Managed Whitelist of Enterprise Applications
Please provide facility to whitelist which 3rd party applications are 'approved'.
Ideally this would be more than just a single 'bit' of information, and allow multiple lists - for example, a whitelist for 'regular company business' and another for TOPSECRET, to be integrated with other parts of the Azure framework, such as being used in Conditional Access Policy and the EMS E5 features.
Currently OAuth consent by any user will automatically register an application and this cannot be disabled. A blacklist is possible, but a whitelist is not without completely removing the ability for users to manage their own consent, which is undesirable from a data governance perspective.
a) New user Setting - "Users can register new Enterprise Applications: Yes/No" - prevent OAuth consent by a user from creating a new application record; applications can only be added to the list by a Cloud Application Administrator or higher;
b) New user Settings - "Users can request new Enterprise Applications: Yes/No" - if the setting is Yes, then the EA is registered automatically; and "New Enterprise Applications Require Approval: Yes/No" - if the setting is Yes, then newly registered applications have the setting "Enabled for users to sign-in" set to "No";
c) Fix conditional access to make this easy and support conditions that only refer to 3rd party non-Microsoft apps.
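Until such a setting exists, an admin can at least audit which enterprise applications exist only because a user consented to them and compare them against an approved list. The script below is an added example, not part of the original request or any Microsoft tooling; it assumes the Microsoft.Graph PowerShell module, an admin session opened with Connect-MgGraph, and a placeholder approved-app list that you fill in yourself.

```powershell
# Added example (not from the original post): find enterprise applications that
# were registered through user consent and flag those not on an approved list.
# Assumes: Microsoft.Graph module installed and
#   Connect-MgGraph -Scopes 'Application.Read.All','Directory.Read.All'
# $ApprovedAppIds is a placeholder; replace it with the appId values you approve.
$ApprovedAppIds = @(
    '00000000-0000-0000-0000-000000000000'   # placeholder appId of an approved app
)

# A grant with ConsentType 'Principal' was made by an individual user (not an admin
# consenting on behalf of the tenant), so its client service principal is exactly the
# kind of auto-registered application the request above is about.
$userGrants = Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq 'Principal' }

$report = foreach ($grant in $userGrants) {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
    [pscustomobject]@{
        DisplayName   = $sp.DisplayName
        AppId         = $sp.AppId
        SignInEnabled = $sp.AccountEnabled   # the portal's "Enabled for users to sign-in"
        Scopes        = $grant.Scope
        ConsentedBy   = $grant.PrincipalId
        Approved      = $ApprovedAppIds -contains $sp.AppId
    }
}

# Unapproved apps that users can still sign in to are the ones to review first;
# one row per app, with the number of users who consented to it.
$report |
    Where-Object { -not $_.Approved -and $_.SignInEnabled } |
    Group-Object AppId |
    ForEach-Object {
        [pscustomobject]@{
            DisplayName = $_.Group[0].DisplayName
            AppId       = $_.Name
            Users       = $_.Count
            Scopes      = ($_.Group.Scopes | Sort-Object -Unique) -join ' '
        }
    } |
    Format-Table -AutoSize

# To mirror the requested "Enabled for users to sign-in: No" for an unapproved app,
# an admin can run: Update-MgServicePrincipal -ServicePrincipalId <objectId> -AccountEnabled:$false
```

The report covers delegated (user-consented) grants only; application permissions granted by admins are not part of the problem the request describes and are left out.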
We have started working on these features. For an initial release, we're thinking of allowing admins to select the set of permissions users will be able to consent to.
Ben Hatton commented
The concepts you have here are perfect, thanks. I'm in edu.au, so we have a challenging user base that doesn't respond well to global settings.