Zero Trust - Unable to add user to an access policy

Hi I had the same issue (I included specific users in my access policy, but everyone got an OTP email response, even if not on the list), and was able to figure it out on my own.
See CF Tunnel Application Access Policy: limit to email in access group

Basically, after the “allow” policy which includes the users you want to allow, you need to set a second, “block” policy to block “everyone”. Kind of like firewall rules. Would be nice if the documentation included this info, but at least this now works for me.