Secure your Connected Apps
As of September 2025, Salesforce enforces stricter security for Connected Apps (see the Official Documentation and this Salesforce Ben article).
By default, only System Administrators are allowed to use new Connected Apps. However, existing user authentications (OAuth tokens) are not automatically revoked and can still be used, which is risky because they aren’t secured.
This means that for every Salesforce org integrated with external systems, especially Production orgs, some manual configuration must be performed in Setup to comply with the new Salesforce security policies.
Detect Unsecured Connected Apps
First, identify the unsecured Connected Apps that are currently in use.
Using the VS Code extension
To do that, use the sfdx-hardis command Org Monitoring -> Unsecured Connected Apps.
- If you don’t have sfdx-hardis yet, please follow the installation instructions.
Select the org you want to analyze, then run the Unsecured Connected Apps command. You’ll see a list of unsecured Connected Apps.

To view the full list, click the Unsecured Connected Apps (XLSX) button to open it in Excel.


Using Org Monitoring
If you use sfdx-hardis Org Monitoring, a daily check runs and sends Slack/Teams notifications if unsecured Connected Apps are found. Click View Job, then download the artifacts to get the Excel report files.

If your monitoring is integrated with Grafana, you can also detect unsecured Connected Apps using the Home dashboard indicator. Click the number, then click the date in Date generation Date & Time to access the job and its artifacts containing the Excel files.


Analyze Connected Apps
In the Excel file, add three columns to the right of the AppName column:
- To keep
- Profiles
- Permission Sets

The goal is to decide for each Connected App whether it should remain available, and who can use it.
Identify Connected Apps to keep
First, identify the Connected Apps you want to keep and mark them in the corresponding column.
- The Last Usage Date and Profiles of users using it columns help you decide whether to keep access open. If the last usage was several years ago, you probably don’t need the Connected App.

If you don’t recognize a Connected App, you can see who used it and when by clicking the Unsecured OAuth Tokens (XLSX) button and filtering on the Connected App column. Ask the relevant users what those unknown apps are.

If the only user is Platform Integration User, you can keep the app and restrict it to the System Administrator profile.
Define access for kept Apps
Filter your Excel file to display only rows with To keep = Yes.
For each Connected App that you decide to keep available, define who can access it using Profiles, Permission Sets, or both.
- Once a user is assigned to the specified profile or to one of the permission sets, they will be able to access the Connected App.
Enter profiles and/or permission sets in the corresponding columns.
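To speed up the triage of a large export, the decision rules above can be applied automatically to the token report. The following script is an added example, not part of sfdx-hardis: it assumes rows shaped like the Unsecured OAuth Tokens report (one row per token with a Connected App, User and Last Usage Date column; the column names, the two-year staleness threshold, the reference date and the sample rows are assumptions made for this example).

```python
"""Triage Connected App OAuth tokens with the rules of this guide (added example)."""
from collections import defaultdict
from datetime import date, timedelta

# Assumptions for this example: a token unused for 2 years is stale, and the
# report is analyzed as of a fixed reference date so results are reproducible.
STALE_AFTER = timedelta(days=2 * 365)
TODAY = date(2025, 9, 15)
INTEGRATION_USER = "Platform Integration User"


def triage_tokens(rows, today=TODAY):
    """Return {app: (to_keep, note)} for each Connected App in the token rows.

    - no usage within STALE_AFTER          -> "No": block the app
    - only used by Platform Integration User -> "Yes": keep, restrict to System Administrator
    - anything else                         -> "Review": ask the listed users what the app is
    """
    by_app = defaultdict(list)
    for row in rows:
        by_app[row["Connected App"]].append(row)

    result = {}
    for app, tokens in by_app.items():
        last_used = max(date.fromisoformat(t["Last Usage Date"]) for t in tokens)
        users = {t["User"] for t in tokens}
        if today - last_used > STALE_AFTER:
            result[app] = ("No", f"last used {last_used}, block it")
        elif users == {INTEGRATION_USER}:
            result[app] = ("Yes", "restrict to profile System Administrator")
        else:
            result[app] = ("Review", f"ask users {sorted(users)} what this app is")
    return result


# Constructed sample rows (not real org data)
SAMPLE_ROWS = [
    {"Connected App": "Data Loader", "User": "Alice Admin", "Last Usage Date": "2025-08-30"},
    {"Connected App": "Data Loader", "User": "Bob Dev", "Last Usage Date": "2025-07-01"},
    {"Connected App": "Old Marketing Sync", "User": "Carol", "Last Usage Date": "2021-03-15"},
    {"Connected App": "Flow Integration", "User": INTEGRATION_USER, "Last Usage Date": "2025-09-01"},
]

if __name__ == "__main__":
    for app, (keep, note) in triage_tokens(SAMPLE_ROWS).items():
        print(f"{app}: To keep = {keep} ({note})")
```

The "Review" verdicts are the rows you still have to confirm with the users before filling in the To keep column.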

Update configuration
Click the Review OAuth Connected Apps button to open your org’s Setup page: Connected Apps OAuth Usage.


Block Connected Apps
For all Connected Apps that you don’t want to keep, click “Block”. An Unblock button will appear, indicating that the Connected App is no longer accessible to anyone. Repeat this operation for all the apps you want to make unavailable.

Secure Connected Apps
Apply the following steps to all the apps you want to keep available:
- Install (install the app if not installed)
- Configure App Policies
- Select Profiles / Permission Sets
For all Connected Apps that you want to keep, click “Install” if the button appears.
- If the button name is Uninstall, the app is already installed. You can skip this step and click Manage Policies.
Confirm the installation on the confirmation screen.

Configure App Policies
You can reach App Policies via the Manage Connected Apps Setup menu, after installing an app, or by clicking Manage Policies on Connected Apps OAuth Usage. Edit the policies of the app you want to secure by clicking Edit Policies.

Select Admin Approved Users are Pre-authorized.
Define a token expiration (based on the app’s criticality and where the token is stored, you can set a longer or shorter duration). Click Save.
- When a token expires, human users must re-authenticate using MFA/SSO, which is safer.

Set Profiles and Permission Sets
On the Connected App policies page, you’ll see sections Profiles and Permission Sets. Select the Profiles and/or Permission Sets whose assigned users are allowed to access the Connected App.

Verify your new configuration
After you’ve blocked or secured all Connected Apps, run the sfdx-hardis command Org Monitoring -> Unsecured Connected Apps again to verify that there are no remaining unsecured Connected App OAuth tokens.

Contact
Need help? Please contact our team.