Given that you have a Microsoft 365 subscription alongside an Azure subscription, both with Microsoft 365 Defender and Microsoft Defender for Cloud enabled, consider a scenario where your Azure subscription includes 50 virtual machines, each running different applications on Windows Server 2019. You are tasked with ensuring that only authorized applications are able to execute on these virtual machines. In cases where an unauthorized application attempts to run or be installed, it must be automatically blocked until an administrator grants authorization. What security control would you recommend to achieve this?