
There are plenty of technical solutions to this problem.

None that will not dissuade potential paying customers, though.




Yeah, I was thinking more of dissuading employees.


Well, first off you make this (USE UNIQUE PASSWORDS) part of orientation, and maybe have part of orientation involve rolling dice and using the diceware list.

Then, you reinforce that by using some sort of SSO setup/service (you can outsource this to someone like okta.com if necessary), so that all internal systems never have a place to set a password. (e.g., don't make people set up separate accounts with passwords on the corporate jira or bitbucket server)

Basically, not training people to reuse passwords internally can help them to not reuse their one internal password externally.

Another possibility is to simply buy a password manager subscription for every employee and have it as a perk. That's a per-employee overhead of $20-30/year.
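An added example, not part of the comment above: the dice-rolling step of Diceware in Python, using the `secrets` module rather than `random`, with the dice key mapped to a word-list index, the list checked for completeness before use, and the entropy of the result computed. The word list embedded here is a constructed placeholder with the same 7776 `key<TAB>word` shape as the EFF list; the function names are mine.

```python
import math
import secrets

DICE = 5                 # Diceware rolls five six-sided dice per word
LIST_SIZE = 6 ** DICE    # 7776 entries in a complete Diceware list


def roll_key(rng=secrets.randbelow) -> str:
    """Roll five dice with a CSPRNG and return the key, e.g. '31452'.

    rng(n) must return a uniform integer in [0, n). The default is the
    secrets module; random.randint would not be suitable for this.
    """
    return "".join(str(rng(6) + 1) for _ in range(DICE))


def key_to_index(key: str) -> int:
    """Map a dice key '11111'..'66666' to 0..7775 (the key is a base-6 number)."""
    if len(key) != DICE or any(c not in "123456" for c in key):
        raise ValueError(f"not a {DICE}-dice key: {key!r}")
    index = 0
    for c in key:
        index = index * 6 + (int(c) - 1)
    return index


def index_to_key(index: int) -> str:
    """Inverse of key_to_index."""
    if not 0 <= index < LIST_SIZE:
        raise ValueError(f"index out of range: {index}")
    digits = []
    for _ in range(DICE):
        index, d = divmod(index, 6)
        digits.append(str(d + 1))
    return "".join(reversed(digits))


def load_wordlist(lines) -> dict:
    """Parse 'key<TAB>word' lines into a dict keyed by dice key.

    A list that is incomplete, has duplicate keys or repeats a word would
    skew the distribution, and entropy_bits() below would then overstate
    the strength of the passphrase, so all three cases are rejected.
    """
    words = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        key, word = line.split(None, 1)   # tab- or space-separated
        key_to_index(key)                 # validates the key
        if key in words:
            raise ValueError(f"duplicate key {key}")
        words[key] = word
    if len(words) != LIST_SIZE:
        raise ValueError(f"expected {LIST_SIZE} entries, got {len(words)}")
    if len(set(words.values())) != LIST_SIZE:
        raise ValueError("word list contains repeated words")
    return words


def passphrase(words: dict, n_words: int = 6, rng=secrets.randbelow) -> str:
    """Roll the dice n_words times and join the looked-up words with spaces."""
    return " ".join(words[roll_key(rng)] for _ in range(n_words))


def entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Entropy of a passphrase of n_words words chosen uniformly from the list."""
    return n_words * math.log2(list_size)


# Constructed placeholder list: same shape as the real file (7776 lines of
# 'key<TAB>word'), but with synthetic words. Substitute the EFF list in use.
CONSTRUCTED_LINES = [f"{index_to_key(i)}\tword{i:04d}" for i in range(LIST_SIZE)]

if __name__ == "__main__":
    wordlist = load_wordlist(CONSTRUCTED_LINES)
    print(passphrase(wordlist, 6))
    print(f"{entropy_bits(6):.1f} bits")   # six words from 7776: about 77.5 bits
```

Six words from a 7776-entry list give about 77.5 bits; the figure only holds if every key maps to a distinct word and the dice (or the CSPRNG standing in for them) are uniform, which is why the loader refuses a short or duplicated list.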


The best approach is to implement 2FA so you're not solely reliant on user password choice.

At scale, there's no way you'll get everyone to use good passwords. Random generation is a bad idea, users just write them down if you do that.



