Manage Connected Apps
Definition
Manage Connected Apps is the Salesforce Setup page that administers OAuth integrations: third-party applications and internal integrations that authenticate to the org through OAuth 2.0 or related protocols. Each Connected App is a configuration record representing an integration's trust relationship with Salesforce, including the consumer key, consumer secret, allowed OAuth scopes, callback URL, and any IP restrictions. The page lets administrators install, configure, monitor, and revoke Connected Apps across the org.
Two activities dominate the page. Installing a Connected App imports the app's metadata (usually from an AppExchange vendor package) and sets the org's local policies for it: which users may use it, which OAuth scopes it may be granted, and how long refresh tokens remain valid. Monitoring views show the OAuth tokens held per app and per user, which is what incident responders need when an integration is compromised. The administrative discipline around Manage Connected Apps is one of the most important security boundaries in a Salesforce org: every Connected App is a pathway for external access to org data, and stale or over-permissioned apps accumulate silently unless someone reviews them.
How Manage Connected Apps governs OAuth
What a Connected App is
A Connected App is the Salesforce-side configuration that represents an external application's trust relationship with the org. It carries a consumer key (the OAuth client_id, which is not secret) and a consumer secret (the client_secret, which must be protected). The external app drives the OAuth flow; Salesforce issues access tokens, and refresh tokens when the refresh_token scope is granted, that the app presents on API calls. The Connected App fixes the maximum set of OAuth scopes the app may be granted (for example api, refresh_token, web, full) and which users may authorize it; the app cannot obtain scopes outside that set, so the allowed list is the place to enforce least privilege.
Install versus self-create
Two paths exist. Install: the customer installs a Connected App package provided by an AppExchange vendor, populating the org with the app's configuration. Self-create: an administrator creates a Connected App directly for internal integration code or partner integration. Both produce the same Connected App records; only the source differs.
Permitted Users and admin approval
Connected Apps can be set to All Users May Self-Authorize (any user who reaches the consent screen can authorize the app for their own account) or Admin Approved Users Are Pre-Authorized (only users in explicitly assigned profiles or permission sets can use the app, and they are not prompted for consent). The latter is the more secure choice: it turns a decision every end user could make into one an administrator makes once. Restrict each Connected App to the smallest set of users who actually need it.
IP restrictions and Connected Apps
A Connected App can carry its own trusted IP ranges for the OAuth web server flow, and its IP Relaxation policy decides whether the Login IP Ranges on the user's profile are enforced or relaxed when the app authenticates. Keep both layers: the app-level ranges bound where the integration may run, and the profile-level ranges bound where its users may log in. For partner integrations with known infrastructure IPs, restrict tightly and record the ranges so they can be re-verified; for user-facing mobile apps, IP restrictions are usually impractical because the client addresses are unpredictable.
Token monitoring and revocation
The Connected Apps OAuth Usage page (Setup > Apps > Connected Apps > Connected Apps OAuth Usage) shows, per Connected App, which users hold tokens and when they were last used. During incident response, revoke the tokens of the compromised app: revocation invalidates the refresh token and any access tokens issued with it, so the integration must re-authorize, which is the containment step. Blocking the app revokes every token for it at once and prevents new authorizations, which is faster than revoking users one by one. For routine hygiene, revoke tokens that have not been used within your idle threshold (90 days is a common choice) on a schedule rather than waiting for an incident.
Consumer secret handling
The consumer secret is the OAuth client_secret, the value a confidential client (a server-side integration) presents to prove its identity at the token endpoint. Treat it as a credential: never check it into source control, never send it by email or chat, and store it in a secrets vault or the platform's secret store, loading it at runtime. Mobile and single-page apps cannot keep a secret at all; for those, rely on the authorization code flow with PKCE and do not embed the consumer secret in the client. Leakage of the consumer secret is a security incident: rotate the secret from the Connected App's detail page, update the integration with the new value at the same time, and review the app's OAuth Usage for authorizations you cannot account for.
Auditing Connected Apps
Quarterly audit: review every Connected App, confirm it is still in use, confirm scope is minimal, confirm permitted users are minimal. Connected Apps accumulate over time; teams install apps for one-off projects and forget to remove them. Stale Connected Apps with broad scopes are attack surface for credential theft.
Manage Connected Apps lifecycle
Managing Connected Apps is an ongoing administrative responsibility. The steps below cover the audit pattern and the lifecycle operations.
- Open Manage Connected Apps
Setup > Apps > Connected Apps > Manage Connected Apps. The list shows every installed and self-created Connected App.
- Audit each app
For each Connected App, confirm it is still in use, scope is minimal, permitted users are restricted. Capture findings in an audit log.
- Tighten permitted users
For apps still in use, restrict to Admin Approved Users Are Pre-Authorized. Assign profiles or permission sets explicitly.
- Configure IP restrictions if appropriate
For partner integrations with known IPs, add IP Range restrictions. Test the integration after configuring.
- Review OAuth Usage
Check active tokens. Revoke stale or suspicious tokens. Confirm no unexpected users have authorized the app.
- Remove unused apps
For apps no longer in use, delete or block. Deletion is irreversible; blocking is reversible. Default to blocking first.
- Document the audit
Record the audit findings and actions taken. Compliance audits expect to see this trail.
Key settings
- Admin Approved Users Are Pre-Authorized: restrict to specific profiles or permission sets. The secure default.
- All Users May Self-Authorize: any user can authorize. Less secure; reserve for trusted apps.
- IP restrictions: limit OAuth flows to specified IPs. Combine with Login IP Range.
- OAuth scopes: permissions the app can request. Minimize to least privilege.
- Block and delete: lifecycle operations. Block is reversible; delete is not.
- Stale Connected Apps accumulate. Quarterly audit catches them before they become attack surface.
- Consumer secret leakage is a security incident. Rotate immediately and investigate scope of exposure.
- Deletion is irreversible. Block first to preserve audit trail and allow reversal if needed.
- IP restrictions break some integrations. Test after configuring; partner IPs sometimes change without warning.
- The Manage Connected Apps user permission is sensitive. Audit who holds it: anyone with it can create or edit Connected Apps and their policies, so over-assignment lets users grant their own apps access the org never intended.
Trust & references
Straight from the source: Salesforce's reference material on Manage Connected Apps.
- Manage OAuth Access Policies for a Connected App (Salesforce Help)
About the Author
Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals.
Test your knowledge
Q1. What is the primary benefit of Manage Connected Apps for Salesforce administrators?
Q2. Why is understanding Manage Connected Apps important for Salesforce admins?
Q3. In which area of Salesforce would you typically find Manage Connected Apps?