Kinvey does not currently provide Business Logic (BL) hooks on the /login REST API call. But sometimes, especially with corporate MIC integration, it is desirable not to give just any user in the directory access to the Kinvey app.

The best way is to prevent the user from being created in the first place. Creation happens upon first login, and user creation triggers the BL "preSave" and "postSave" hooks, so those hooks are a good place to stop certain users from being created or logged in at all.

The logical way to implement this would be a preSave hook on the User table, to inspect the data before it is saved as a User in Kinvey. Unfortunately, in the preSave hook the kinveyAuth structure is not yet available, so you cannot decide there whether to let the user in.

The best practice at this moment is to use a postSave hook, as the kinveyAuth structure is present by then. You can set up the MIC profile with certain Allowed Attributes, e.g. group membership or other pertinent information, and inspect those properties in the postSave hook. If you decide at that point not to allow the user to proceed with login, you must do two things:

a) delete the User record (you can use the UserStore for that, available in both Flex and Legacy BL)

b) return an "Unauthorized" response. 

In Legacy BL, call:    return response.error(401);

In Flex call:    return complete().unauthorized().done();
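
The two steps above as one Flex postSave handler. This is an added example, not Kinvey's own code. It assumes the MIC profile maps an Allowed Attribute named "groups", that the saved user record arrives in context.body, and that the MIC data sits under _socialIdentity.kinveyAuth; the group names are constructed placeholders.

```javascript
// Added example. Assumptions: attribute name "groups", the saved user in
// context.body, MIC data under _socialIdentity.kinveyAuth. Names are constructed.
const ALLOWED_GROUPS = ['mobile-app-users', 'mobile-app-admins'];

// Returns the user's MIC groups as an array, or null if the record has no MIC data.
function micGroups(user) {
  const auth = user && user._socialIdentity && user._socialIdentity.kinveyAuth;
  if (!auth) return null;
  const raw = auth.groups;
  if (Array.isArray(raw)) return raw.map(String);
  // A directory may send one comma-separated string; anything else means no groups.
  return typeof raw === 'string' ? raw.split(',').map((g) => g.trim()) : [];
}

// Flex handler signature: (context, complete, modules)
function denyUnlistedUsers(context, complete, modules) {
  const user = context.body || {};
  const groups = micGroups(user);
  // Records without MIC data are outside this check; pass them through unchanged.
  if (groups === null || groups.some((g) => ALLOWED_GROUPS.includes(g))) {
    return complete().setBody(user).ok().next();
  }
  // (a) delete the record that the first login just created ...
  modules.userStore().remove(user._id, (err) => {
    // A failed delete leaves an orphaned record to clean up; log it for follow-up.
    if (err) console.error('user cleanup failed for', user._id, err);
    // (b) ... and reject the login whether or not the delete succeeded.
    return complete().unauthorized().done();
  });
}

// Registration inside a Flex service (requires kinvey-flex-sdk):
//   sdk.service((err, flex) => {
//     flex.functions.register('denyUnlistedUsers', denyUnlistedUsers);
//   });
```

Attach the registered function to the postSave hook of the user collection. A user with an empty or missing "groups" attribute is denied, so confirm the attribute mapping in the MIC profile before enabling the hook.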