Feature: Allow Bot Detection configuration on the application level, not just the tenant.
Description: The current settings for most (all?) Attack Protection are only available at the tenant level. In many cases, this makes sense. However, enabling Bot Detection and specifically the Captcha settings at the application level would
- increase ability for teams to coordinate rollout of that feature more quickly for web applications while allowing for the app store-related delays required for most mobile apps
- allow different settings based on the product team’s assessment of risk per application, e.g. separated by sensitivity of data
- allow mobile applications to disable captcha as many users end up going through the same VPN-style IPs and thus always being considered a “Risky” login (see Google One and iCloud Private Relay)
Use-case: In our case, our mobile applications had a flaw that prevented them from working when captcha was triggered. This prevented our enabling Captcha for our web application, even though a quick test had shown the protection significantly decreased the volume of brute force attack attempts.