I am building a React web app that allows our users to log in with their Microsoft work accounts. As it stands now, anyone with a Microsoft account would be able to log into the test site I have out there. What is the best practice for protecting logins to only your company? My first guess is to check the email domain. If it is not '@company.org', do not allow them in. I'm wondering if there is a better way. I'm also wondering if there is a way to prevent login right at the top, where they actually click their Microsoft account and type in their password. I'm sure I could figure out how to manually check their email domain and then load up my app if it is valid, otherwise display an unauthorized message.
Also, I could not find any tags that matched closely to my question.