Contact Us 1-800-596-4880

Connected Apps for Organization Administrators

As an organization administrator at the root organization or business group level, you are the only user who can view and manage connected apps in Access Management. You can use authorization policies to dictate which apps can be authorized to access user data, and you can add apps that users want to use to an allowlist. To manage your connected apps, navigate to Access Management and select the Connected Apps tab. You can add apps in the Owned Apps section and manage app access in the Authorizations section. For more information about the Owned Apps section, see the documentation for app developers.

To maintain security, you can view and manage connected apps only if you have the Organization Administrator permission in the root organization or in the business group where the connected app resides.


You can use the Authorizations section to manage which apps are authorized to access your users' data. Click the …​ icon next to an application to view more details or to remove the app from your organization. When you revoke an app’s access, the app’s OAuth 2.0 access tokens and refresh tokens are revoked, and the app can no longer access user data.

You can configure one of two types of authorization policies for your users:

  • Unrestricted

    Organization members can authorize any connected app to act on their behalf.
  • Restricted

    Only connected apps that are added to an allowlist by an administrator can be authorized by organization members to act on their behalf.

By default, the Unrestricted policy is enabled. If you change the policy to Restricted, the application allowlist is enabled, and all existing application authorizations are added automatically. When using the Restricted policy, you may disable auto-approval of all internal apps, in which case each internal app must be added to the allowlist like any other connected app.

Application Allowlist

When the allowlist is enabled, organization users can use only applications that are on the allowlist. If a user attempts to authorize an app that is not on the allowlist, they are prompted to contact their organization administrator.

The interface the user sees when an app is not on the allowlist

Organization administrators are able to add the app to the allowlist by following the link given to them by the end user.

The interface the administrator sees when they add an app to the allowlist

Sometimes, apps start to ask for additional scopes. This happens when app developers add new features to their products and need to access more data in your organization. Previously allowed apps must be added to the allowlist again with the new set of scopes before your users can grant those additional scopes to the app.

The interface the administrator sees when they readd an app to the allowlist

Existing authorizations continue to work if the app is not added to the allowlist again. New authorizations using the already-allowlisted set of scopes are also allowed. Apps that remove scopes do not need to be added to an allowlist again.

Applications created by users in the same organization are marked as internal apps and do not need to be allowlisted manually.

Root Organization and Business Groups

By default, connected apps are configured at the root organization level, not at the business group (sub-organization) levels.

When you create a connected app to act on its own behalf using client credentials, you can choose which root organization or business groups to enable it in after you choose scopes.

A connected app that acts on behalf of a user receives its own access and permissions based on the scopes, organizations, and business groups to which the user has access.