Secure your Connected Apps

As of September 2025, Salesforce enforces stricter security for Connected Apps (see the Official Documentation and this Salesforce Ben article).

By default, only System Administrators are allowed to use new Connected Apps. However, existing user authentications (OAuth tokens) are not automatically revoked: they keep working even though the Connected Apps behind them are not secured, which is the risk you need to address.

This means that for every Salesforce org integrated with external systems, especially Production orgs, some manual configuration must be performed in Setup to comply with the new Salesforce security policies.

Detect Unsecured Connected Apps

First, identify the unsecured Connected Apps that are currently in use.

Using the VS Code extension

To do that, use the sfdx-hardis command Org Monitoring -> Unsecured Connected Apps.

Select the org you want to analyze, then run the Unsecured Connected Apps command. You’ll see a list of unsecured Connected Apps.

Unsecured connected apps list

To view the full list, click the Unsecured Connected Apps (XLSX) button to open it in Excel.

Unsecured Connected Apps Buttons
Unsecured Connected Apps List Excel

Using Org Monitoring

If you use sfdx-hardis Org Monitoring, a daily check runs and sends Slack/Teams notifications if unsecured Connected Apps are found. Click View Job, then download the artifacts to get the Excel report files.

Connected Apps Monitoring

If your monitoring is integrated with Grafana, you can also detect unsecured Connected Apps using the Home dashboard indicator. Click the number, then click the date in Date generation Date & Time to access the job and its artifacts containing the Excel files.

Connected Apps Monitoring Grafana
Connected Apps Monitoring Grafana DTL

Analyze Connected Apps

In the Excel file, add three columns to the right of the AppName column:

  • To keep
  • Profiles
  • Permission Sets

Unsecured Connected Apps Add Columns

The goal is to decide for each Connected App whether it should remain available, and who can use it.

Identify Connected Apps to keep

First, identify the Connected Apps you want to keep and mark them in the corresponding column.

  • The Last Usage Date and Profiles of users using it columns help you decide whether to keep access open. If the last usage was several years ago, you probably don’t need the Connected App.
  • If you don’t recognize a Connected App, you can see who used it and when by clicking the Unsecured OAuth Tokens (XLSX) button and filtering on the Connected App column. Ask the relevant users what those unknown apps are.

Connected Apps to keep
Connected Apps Auth Usage

If the only user is Platform Integration User, you can keep the app and restrict it to the System Administrator profile.

Define access for kept Apps

Filter your Excel file to display only rows with To keep = Yes.

For each Connected App that you decide to keep available, define who can access it using profiles, permission sets, or both.

  • Once a user is assigned to the specified profile or to one of the permission sets, they will be able to access the Connected App.

Enter profiles and/or permission sets in the corresponding columns.

Connected Apps Profiles PS
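The triage described in the two sections above (decide which apps to keep, then which profiles or permission sets may use them) is easy to do by hand for a handful of apps, but Production orgs often have dozens. The script below is an added example, not sfdx-hardis code: it assumes the Unsecured Connected Apps and Unsecured OAuth Tokens reports were saved as CSV with the column names shown on this page, uses constructed sample rows, and treats the inventory of known apps, the "several years" idle threshold (two years here) and the review date as assumptions you would replace with your own values. It applies the page's rules: block apps idle for years, keep apps used only by the Platform Integration User and restrict them to System Administrator, keep recently used known apps scoped to the profiles already using them, and flag unknown apps for review together with the users who authenticated to them.

```python
"""Triage helper for the Unsecured Connected Apps export (added example, not sfdx-hardis code)."""
import csv
import io
from datetime import date, datetime

# Constructed sample of the Unsecured Connected Apps report saved as CSV (not real data).
APPS_CSV = """AppName,Last Usage Date,Profiles of users using it
Data Loader,2025-09-02,System Administrator;Standard User
Legacy ETL Sync,2021-03-14,System Administrator
Flow Orchestrator,2025-08-30,Platform Integration User
Mystery App 42,2025-07-11,Standard User
"""

# Constructed sample of the Unsecured OAuth Tokens report, used to see who
# authenticated with an app that nobody recognizes.
TOKENS_CSV = """Connected App,Username,Last Usage Date
Mystery App 42,jane.doe@example.com,2025-07-11
Mystery App 42,bob.smith@example.com,2025-06-02
Data Loader,admin@example.com,2025-09-02
"""

# Assumptions: your own inventory of recognized apps, and how long "several years" is.
KNOWN_APPS = {"Data Loader", "Legacy ETL Sync", "Flow Orchestrator"}
MAX_IDLE_DAYS = 365 * 2
PLATFORM_INTEGRATION_USER = "Platform Integration User"


def parse_csv(text):
    """Read a CSV export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def users_of(app_name, tokens):
    """Usernames that hold an OAuth token for the given Connected App."""
    return sorted({t["Username"] for t in tokens if t["Connected App"] == app_name})


def triage(apps, tokens, today, known_apps=KNOWN_APPS, max_idle_days=MAX_IDLE_DAYS):
    """Return one decision row per app, filling the To keep / Profiles / Permission Sets columns."""
    decisions = []
    for row in apps:
        name = row["AppName"]
        last_used = datetime.strptime(row["Last Usage Date"], "%Y-%m-%d").date()
        profiles = [p for p in row["Profiles of users using it"].split(";") if p]
        idle_days = (today - last_used).days
        d = {"AppName": name, "To keep": "No", "Profiles": "", "Permission Sets": "", "Reason": ""}
        if idle_days > max_idle_days:
            # Not used for years: block it in Connected Apps OAuth Usage.
            d["Reason"] = f"idle for {idle_days} days: block"
        elif name not in known_apps:
            # Unknown app: ask the users who authenticated to it before deciding.
            d["To keep"] = "Review"
            d["Reason"] = "unknown app; ask users: " + ", ".join(users_of(name, tokens))
        elif profiles == [PLATFORM_INTEGRATION_USER]:
            # Only the Platform Integration User: keep, restricted to System Administrator.
            d["To keep"] = "Yes"
            d["Profiles"] = "System Administrator"
            d["Reason"] = "only the Platform Integration User: keep, restrict to System Administrator"
        else:
            # Recently used by known profiles: keep, scoped to exactly those profiles.
            d["To keep"] = "Yes"
            d["Profiles"] = ";".join(profiles)
            d["Reason"] = "recently used by known profiles: keep, scope to those profiles"
        decisions.append(d)
    return decisions


def run(today=date(2025, 9, 15)):
    """Triage the embedded sample reports as of the given review date (assumed)."""
    return triage(parse_csv(APPS_CSV), parse_csv(TOKENS_CSV), today)


if __name__ == "__main__":
    for d in run():
        print(f"{d['AppName']:<20} keep={d['To keep']:<7} profiles={d['Profiles'] or '-':<38} {d['Reason']}")
```

Apps marked Review stay unresolved until the users named in the Reason column have answered; the Permission Sets column is left empty here because the page leaves that choice to you, and you would fill it in the same way as Profiles once you know which permission sets should grant access.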


Update configuration

Click the Review OAuth Connected Apps button to open your org’s Setup page: Connected Apps OAuth Usage.

Connected Apps Review Button
Connected Apps Oauth Usage Setup

Block Connected Apps

For all Connected Apps that you don’t want to keep, click “Block”. A button Unblock will appear, indicating the Connected App is no longer accessible to anyone. Repeat this operation for all the apps you want to make unavailable.

Connected Apps Block Confirm

Secure Connected Apps

Apply the following steps to all the apps you want to keep available:

  • Install (install the app if not installed)
  • Configure App Policies
  • Select Profiles / Permission Sets

For all Connected Apps that you want to keep, click “Install” if the button appears.

  • If the button name is Uninstall, the app is already installed. You can skip this step and click Manage Policies.

Confirm the installation on the confirmation screen.

Connected Apps Install Validate

Configure App Policies

You can reach App Policies via the Manage Connected Apps Setup menu, after installing an app, or by clicking Manage Policies on Connected Apps OAuth Usage. Edit the policies of the app you want to secure by clicking Edit Policies.

Connected Apps Edit Policies

Select Admin Approved Users are Pre-authorized.

Define a token expiration (based on the app’s criticality and where the token is stored, you can set a longer or shorter duration). Click Save.

  • When a token expires, human users must re-authenticate using MFA/SSO, which is safer.
Connected Apps Edit Policies Update

Set Profiles and Permission Sets

On the Connected App policies page, you’ll see sections Profiles and Permission Sets. Select the Profiles and/or Permission Sets whose assigned users are allowed to access the Connected App.

Connected Apps Select Profiles PS


Verify your new configuration

After you’ve blocked or secured all Connected Apps, run the sfdx-hardis command Org Monitoring -> Unsecured Connected Apps again to verify that there are no remaining unsecured Connected App OAuth tokens.

Connected Apps All OK


Contact

Need help? Please contact our team.
