Salesforce Dictionary — Free Salesforce Glossary

Connected User

Administration · 🟡 Intermediate

Definition

A Connected User in Salesforce refers to a user whose Salesforce account is linked to an external system or identity provider through a Connected App, OAuth token, or SSO configuration. Connected users have an active authentication session that allows an external application to access Salesforce on their behalf. Administrators can view and manage connected user sessions and revoke access as needed.

Real-World Example

Consider an admin at Redwood Financial who manages Connected User access to keep the Salesforce org running smoothly and securely. They configure it during a scheduled maintenance window, test it in a sandbox first, and then deploy to production. The result is tighter security and a more streamlined experience for all 200 users in the org.

Why Connected User Matters

A Connected User in Salesforce is a user whose Salesforce account has an active authentication connection to an external system, typically through a Connected App, OAuth flow, or single sign-on configuration. The connection means the external system holds an OAuth access token (and possibly a refresh token) tied to that user, which it uses to make API calls to Salesforce as that user. The user's record access, profile permissions, and sharing rules all apply to actions the external system takes through the connection.

Salesforce admins can view connected users and their active OAuth sessions through the Connected Apps OAuth Usage page in Setup. This page shows which Connected Apps each user has authorized, when the connection was last used, and gives admins the ability to revoke specific tokens. Token revocation is the standard response to a compromised user account or when an integration is being decommissioned. Monitoring Connected User activity is part of basic security hygiene, especially for orgs with many integrations or external-facing applications.

How Organizations Use Connected User

  • Redwood Financial: Reviews Connected User OAuth sessions monthly as part of their security audit. Any unfamiliar Connected Apps or unused tokens are revoked, and the audit findings inform whether new integrations need additional review.
  • Vertex Global: Built an alert that fires when a high-privilege user authorizes a new Connected App. The alert lets the security team verify the new connection is expected before it can do significant damage.
  • NovaScale: Revoked all Connected User tokens for a former employee within minutes of their departure. The quick revocation prevented any external system from continuing to act under the departed user's identity.
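The three reviews described above (unfamiliar or unused tokens, new apps authorized by high-privilege users, tokens left behind by departed users) can be scripted over an export of token records. The following is an added example, not code from Salesforce or this glossary; the field names, the approved-app list, the 90-day threshold and the sample rows are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like an export of the Connected Apps OAuth Usage
# page. Field names are assumptions for this example, not a Salesforce schema.
SAMPLE_TOKENS = [
    {"user": "a.ng@example.com", "app": "Data Loader", "last_used": "2024-05-28",
     "user_active": True, "high_privilege": False},
    {"user": "b.ortiz@example.com", "app": "Billing Sync", "last_used": "2024-01-10",
     "user_active": True, "high_privilege": False},
    {"user": "c.admin@example.com", "app": "Report Exporter", "last_used": "2024-05-30",
     "user_active": True, "high_privilege": True},
    {"user": "d.former@example.com", "app": "Data Loader", "last_used": "2024-05-31",
     "user_active": False, "high_privilege": False},
    {"user": "e.lee@example.com", "app": "Billing Sync", "last_used": None,
     "user_active": True, "high_privilege": False},
]
APPROVED_APPS = {"Data Loader", "Billing Sync"}      # hypothetical allowlist
STALE_AFTER = timedelta(days=90)                     # assumed audit threshold
AUDIT_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so results are repeatable


def audit_tokens(tokens, approved_apps, now, stale_after=STALE_AFTER):
    """Return one finding per token that needs attention, with reasons and an action."""
    findings = []
    for t in tokens:
        reasons = []
        if not t["user_active"]:
            reasons.append("user deactivated")
        if t["app"] not in approved_apps:
            reasons.append("unapproved app")
            if t["high_privilege"]:
                reasons.append("high-privilege user")
        if t["last_used"] is None:
            reasons.append("never used")
        else:
            last = datetime.fromisoformat(t["last_used"]).replace(tzinfo=timezone.utc)
            if now - last > stale_after:
                reasons.append("unused token")
        if reasons:
            # A token for a deactivated user is revoked outright; the rest go to review.
            action = "revoke" if "user deactivated" in reasons else "review"
            findings.append({"user": t["user"], "app": t["app"],
                             "reasons": reasons, "action": action})
    return findings


if __name__ == "__main__":
    for f in audit_tokens(SAMPLE_TOKENS, APPROVED_APPS, AUDIT_NOW):
        print(f"{f['action']:<6} {f['user']:<22} {f['app']:<16} {', '.join(f['reasons'])}")
```

The script only produces the review list; the revocation itself is still done by an admin from the Connected Apps OAuth Usage page in Setup.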

🧠 Test Your Knowledge

1. What is a Connected User?

2. Where do admins manage Connected User sessions?

3. When should you revoke a Connected User's tokens?
