Trying to secure a folder on a website using Cloudflare Access. I created a group defined by 3 different emails. Then created a policy for my app to Allow and Requires that group. It seems that when I access that folder and am prompted for an email address to send the OTP to, I can successfully send OTPs to ANY email address and log in through Cloudflare Access to my folder.
I must be missing something…but it sure seems like the default should DENY anyone not in the policy.
Do I need to also create a Policy to BLOCK/DENY everyone else?