How to avoid external users to link on /cmspages/logon.aspx.
I want when they will type the www.domainname.com/cmspages/logon.aspx to block them.
I think it really depends on what you mean by an external user.
One approach I've taken before when I only want people within my office/network to be able to access the Admin pages, it to use an IP lockdown via the UrlRewrite extension. This approach works in IIS (once the extension is installed) and Azure App Services.
A rule something like this should do the trick:
<rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
<match url="cmspages*" />
<conditions>
<add input="{REMOTE_ADDR}" pattern="45.56.78.*" negate="true" />
</conditions>
<action type="CustomResponse" statusCode="401" statusReason="Unauthorized: Access is denied due to invalid credentials" statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
</rule>
This will block access to all cmspages (possibly too agressive) if the IP of the visitor does not match the given pattern.