Inicio de sesión con Facebook
Volver al documento en Español (España)
Este documento se ha actualizado.
La traducción en Español (España) no está disponible todavía.
Actualización del documento en inglés: 6 nov.
Actualización del documento en Español (España): 22 jun. 2023

Managed Meta Accounts & Third-party Integrations

Overview

Managed Meta accounts are an account type for business tools across Meta. Organizations are able to manage these accounts with administrative features including single sign-on (SSO) support, automated account provisioning and more. With these accounts, individuals can access Meta’s business tools, such as Business Manager, with their work credentials, without needing to use their personal Facebook account.

Since managed Meta accounts are meant to be used for work only, the following are constraints within the managed Meta accounts type:

  • Does not have a social timeline or Facebook News Feed
  • Cannot access consumer-facing products or surfaces on facebook.com, except for access to post as the Page
  • Cannot have personal asset permissions (must be through a business account)
  • Can only grant business app type permissions and cannot grant user_* related permissions, such as user_friends or user_posts. Note that managed Meta accounts can still complete login flows requests, but will ignore user_* related permissions.
Se ha producido un error
Tenemos problemas para reproducir este vídeo.
Más información

Third-party app integration

Businesses undergoing migration to managed Meta accounts will transition users from using their Facebook accounts to using their work credentials to access Meta’s business tools. Users must complete the migration process before the deadline, which is determined at the business level, to maintain access to Meta's first-party and third-party tools. It is important to note that the deadline is specifically set by the organization for individual users within particular business units. Upon successfully completing the migration, users will be able to log into Business Manager using their managed Meta accounts instead of their Facebook accounts, ensuring continued access to necessary tools and resources.

If your app is accessing clients’ business assets using System user access tokens or partner sharing, your third-party integration should not be impacted. If your app is using User access tokens (or Page access token generated from User access tokens), your app’s permissions and access to business assets granted by Facebook accounts will not automatically transition to the new managed Meta accounts. Users will be required to regrant permissions to those business assets using their new managed Meta accounts to preserve your apps' access to those assets.

Guidelines for Tech Providers

To proactively minimize potential disruptions to your API calls, it is recommended your app provides the following:

  • Ability to proactively reauthorize an asset (e.g. page, ad account) before token invalidation. This can be done by periodically checking the user_access_expire_time field of each asset and prompting the user to reauthorize if a timestamp is returned.
  • Ability for users to bulk reauthorize assets for disconnected or soon-to-be disconnected assets. This can be done by providing a "Reconnect" or "Replace Expired Tokens" button in your application that allows users to reconnect all their business assets at once instead of one by one. The button should trigger an API call to your server with a list of business asset IDs and a new access token as parameters. Your server can then use the new access token for each of the business assets in the list and store them securely in your application's database or storage.

    • Getting started with testing

    Sandbox to validate that managed Meta accounts are supported by your integrations.

    Test managed Meta accounts

    In the Test Users section of your app dashboard, we provide a way to create and manage simulated managed Meta accounts to test your app's implementation of Facebook Login and any permissions or features your app uses. By leveraging the Test User Tool's capabilities for creating and managing Meta account test users, you can ensure a smoother experience for users logged into managed Meta accounts while integrating Facebook Login functionality into your app.

    These test accounts cannot interact with real users, and any data you generate with a test user will only be visible to other test users on your app, or to real users who have an Administrator, Developer, or Tester role on your app. You can create, edit, delete, and login as a test user only through your App Dashboard (not via Graph API).

    Limitations

    Please refer to the primary documentation for additional details on test user limitations. The same limitations for test Facebook users apply to test managed Meta accounts, except that apps are limited to 1 test managed Meta account.

    Creating test work accounts

    You can create test users in the App Dashboard by going to the Test Users section in the Roles > Test Users panel, choosing the managed Meta accounts tab, and clicking the Create test users button. This will open a dialog that allows you a test account.

    The Create Test Accounts dialog allows you to:

    • Create a single test account.
    • Select whether the created test account will have the app installed by default.
    • Select the Graph API version to use in calls.
    • Grant permissions for the app for each test user.

    Once created, test users will appear in the managed Meta accounts table.

    Testing with managed Meta accounts

    You can test your app with a test account by using the test managed Meta account's credentials in Facebook Login and granting your app any permissions it needs. You can also grant your app permissions on behalf of a test user by clicking the ellipsis icon (•••) in the Options column within a given test user's row in the managed Meta accounts table. Clicking the ellipsis icon will give you the option to edit the permissions the test user has granted your app, generate User access tokens for the test user, and log into the test user's account.

    After you log into the test account, it is recommended that you assign the business assets needed to go through your app integrations successfully. You can do so by navigating to Business settings to manage your test user’s business portfolio and assets assigned to your test user such as pages, ad accounts, and product catalogs.

    Simulate migration with test users

    You can simulate the changes in business permissions that occur when a Facebook user transitions to a managed Meta account, allowing you to test the impact of user migrations on your app. To use this feature, visit the Facebook test user, click the ellipsis icon (•••) in the Options column, click Transfer business permissions to a managed Meta account, and follow the instructions.

    The following prerequisites must be met to use this feature:

  • Create a Facebook test user
  • Ensure the Facebook test user has access to a business portfolio with assets (like pages or catalogs)
  • Ensure the Facebook test user has granted permissions to the business data
  • Create a test user to transfer business permissions to

    • After you have completed a transfer, you will be able to:

  • Login with the account to preview the user onboarding experience
  • Fetch user_access_expire_time fields with Facebook test user’s User Access Token

    • Webhooks

    Webhooks are a tool for applications to receive automatic notifications about changes to a user's access to specific data assets. The Webhooks tool enhances your development application by providing timely automatic updates. Upon subscription, the webhook sends a notification to your development application. This notification includes a payload with the user's app-scoped ID and the expiration time.

    Key Features:

    • 30-Day Notification: The tool alerts you 30 days in advance when a user initiates the managed Meta accounts migration or extends their migration period.
    • Access Expiry Alert: It informs you precisely when access will be lost due to the migration.

    Note: The webhook notifications are triggered at the start of the 30-day window upon migration commencement. This ensures that your application is promptly informed about any crucial changes in user data access, allowing for a seamless transition and management of data assets.

    Subscribe

    To receive notifications, you need to subscribe to a user’s managed Meta accounts migration information. We will build a new Webhook for you to subscribe to.

    If you are new to the Webhook product, please follow our Webhooks Get Started guide to set up your webhook configuration, and test the webhooks topics you subscribe to.

    To set up the managed Meta accounts Webhooks, in the App Dashboard, go to Products > Webhooks, select Managed Meta Account from the dropdown menu, then click Subscribe to this object.

    Notification

    We will send out Webhook event notifications whenever a change to the managed Meta accounts migration expiration date (when users’ hybrid mode end) occurs. This will be during the creation of the migration and if the user requests for an extension on their hybrid mode and gets approved for a longer hybrid mode time.

    Example of managed Meta account event notification:

    {
  "field": "migration_expire_time",
  "value": {
    "user_id": "4444444444",
    "migration_expire_time" => "2024-05-04T10:00:00Z"
  }
}

    Migration APIs and troubleshooting

    The managed Meta account migration APIs and troubleshooting documentation provides information on how to determine which users and Business Accounts are migrating, their expiration date, and whether they are a managed Meta account or not. is_work_account is a boolean return type that indicates whether the user is using a managed Meta account or not. It is available in the User object. The user_access_expire_time field is a timestamp that indicates when the user's access to specific assets will be revoked. After this timestamp has passed, the user is expected to no longer have manage access to the assets. Subsequent API calls using the Facebook user's access token needing to access these specific assets will start returning permission errors. user_access_expire_time is available on the following objects:

    Limitations

    user_access_expire_time has certain limitations. It will only return expiration time data of assets which the user has explicit access through business permissions of the migrating business. For example, the data will only return a timestamp if the Facebook user is an admin of the Page through a migrating Business Account. Pages owned by the migrating business that are not directly assigned to the user will not yield a timestamp.

    Recommended usage

    The data can be used in various scenarios to enhance the functionality of your application and proactively reduce authentication and permission issues your end customers may encounter:
    • Debug whether access tokens received from your customer belongs to a managed Meta account
    • Debug when a user's access to business assets will expire
    • Send notifications or reminders to users when their access to specific assets is about to expire, and prompting them to authorize using their account to retain functionality
    • Handle API errors by detecting expired access and providing appropriate error messages or instructions to users to connect with their account with access to those business assets

    Example Graph API Calls

    1. Retrieving is_work_account status

    Request
    GET /<API_VERSION>/<USER_ID>?fields=is_work_account
    Response
    {
  "id": "<USER_ID>",
  "name": "Romane Richter"
  "is_work_account": true
}
    2. Retrieving user_access_expire_time during a 30 day window

    Request
    GET /<API_VERSION>/<OBJECT_ID>?fields=user_access_expire_time&access_token=<ACCESS_TOKEN>
    Response
    {
   "user_access_expire_time": "2023-06-23T12:00:00+00:00"
}
    3. Request to field before migration will return empty data

    Request
    GET /<API_VERSION>/<OBJECT_ID>?fields=user_access_expire_time&access_token=<ACCESS_TOKEN>
    Response
    {}
    4. Requests 30 days after migration (after user_access_expire_time) will likely throw errors

    Request
    GET /<API_VERSION>/<OBJECT_ID>?fields=user_access_expire_time&access_token=<ACCESS_TOKEN>
    Response
    {
  "error": {
    "message": "(#100) Object does not exist, cannot be loaded due to missing permission or reviewable feature, or does not support this operation. This endpoint requires the 'pages_read_engagement' permission or the 'Page Public Content Access' feature or the 'Page Public Metadata Access' feature. Refer to https://developers.facebook.com/docs/apps/review/login-permissions#manage-pages, https://developers.facebook.com/docs/apps/review/feature#reference-PAGES_ACCESS and https://developers.facebook.com/docs/apps/review/feature#page-public-metadata-access for details.",
    "type": "OAuthException",
    "code": 100,
    "fbtrace_id": "AZdHiJUBflrZnE-RNKrHAah"
  }
}

    Permissions and Errors

    To access user_access_expire_time and make API calls to it, developers should ensure that the required permissions are granted to load these objects. In the provided examples, if object-id is referring to a business object id, then the user must have been granted at least the business_management permission to load the object. Please refer here for more details.
    When attempting to access an asset after the expiration time, the API response should return a generic error with 100 and the type OAuthException. This indicates the object is no longer accessible via API, since the user no longer has access to the asset.

    See Also

    Visit the Tech Provider Integrations FAQs.

    API call disruptions related to managed Meta account migrations might be caused by:

    1. Users failing to migrate before the deadline set by their business/organization
    2. Users failing to re-authenticate with your apps using the managed Meta accounts
    Enlace permanente