So here's something youze guyze ain't gonna know off the top of your balding pates...
When Vault is set up with an external identity provider like LDAP/OIDC/JWT/XYZ, if a user logging into Vault does not have a group definition mapped to a policy, then they will be logged in with the “default” policy.
Is there a way to limit even the default policy, so that a domain user cannot even log in and see the cubbyhole at all, unless they are part of a group that has a policy mapped?
Well, you can modify the default policy, of course.
But I suspect that's not gonna help most of you.
This flag in the API, token_no_default_policy, might help, at least for the JWT/OIDC auth method with its various providers: https://www.vaultproject.io/api-docs/auth/jwt#token_no_default_policy
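To make the effect of that flag concrete, here is a small audit script I've added (it is not from the original post and not Vault's own code). It takes role definitions shaped like the `data` object from `vault read -format=json auth/jwt/role/<name>`, works out which policies a token minted from each role would carry, and flags roles where a login would land with nothing but `default`. The role names and claims are constructed sample data; the `token_policies` and `token_no_default_policy` fields are the ones from the JWT auth API docs linked above. Identity-group policies that Vault merges in at login time are deliberately out of scope here, so a role flagged by this check is one where a user with no group mapping gets only `default`.

```python
"""Audit Vault JWT/OIDC auth roles for logins that yield only the 'default' policy.

Added example, not part of the original post or of Vault. Input shape assumed to
match the 'data' object of `vault read -format=json auth/jwt/role/<name>`.
"""

# Constructed sample roles (hypothetical names and claims, for illustration only).
SAMPLE_ROLES = {
    "engineers": {
        "token_policies": ["eng-secrets"],
        "token_no_default_policy": False,
        "bound_claims": {"groups": ["engineering"]},
    },
    "catch-all": {
        # Weak setting: no policy of its own, and 'default' still gets attached,
        # so any authenticated IdP user lands with exactly the default policy.
        "token_policies": [],
        "token_no_default_policy": False,
        "bound_claims": {},
    },
    "catch-all-hardened": {
        # Corrected setting: same role, but the default policy is not attached.
        "token_policies": [],
        "token_no_default_policy": True,
        "bound_claims": {},
    },
}


def effective_policies(role):
    """Policies a token issued from this role carries, ignoring identity-group policies.

    Vault attaches 'default' to the token unless token_no_default_policy is true.
    """
    policies = list(role.get("token_policies") or [])
    if not role.get("token_no_default_policy", False) and "default" not in policies:
        policies.append("default")
    return sorted(policies)


def audit(roles):
    """Return the names of roles whose logins would carry only the 'default' policy."""
    return sorted(
        name for name, role in roles.items() if effective_policies(role) == ["default"]
    )


def harden(role):
    """Return a copy of the role with token_no_default_policy set, as the post suggests."""
    fixed = dict(role)
    fixed["token_no_default_policy"] = True
    return fixed


if __name__ == "__main__":
    for name in audit(SAMPLE_ROLES):
        print(f"role {name!r}: logins get only the default policy")
        print(f"  effective after hardening: {effective_policies(harden(SAMPLE_ROLES[name]))}")
```

Run it against your own roles by feeding the `data` objects from `vault read -format=json` into `audit()`; a role that comes back flagged is exactly the case the question describes, and `harden()` shows the single field change that closes it.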
And a quick quack of the ol' DDG shows that it seems they slapped this sucker on most of the other auth methods:
So, there you go! If it works, you may express your gratitude for my generosity in the comments.
If it doesn't work, you may express your boundless rage for my imbecility in the comments.