This is again a defense in depth thing. In the age of WFH, cracking a corporate VPN is really not that difficult. If you can make an attacker's life harder for low cost you should do it just in case.
Except you ain't really putting up a meaningful obstacle against an attacker here. Compared to the typical effort of cracking a corporate VPN, brute-forcing IDs is downright trivial.
Like I said elsewhere: it's like calling ROT13 "defense in depth".
Like I said elsewhere: it's like calling ROT13 "defense in depth".