How to prevent some users from logging into Web Portal?

Our customer does not want external users to be able to log into Web Portal. But their managers should be able to request access for them.
We have Active Directory authentication, so 'generate random password and don't tell them' solution is not an option.

Another approach that I can think of is to change the IIS configuration to allow access only for members of a specific AD group (and grant this group to all internal employees).

Is there a better solution?
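The group-based IIS restriction mentioned in the question, as an added illustration and not configuration from the original post; the application runs Windows (AD) authentication and the group name CORP\WebPortal-Internal is a placeholder:

```xml
<!-- web.config for the Web Portal site (added example, not from the post).
     Assumes Windows authentication is enabled in IIS and anonymous
     authentication is disabled, so every request carries an AD identity. -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <!-- Placeholder group: internal employees are members, external
           accounts are not, so externals still exist in AD but are
           refused by this site. Order matters: first matching rule wins. -->
      <allow roles="CORP\WebPortal-Internal" />
      <!-- Everyone else, authenticated or not, is denied. -->
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

A denied AD user gets an HTTP 401/403 from IIS before any portal code runs, and the managers' "request access" step then reduces to adding the user to the group, which is auditable in AD.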