What is the name of the domain?
septierdocs.pages.dev
What is the issue you’re encountering
Tried to set up a policy but not sure I’ve done it right.
May I ask if you’ve considered creating the Access Policy which is allowing only the specific or listed email addresses instead? 
Could you share how does it look like? - please hide the true email since sharing in public forums.
I’d love to do just that but I find the process confusing. Is all access denied by default or is it allowed. Do I need to allow access to specific individuals or do I deny to everyone “except” a few?
I am sorry for this.
Neither, we control this with the “action”.
Policies are evaluated based on their action type (allow, block, bypass … ) and ordering as we create them. Once a user matches an Allow or Block policy, evaluation stops and no subsequent policies can override the decision.
Add their Emails to include, yes.
If someone else enters some email which isn’t listed, they won’t get the PIN code to authenticate.
You can do it like that, just the action is vice-versa, block where Emails don’t include.
One small adjustment 
Access is deny by default. Once you add the application, all traffic is blocked unless a user passes an Allow policy. No need for the extra block rule.
1 Like