Nice. Maybe this should be an official feature to allow admins to enable provisioning auth. Perhaps is it even possible to setup multiple credentials? that way you can revoke access for a single tenant.
Without this being built in as a standard security feature, any kind of EPM solution is dead on arrival.
I just stood up a 3.0 test instance to see how things have progressed and this is a huge deal breaker. Right next to not having any ability to add custom fields.