FAQs

Q: What are managed Meta accounts?

A: Managed Meta accounts are an account type for business tools across Meta. Organizations are able to manage these accounts with administrative features including single sign-on (SSO) support, automated account provisioning and more. With work accounts, individuals can access Meta’s business tools (i.e. Business Manager) with their work credentials, separating login from their personal Facebook account. We plan to make these accounts available in H2 2023 to a limited number of clients (mainly larger advertisers).

Q: Which tools can be accessed with managed Meta accounts? Is there a limit to the number of tools that can be used?

A: We plan on making managed Meta accounts available as an option to access Meta business tools that are currently available in Business Manager.

Q: Are managed Meta accounts managed at the business/organization-level or at the individual user-level?

A: Migration to managed Meta accounts will be at the business or organization-level. As part of an organization migrating to work accounts, an admin will grant access to their employees to access Business Manager using their work credentials (e.g., work email address). The employee will then need to claim their work account as part of the setup process. Organizations will be able to manage employees’ work accounts centrally, with administrative features such as single sign-on, automated account provisioning and two-factor authentication.

Q: Are managed Meta accounts available for any business and Tech Providers to use?

A: We will begin rolling out managed Meta accounts in the second half of 2023. The product will first be made available to a limited number of closed beta testers (mainly advertisers) in early H2 2023, and we hope to do a phased rollout thereafter to enable more businesses and Tech Providers to access work accounts.

Once we make managed Meta accounts generally available, any eligible business and Tech Providers interested in accessing Meta business tools with a separate login will be able to do so at no additional cost. Eligibility includes requirements such as having client resourcing to support the migration and the technical know-how and tools in place, such as the ability to set up single sign-on and/or to provision users in work accounts via an identity provider. We'll share more information on general availability timelines as it becomes available.

Q: What is the user experience when re-integrating with 3P Tech Provider apps?

A: Meta is delaying the potential disruption by offering a 30-day grace period, during which the User/Page Access Token backed by a Facebook user still has access to the business assets via third-party APIs. During the 30-day grace period, the user needs to reauthenticate on a third-party Tech Provider’s surface and create a new access token for the Tech Provider to store. Here, “reauthenticate” means that the user authenticates with their MWA identity, reselects the same set of business assets, and passes back business permissions to the Tech Provider in the form of a new access token. If that 30-day grace period passes and the user has not authenticated or is still using their personal FB account, API calls will start failing.

Meta has a persistent 30-day banner in Business Manager that counts down and shows all the third-party apps that the user needs to re-authenticate with their managed Meta accounts. If a third-party app is only using a System User Access Token (SUAT), it will not show up in the section since migration doesn't impact system users.

Q: Do Tech Providers need to take their users through the regular Facebook Login or Facebook Login for Business?

A: Both regular Facebook Login and Facebook Login for Business will support managed Meta accounts. The end users who decide to migrate to Meta work accounts should be able to go through any existing web login integrations on the third-party developers’ surfaces. If end users encounter blockers throughout the flow, they’ll be able to use the “Help Center” at the end of their Meta work accounts onboarding flow to reach their Tech Providers for support. Tech Providers can still send Meta 1) a URL to their help center and 2) a generic support email address to be included in the “Help Center” for their end users.

Q: Will the managed Meta accounts login flow be the same to request an access token?

A: Yes, the login flow to request an access token will be the same regardless of whether the user is authenticating with their FB profile or their work account.

Q: Will a Tech Provider need to ask for any new permissions to support managed Meta accounts?

A: No, a Tech Provider will not need to ask for any new permissions or implement changes to support managed Meta accounts. Essentially, users can choose to adopt a work-issued account, and may wish to authenticate with a third-party app using this work account rather than their previously used FB account. The choice of which account to connect with will primarily be user driven.

Q: What can Tech Provider partners do to support end user migration?

A: If your app is accessing clients’ business assets using System User access tokens or partner sharing, your third-party integration should not be impacted. If your app is using User access tokens (or Page access tokens generated from User access tokens), your app’s permissions and access to business assets granted by personal Facebook accounts will not automatically transition to the new managed Meta accounts. Users will be required to regrant permissions to those business assets using their new work accounts to preserve your app's access to those assets.

To minimize potential disruptions to your API calls, it is recommended your app provides the following:

1. Ability to proactively reauthorize an asset (e.g. page, ad account) before token invalidation. This can be done by periodically checking the user_access_expire_time field of each asset and prompting the user to reauthorize if a timestamp is returned.

2. Ability for users to bulk reauthorize assets for disconnected or soon-to-be disconnected assets. This can be done by providing a "Reconnect" or "Replace Expired Tokens" button in your application that allows users to reconnect all their business assets at once instead of one by one. The button should trigger an API call to your server with a list of business asset IDs and a new access token as parameters. Your server can then use the new access token for each of the business assets in the list and store them securely in your application's database or storage.
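A sketch of both recommendations, added here as an illustration and not code from Meta: the first function flags assets whose `user_access_expire_time` came back with a timestamp, the second is the server side of a "Reconnect" button. The record shape, the `tenant` field, the timestamp format and the `store` dictionary are assumptions made for the example.

```python
from datetime import datetime, timezone

# Constructed sample records: one row per connected asset, as an app might cache
# them after reading user_access_expire_time. IDs, tenants and times are made up.
ASSETS = [
    {"id": "page_1001", "tenant": "acme", "user_access_expire_time": None},
    {"id": "act_2002", "tenant": "acme", "user_access_expire_time": "2023-09-01T00:00:00+0000"},
    {"id": "page_3003", "tenant": "acme", "user_access_expire_time": "2023-08-20T00:00:00+0000"},
    {"id": "page_9009", "tenant": "other", "user_access_expire_time": "2023-08-25T00:00:00+0000"},
]

def needs_reauthorization(assets, tenant, now=None):
    """List (asset_id, days_left) for a tenant's assets that returned a timestamp, soonest first."""
    now = now or datetime.now(timezone.utc)
    due = []
    for asset in assets:
        stamp = asset["user_access_expire_time"]
        if asset["tenant"] != tenant or stamp is None:
            continue  # no timestamp returned: nothing to prompt for
        # Assumed timestamp format (ISO 8601 with numeric offset).
        expires = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S%z")
        due.append((asset["id"], (expires - now).days))
    return sorted(due, key=lambda item: item[1])

def bulk_reconnect(assets, tenant, requested_ids, new_token, store):
    """Handle a "Reconnect" request: replace tokens only for assets this tenant already connected."""
    owned = {a["id"] for a in assets if a["tenant"] == tenant}
    accepted = [i for i in requested_ids if i in owned]
    rejected = [i for i in requested_ids if i not in owned]  # never trust the client's ID list
    for asset_id in accepted:
        # Hypothetical store keyed by (tenant, asset); encrypt at rest and never log the token.
        store[(tenant, asset_id)] = new_token
    return accepted, rejected
```

Rejected IDs are worth surfacing to the user and to your audit log, since they indicate a stale client view or a request for assets outside the caller's tenant.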

Q: If a user has granted a Tech Provider's app access to certain assets and they re-authenticate during the grace period, will the third-party app retain access to all of those assets (within the context of a specific Business Manager)?

A: Once a user logs in to a Tech Provider’s app with a work account via Facebook Login, they will need to re-select the assets from scratch. Once done, the third-party app will retain access to all of those assets, but only through the user access token associated with the user’s work account.

Q: Are there step-by-step CTAs that are required to be performed by Tech providers?

A: We cannot provide a definitive step-by-step end user experience because each 3P app and surface has different user flows / onboarding / access control, which results in a unique 3P installation experience.

Q: Are there any known issues preventing a user from re-authenticating with a Tech Provider’s app using managed Meta accounts?

A: We don’t support mobile FB Login with these account identities on third-party surfaces yet, so we recommend users authenticate accounts via web surfaces to avoid disruptions.

Q: What does a typical end user reintegration with a Tech Provider’s app look like?

A: When a user starts reintegrating with a Tech Provider’s app using their accounts:

  1. The User Access Tokens associated with their FB accounts will continue to be active for a 30-day grace period
  2. During that time, that user will need to log into the App via web surfaces and re-grant permissions to business assets using their accounts
    1. the user will need to do that for each App they use
    2. the user will need to do that for each Business Manager (BM) they are part of
    3. it is possible that a user may be logged into one BM using their personal account and a different BM using their managed Meta account
  3. The users will then be able to use the App with their managed Meta accounts; User Access Tokens associated with the Meta accounts are generated for Tech Providers to make API calls
  4. After 30 days, the original User Access Tokens associated with their FB accounts will lose access to the migrated business assets; the user can still re-authenticate at any time using their managed Meta account to complete reintegration

Note that users are migrated at business level, i.e. a user with access to multiple Business Managers will have multiple grace periods if they choose to not complete all their migrations at the same time. They need to finish migration for each business respectively.

Q: If a Tech Provider uses a System User Access Token as opposed to a User Access Token, will those connections be impacted by this rollout?

A: No, System User access tokens will not be impacted by this rollout. Only User Access Tokens belonging to the FB users that are migrating to managed Meta accounts will be impacted, due to loss of access to business assets.

Q: Would managed Meta accounts reintegration with a Tech Provider’s app affect the app status?

A: No. It won’t trigger additional app reviews or access verifications, nor will it lift any existing enforcements on the app.

Q: Will existing Facebook integrations within Tech Providers’ product need to be reconnected/unauthorized after this change?

A: No, existing Facebook integrations will not expire or be deactivated. Apps will still continue to be able to use these Facebook-backed User Access Tokens. However, since the user might transfer some business assets away from their Facebook profile to their new managed Meta account, API calls that depend on the FB profile having access to specific assets may start failing due to loss of permitted access.

Q: Could a Tech Provider have an account in pilot for testing?

A: Yes. The Meta work accounts sandbox self-testing tool will be accessible to Tech Provider partners via Dev Alert in Q2 ‘23.

Q: Will the managed Meta accounts need to be admins on the clients' pages in order to manage their listings and authenticate via OAuth?

A: Yes, the managed Meta accounts will need to be admins on the client pages and re-authenticate via OAuth. When a user migrates their business from their personal account to their managed Meta account, the admin permissions are transferred to the managed Meta account automatically, and existing accounts will not have access to those pages after the 30-day transition window is over.

Q: How would migrating to MWA impact Meta Business Extension (MBE) integrations?

A: When migrating to MWA, MBE integrations may also be affected. Third-party partners who have implemented MBE are guided during implementation to call the API to exchange personal User Access Token for the Business Manager’s System User Access Token. If a 3P partner follows this guidance, then businesses using their app for MBE will NOT have their MBE integrations affected when they migrate to MWA. However, MBE integrations will break for apps that do not follow the guidance and instead continue to use personal User Access Tokens. Meta still encourages businesses who migrate to MWA to reintegrate with MBE, regardless of whether the integration will break.