diff --git a/preferences/lang/egw_de.lang b/preferences/lang/egw_de.lang
index 4956ce8b41..cd1ffbf2d9 100644
--- a/preferences/lang/egw_de.lang
+++ b/preferences/lang/egw_de.lang
@@ -45,6 +45,7 @@ default format block	preferences	de	Standard Formatierung
 default preferences	preferences	de	Voreinstellungen
 delete categories	preferences	de	Kategorie löschen
 deny following groups access to acl (grant access)	admin	de	Verweigere folgenden Gruppen den Zugriff in den ACL's
+deny following groups access to application passwords	preferences	de	Verweigere folgenden Gruppen den Zugriff zu Anwendungspasswörtern
 deny following groups access to edit categories	admin	de	Verweigere folgenden Gruppen den Zugriff zum Ändern der Kategorien
 deny following groups access to preferences	admin	de	Verweigere folgenden Gruppen den Zugriff zu den Einstellungen
 deny following groups access to security popup	admin	de	Verweigere folgenden Gruppen den Zugriff auf das Popup Sicherheit
diff --git a/preferences/lang/egw_en.lang b/preferences/lang/egw_en.lang
index ca0209752a..cbf65df46f 100644
--- a/preferences/lang/egw_en.lang
+++ b/preferences/lang/egw_en.lang
@@ -45,6 +45,7 @@ default format block	preferences	en	Default format block
 default preferences	preferences	en	Default preferences
 delete categories	preferences	en	Delete categories
 deny following groups access to acl (grant access)	admin	en	Deny following groups access to ACL (grant access)
+deny following groups access to application passwords	preferences	en	Deny following groups access to application passwords
 deny following groups access to edit categories	admin	en	Deny following groups access to edit categories
 deny following groups access to preferences	admin	en	Deny following groups access to preferences
 deny following groups access to security popup	admin	en	Deny following groups access to security popup
diff --git a/preferences/src/Token.php b/preferences/src/Token.php
index 71fc587c84..b4fe6bf487 100644
--- a/preferences/src/Token.php
+++ b/preferences/src/Token.php
@@ -34,6 +34,15 @@ class Token extends Admin\Token
 	 */
 	public static function security(array $data)
 	{
+		// add token / app passwords for non-admins only if not disabled for memberships
+		if (empty($GLOBALS['egw_info']['user']['apps']['admin']) &&
+			!empty($GLOBALS['egw_info']['server']['deny_application_passwords']) &&
+			array_intersect($GLOBALS['egw']->accounts->memberships($GLOBALS['egw_info']['user']['account_id'], true),
+				(array)$GLOBALS['egw_info']['server']['deny_application_passwords']))
+		{
+			return;
+		}
+
 		Api\Translation::add_app('admin');
 
 		return [
diff --git a/preferences/templates/default/config.xet b/preferences/templates/default/config.xet
index f823bfc77c..4de8a15a9c 100644
--- a/preferences/templates/default/config.xet
+++ b/preferences/templates/default/config.xet
@@ -24,6 +24,10 @@
 					<et2-description  value="Deny following groups access to security popup" label="%s:"></et2-description>
 					<et2-select-account  id="newsettings[deny_security]" multiple="true" width="100%" accountType="groups"></et2-select-account>
 				</row>
+				<row>
+					<et2-description  value="Deny following groups access to application passwords" label="%s:"></et2-description>
+					<et2-select-account  id="newsettings[deny_application_passwords]" multiple="true" width="100%" accountType="groups"></et2-select-account>
+				</row>
 			</rows>
 		</grid>
 	</template>