Hi team,
As part of a security initiative, we are hardening configurations across all resource providers to ensure only admin-approved third-party applications can access our tenant via OAuth.
We'd like to understand:
- Does Smartsheet support an OAuth app allowlist or a "block all unapproved 3rd-party apps by default" setting at the Enterprise admin level?
- If yes: how do we enable it, and can we review/approve apps individually before granting user access?
- If no: is there a roadmap plan for this capability? Are there any alternative admin controls (e.g., restricting API token creation, disabling 3rd-party connectors, or limiting OAuth scopes)?
- Can we get a list of all currently authorized 3rd-party OAuth apps and which users granted consent in our org/tenant?
Our goal is to move to a default-deny posture where users cannot authorize arbitrary 3rd-party apps against our Smartsheet tenant without admin pre-approval. Please let us know the best path forward or if a call with your security/platform team would be appropriate.