is that SSO completely bypasses the normal username/password method/requirements and therefore the user doesn't even need a password set up in order to use SSO. (how would they set up a password is SSO is enforced...?)
I hope sharing this experience is helpful for others to read!
I believe, even for SSO users, if multiple bad logins are attempted (via non SSO users' log in screen), then the security feature of blocking the user kicks in. In my opinion, instead Anaplan should give an error saying that the user is a SSO based user & he/she should use the SSO log in screen.
With respect to the other point you mentioned, it will make troubleshooting easier if there is a screen which shows the list of such blocked users.