MDATP Integration - Unsanctioned Apps - Allow for some users?

That's the reason I've put on hold Cloud App Security project because of no simple way to control the Cloud apps via ATP. All I can do is to "discover the Shadow IT" but I have almost no control over it. I don't use expensive firewalls, I'm cloud-only and so my customers. Yes, I know about Conditional Access and 3rd party integration but I couldn't find anything to simply click 3 dots and select "block" after I received the alert.