Configure OAuth Policies: Manage External Client App OAuth Usage
Control Name
External Client Apps: Configure OAuth Policies: Manage External Client App OAuth Usage
Recommended Configuration
Manage External Client App OAuth Usage.
Control Overview
This security setting provides Salesforce admins with a centralized interface to monitor, install, and block individual External Client App instances to regulate which third-party integrations can actively access organizational data.
Security Risk If Not Configured
Unmonitored OAuth usage by external client applications allows unauthorized application activity and data exfiltration to proceed undetected, because admins have no visibility into active session lifecycles or the permissions each integration holds.
Threat Scenarios
A previously authorized but now insecure third-party application continues to programmatically harvest sensitive records long after its business utility has ended, because the admin has no mechanism to audit or revoke its active OAuth footprint.
Estimated CVSS Score Range
High (7.0–8.9).
Risk Impact Considerations
Failure to actively manage application usage results in an unmanaged attack surface where compromised external services can maintain a persistent connection to the Salesforce environment without being subject to periodic security reviews.
Higher Risk When
When external applications are granted broad scopes—such as full data access or refresh token capabilities—and are not subject to automated session expiration or IP-based restrictions.
Low Risk When
When the company uses real-time Event Monitoring to alert on unusual API traffic patterns and enforces a strict approval process before any External Client App can be installed in the production environment.
Business and Integration Considerations
Implementing usage management helps keep the company compliant with data processing agreements, though blocking a widely used integration without prior notice can interrupt critical business processes.
Recommended Remediation
Go to the OAuth Usage page for External Client Apps to review active integrations, uninstall unnecessary applications, and block any suspicious or unapproved clients from accessing the org.
Security Health Review Guidance
Security Health Review identifies continuous monitoring of OAuth usage as a strongly recommended standard for maintaining a hardened security posture, ensuring that all third-party access is explicitly tracked and aligned with current business requirements.