What Salesforce Disabling the Creation of Connected Apps Really Means for Admins
Salesforce just announced a security-related change coming in Spring ’26 that affects how connected apps are created. If your first reaction was, “Okay… but do I actually need to do anything?”, you’re not alone.
The short answer: probably not right now. The longer answer: this is a signal about where Salesforce integrations are headed, and it’s worth understanding what’s changing so you’re prepared.
Let’s break it down in plain English.
First, what’s not changing
This update is not about shutting off your existing integrations.
All existing connected apps will continue to work
You can still edit, install, deploy, and delete connected apps
Connected apps can still be deployed to new orgs
Nothing will suddenly stop working in Spring ’26
If you already have SSO tools, integrations, or third-party apps using connected apps today, they will keep running as they do now.
So… what is changing?
Starting in Spring ’26, Salesforce will no longer allow customers to create new connected apps by default.
Here’s what that means in practice:
Admins won’t be able to create new connected apps via:
Setup UI
APIs
The only exceptions:
Connected apps created as part of a package installation
Or if Salesforce Support temporarily enables creation for your org
This is part of Salesforce’s long-term plan to retire connected apps and replace them with something newer and more secure called External Client Apps (ECAs).
Why is Salesforce doing this?
Connected apps have been around for a long time, and while they work, they come with some challenges:
Packaging and distribution can be clunky
Security controls are harder to manage at scale
They weren’t designed for modern integration patterns
External Client Apps (ECAs) are Salesforce’s “next-generation” version of connected apps. They:
Offer stronger security controls
Use second-generation managed packaging
Are easier to distribute and manage long term
Rather than turning off connected apps overnight, Salesforce is taking a gradual approach:
Stop creating new connected apps
Give customers time to inventory and migrate
Eventually move connected apps to End of Support
What should Admins do now?
1. Stay aware and Prepare
Any time you approve an app that connects to Salesforce, you’re granting access to your data.
Good habits still apply:
Only approve apps from vendors you trust
Be cautious if someone asks you (via email or phone) to install an app
When in doubt, pause and verify
If something feels suspicious, report it to:
Your Salesforce admin team
Your security team
Salesforce Security: security.salesforce.com/contact
2. Inventory your existing connected apps
You don’t need to migrate everything tomorrow, but you should know what you have.
A simple inventory can include:
App name
What it integrates with
Business owner
Whether it’s still actively used
This gives you a head start as Salesforce moves closer to full End of Support. You can easily see what connected apps are actually being used by navigating to Setup > “Connected Apps OAuth Usage“. Click on the number in the “User Count“ column to see which users are using the connected app and when they last used it. (FYI, if no one has used it in a while, best practice is to revoke all connected users’ access)
3. Start planning for External Client Apps (ECAs)
If you’re:
Building new integrations
Working with vendors on new SSO solutions
Installing modern third-party apps
Expect to see ECAs instead of connected apps more often.
Over time, “How do we create a connected app?” will turn into:
“Does this vendor provide an External Client App or managed package?”
This is an important question to start asking now when evaluating solutions and the vendor mentions SSO authentication or connected app authentication (not to be confused with External Client Apps, which are a different configuration, much more secure, and not mentioned in this change).
What will approving SSO and integrations look like going forward?
For admins, the experience will shift from building integrations yourself to approving packaged integrations.
More often, you’ll:
Install a managed package that includes an ECA
Review access scopes and permissions
Assign users or permission sets
Approve the app only after validating the vendor and use case
In other words, less custom setup, more standardized, secure installs.
Salesforce already added a new layer of security to connected apps in 2025 that now prevents users from connecting anything via SSO without specific permissions in Salesforce. So you shouldn’t expect to see any impact on user experience.
The big takeaway
This update is less about immediate action and more about direction.
Nothing breaks in Spring ’26
Existing connected apps are safe (for now)
Salesforce is clearly signaling the future: External Client Apps
Admins should shift from creating or approving integrations to governing and approving them
If you start inventorying now and expect ECAs for new integrations, you’ll already be ahead of the curve.
And honestly? That’s a pretty good place for admins to be.
Ready to Measure and Drive User Adoption?
Curious what your users are actually doing in Salesforce all day? Struggling to capture meaningful metrics on user adoption and usage of the platform? RecordWatch is the first fully Salesforce native solution available on the Salesforce AppExchange that was designed specifically for admins, managers, and leadership to measure and drive Salesforce adoption!
Check out our on-demand demo to learn how RecordWatch can help your organization measure and drive Salesforce adoption.
