I want to create a locked down Environment for my CDS for Apps stuff - whenever I create an environment, it looks like every user in the company's AAD tenant is a valid and enabled user. How can I create an environment that is secure by default and locked down? Having to tab through 334 pages and disable users seems silly.
If it *is* secure by default, the UI certainly doesn't communicate or inspire that confidence.
Yes, your tenant's user records are synced down to the environment's Users table in CDS automatically, but they are not actually given permission to any actions or data in the environment until you assign them a security role. The two exceptions are:
1. The user who creates the environment is automatically added to the System Administrator role.
2. AAD Global Admins are automatically added to the System Administrator role.
You can see details here for how to assign security roles: https://docs.microsoft.com/powerapps/administrator/database-security.