Blocking third-party applications in Google Workspace

(formerly G Suite)

Why might you want to block third-party applications?

When users connect third-party applications to Google Workspace, they are asked to grant specific permissions to the application, which determine what the application is allowed to do to Google Workspace data. These specific permissions are called OAuth2 scopes.
An example would be when you connected Trelica to Google Workspace. Google will have asked you to confirm that you were happy for Trelica to access your Google Workspace data:
Trelica can highlight applications that have connected to Google Workspace and been granted high-risk OAuth2 scopes.
You may be concerned about some of the applications that Trelica has highlighted as having high-risk access permissions and want to block access to them.
Trelica lets you revoke access tokens (which means that the application loses access), but a user can still re-grant permissions. This is because the Google Workspace API doesn't let Trelica block applications permanently.
Although there is no API access, fortunately the Google Workspace admin panel now has the facility to let you block individual OAuth2 applications.

Blocking existing application access

The new settings are in Security > API Controls.
The top panel is called App Access control and the button you are looking for is called Manage Third-Party App Access.
Clicking Manage Third-Party App Access shows you a list of all the applications that have been granted access to Google Workspace in one form or another:
Sometimes applications don't show up in the list of Connected apps. This appears to be a fault in the Google Admin console. You can still block these apps by following the steps to block a new application.
You can click on one of the rows to see the specific details of the services that the application has requested and been granted by Google Workspace. Google calls them Google service APIs -- technically they’re known as OAuth Scopes:
The App Access panel at the top has an Access Configuration option which lets you choose Blocked if you want to block access going forwards:
The Third-Party App Access list shows individual “OAuth Client IDs”, and a single application can be assigned multiple Client IDs, so you may need to go back to the main list and find all instances of the application you want to block.

Blocking applications before access has been granted

This is great where applications have already requested access, but what if want to pre-emptively block an application?
Go back to the Third-Party App Access Control list, and click Configure new app. Choose OAuth App Name Or Client ID:
Enter the name of the application (or the client ID which Trelica will give you when you choose to block an application) and click Search.
This will show you a list of OAuth Client IDs (there may be several). Select them all, and click the blue Select button at the bottom right.
You can then select Blocked, and click the Configure button to confirm: