You have a couple of options.

If you use the hosted login pages/authorization code grant, disabling all grants in the application settings page will prevent people from logging in. If you use the login API and have customer-based API keys, you could turn on the 'require API key for login API' and then disable the customer's API key. If you have the Enterprise plan, you could set up an IP ACL for a unroutable IP range.

However, the easiest way to make sure an application cannot be logged into is to deactivate the application.

As of 1.62.0, FusionAuth supports pre-verification of emails and phone numbers.

More details:

https://fusionauth.io/docs/lifecycle/manage-users/verification/identity-pre-verification-using-email

https://fusionauth.io/docs/lifecycle/manage-users/verification/identity-pre-verification-using-phone

@mark-robustelli I haven't tested it again since, but I build a docker image using the base fusionauth image (fusionauth/fusionauth-app) because I have a custom plugin and kickstart file.
So my upgrade process is simply to update the base fusionauth image in my dockerfile, and then update my container in Azure. This has worked fine since 1.56, and updated through all the updates with migrations.
Edit: I just noticed that the downloaded schemas does contain a migration for 1.65, and running it on the database does make the container start now. Would have expected this migration to run on start up like the other updates though.