If you only trigger the microflow once after the XAS has started, it doesn't block users which are created after the trigger. Therefore, you should trigger a scheduled event or on change event (of user) which blocks users which are not allowed to login on the specific server.
Further, for each application you can configure which scheduled events should be trigger in the application.conf file. As a consequence, you do not have to use constants in this case.