These explain that it’s necessary to enable domain-level connections for third-party applications. But nothing really clearly explains what a domain-level connection is, why it’s necessary, and how it differs from the default tenant-level connection.
So:
1. What is a domain-level connection?
2. Why is it necessary for third-party applications?
3. How does it differ from the default tenant-level connection?
The short answer is that a domain-level connection is a connection that has been enabled for third-party apps. That is pretty much it.
This is necessary because third-party apps have a different security profile than first-party apps (you don’t have complete control over the code/server for the app).
I had also deduced that it was really a “works with third party apps” flag.
One surprising behaviour I’ve seen is that after enabling this flag, third-party apps seem to use the connection even while the UI shows the connection as disabled for that app.
I’m still not sure what the answer to question 3 is: why it’s called a “domain” connection, and how that is different (besides the third-party behaviour) from a “tenant” connection. It seems that even domain connections are part of a tenant. The terminology is confusing.