I agree with others above. A login experience should be intuitive. Reference other public-facing websites as a model for your login (Google, Microsoft, …).
I would either:
- Enforce “Authenticated” in order to access the project at all (preferred, where any authenticated user is configured for read-only access by default; those with specific roles will be elevated).
- Allow “Public” (unauthenticated) access to the project but add tag provider + tag security to ensure that only “Authenticated/Admin” has access to write.
If you wish to reject a user’s login when they are not a member of a specific group, then you should configure the filter on your AD source to be limited to members of a specific group, whereby other members will not be able to authenticate at all - and they’ll be forced to back out of authentication.
For reference: