How connecting an app works
Add the app in AccessOwl
Either add a new application or open Applications and click the +-symbol, then continue. The setup instructions show you the integration account’s email address and the role it needs in the app.
Invite the integration account to the app
Invite the integration account to the app and assign it the role listed in the setup instructions. AccessOwl needs this role to create and remove user accounts on your behalf. The same integration account is reused for every app you connect.
The integration account lives in your Google Workspace or Microsoft 365 and receives the app’s invitation email there. For Google Workspace, Gmail must be enabled and 2-Step Verification must be available for the integration account. See Google Workspace for details.
What the pending status means
After you connect an app, the integration shows as pending until the setup is complete. AccessOwl is either waiting for the integration account to be invited to the app, or still finishing the account setup and the first user sync. As long as you have completed the invitation step, no action is needed on your side. The setup can take up to 10 hours, but it usually completes much faster than that. If the integration stays pending longer than expected, double-check that the invitation was sent to the integration account’s email address and that the assigned role matches the setup instructions.Connection errors
When AccessOwl can’t connect to an app, the integration shows one of three error states.Integration account not invited
AccessOwl could not find the integration account in the app. Invite the integration account, give it the role listed in the setup instructions, and click Retry.Not enough permissions
The integration account exists in the app, but its role does not allow it to manage users. Verify that the integration account has the role listed in the setup instructions and click Retry.Access denied
The integration account is blocked from signing in to the app. The most common causes:Google Error 403 - App not enabled for user
Google Error 403 - App not enabled for user
This error comes from Google, not from the app. SAML sign-in is enforced for the app on your side, and the integration account is not part of the Google group tied to the app yet. Google recognizes the account but blocks it from the app.Add the integration account to the Google group tied to the app’s SAML configuration, then click Retry.
The integration account is behind Okta or OneLogin
The integration account is behind Okta or OneLogin
The integration account authenticates directly with Google or Microsoft. If it is placed in an organizational unit that enforces Okta or OneLogin authentication, it cannot complete the sign-in.Move the integration account to an organizational unit where standard Google or Microsoft authentication is allowed and Okta or OneLogin is not enforced, then click Retry.
The same limitation applies to apps themselves. An app that only allows sign-in through Okta or OneLogin is not supported, because the integration account cannot complete that authentication flow.
Access Denied - Invalid Credentials
Access Denied - Invalid Credentials
The integration account’s password or 2FA was changed. These credentials are managed automatically and must never be replaced. Contact AccessOwl Support to restore the account.
While an integration is in an error state, affected provisioning and deprovisioning tasks are reassigned to the Application Admin, so requests are never silently dropped.
FAQ
Who manages the integration account's password and 2FA?
Who manages the integration account's password and 2FA?
The integration account is set up automatically with a passphrase and 2FA via TOTP. Never replace the password or the TOTP, as this breaks the connection for all apps using the account. If your organization has a policy that requires passwords to be rotated after a set amount of time, contact AccessOwl Support.
How do I disconnect an app that is connected to AccessOwl?
How do I disconnect an app that is connected to AccessOwl?
Disconnecting an integration is not self-serve. Contact AccessOwl Support and we will disable the integration for you.
Does AccessOwl deactivate, remove, or delete users?
Does AccessOwl deactivate, remove, or delete users?
It depends on what the app supports. AccessOwl always prefers the least destructive action first, in this order: deactivate, then remove, then delete. Each app’s page in this section states the exact action AccessOwl performs for that app.If the user owns any assets in the app, AccessOwl transfers them to the user’s manager before revoking access. If no manager is available, the assets are transferred to the business owner.
Does the integration account purchase a seat when none are left?
Does the integration account purchase a seat when none are left?
No. The integration account never purchases a seat or license. If the app has no seats left, the provisioning request results in a reassignment error and the task is reassigned to the Application Admin.