Based on custom logic
In /etc/pam.d/sshd, add
session required pam_exec.so stdout /mylogic
/mylogic will be executed with environment variable $PAM_USER which is the user trying to logging in. You can run any custom logic against the user.
/mylogic can write to stdout, which will be displayed for the end user.
Based on user name or group name
Section 1 certainly is able to accomplish this task because you know the user from $PAM_USER. But a simpler way is to use AllowGroups or AllowUsers in /etc/sshd/sshd_config. You can also place files in /etc/sshd/sshd_config.d.
Block all users except root(?)
Create file /etc/nologin. No users can log in with the presence of the file. The content of the file will be printed for displaying a reason.
Only root can log in.