Skip to main content
SFDC Developers
Admin

Salesforce MFA Enforcement Checklist for Admins

Vinay Vernekar · · 6 min read

Salesforce MFA Enforcement: Your Last-Minute Preparation Checklist

Salesforce production enforcement for Multi-Factor Authentication (MFA) begins July 20, 2026, with a staggered 15-day window. Organizations at the beginning of this window will face immediate enforcement without prior warning. A brief pause occurred on July 1 due to an issue with security key prompts, but the enforcement schedule is now active. With limited time remaining, this guide outlines a day-by-day plan to ensure your organization is compliant.

Before Enforcement Begins:

  • All users must have compliant MFA methods configured.
  • Privileged users (e.g., System Administrators) require phishing-resistant MFA.
  • SSO authentication signals must be validated.
  • Integration accounts require review.
  • Support staff must be prepared for user resets.

This plan assumes you're starting from scratch or need to finalize loose ends. It's structured to avoid a weekend of administrative work by front-loading critical tasks.

Day 1: Audit Your Setup and Communicate

Before making any configuration changes, understand your current environment.

Confirm Your Authentication Model

Determine how users log in to Salesforce:

  • Salesforce-Native Login: Users authenticate directly with Salesforce credentials. MFA enrollment and enforcement are managed within Salesforce.
  • Single Sign-On (SSO): Users authenticate via an external Identity Provider (IdP) like Okta, Microsoft Entra ID (Azure AD), Ping Identity, or ADFS. MFA must be enforced by the IdP, and Salesforce must receive proof of compliant authentication.

For SSO implementations, Salesforce relies on Authentication Methods References (AMR) and Authentication Context Class References (ACR) from the IdP. If these signals are not passed correctly, users may be prompted for Salesforce-native MFA or blocked from access. If you use SSO, collaborate with your identity team to ensure the IdP sends the appropriate phishing-resistant authentication signals.

Remediation Options for SSO:

  1. Configure your IdP to pass the required phishing-resistant authentication signals.
  2. Have affected privileged users register a Salesforce-native phishing-resistant method (e.g., passkey, FIDO2 security key) as a fallback.

Verifying your authentication model now will prevent significant troubleshooting later.

Identify System Administrator Accounts and Privileged Users

Identify all users with the System Administrator profile. Additionally, check for users granted elevated privileges through Permission Sets or Permission Set Groups, specifically those with permissions like Modify All Data, Manage Users, View All Data, Customize Application, or Author Apex. These users are mandated to use phishing-resistant MFA.

Use Data Loader or a similar tool to query the PermissionSetAssignment object to identify all active users with these permissions:

SELECT
    Assignee.Id,
    Assignee.Name,
    Assignee.Email,
    Assignee.Username,
    Assignee.IsActive,
    PermissionSet.Name,
    PermissionSet.Profile.Name,
    PermissionSet.PermissionsModifyAllData,
    PermissionSet.PermissionsViewAllData,
    PermissionSet.PermissionsCustomizeApplication,
    PermissionSet.PermissionsAuthorApex
FROM
    PermissionSetAssignment
WHERE
    Assignee.IsActive = TRUE
    AND (
        PermissionSet.PermissionsModifyAllData = TRUE
        OR PermissionSet.PermissionsViewAllData = TRUE
        OR PermissionSet.PermissionsCustomizeApplication = TRUE
        OR PermissionSet.PermissionsAuthorApex = TRUE
    )

This query helps pinpoint active users holding affected permissions, irrespective of whether they are assigned via a Profile, Permission Set, or Permission Set Group.

Locate Users Needing MFA Method Registration

Run a standard identity verification methods report in Salesforce Setup to see which users still need to register an approved MFA method. Compile a list of all users and identify those who have not yet registered a verified authentication method.

Communicate Proactively:

  • Send clear, concise communications explaining why MFA is being enforced (Salesforce org-wide, no opt-out).
  • Specify the enforcement timeline for your organization.
  • Provide step-by-step instructions for MFA enrollment.
  • Establish a dedicated support channel (e.g., Slack, Teams, shared inbox) for user questions.

Your goal for Day 1 is to have a complete understanding of your org's MFA status and ensure no user is blindsided by lockout.

Resources:

Day 2: Deploy MFA and Reinforce Communication

Today focuses on implementation and user enablement.

Register Backup Authentication Methods

Ensure every user registers at least one backup authentication method. Devices can be lost, reset, or damaged, leading to support overload if a user's only method is inaccessible. Prioritize users who may not have easy access to personal smartphones or dedicated devices (e.g., manufacturing, warehouse staff, contractors, shared workstations).

Deploy MFA Org-Wide

For most users, MFA deployment typically involves one of the following:

  • Salesforce Authenticator: Salesforce's mobile app.
  • Third-Party TOTP Applications: Google Authenticator, Microsoft Authenticator.

Note: Verification methods based on email, SMS, or voice calls do not satisfy Salesforce's MFA requirement and should not be used as a user's sole authentication method.

Enable Phishing-Resistant Methods in Setup

Configure and enable supported phishing-resistant MFA options for privileged users in Setup → Identity Verification. The following methods meet the phishing-resistant requirement:

  • Built-in authenticators: Touch ID, Face ID, Windows Hello.
  • FIDO2/WebAuthn security keys: YubiKey.
  • Cloud-synced passkeys: Stored in compliant platforms like password managers.

Methods that do not qualify as phishing-resistant:

  • Salesforce Authenticator push notifications.
  • TOTP applications (Google Authenticator, Microsoft Authenticator, Authy).
  • SMS-based verification codes.
  • Email verification codes.

Ensure affected users understand the requirements and have ample time to register and test their devices.

Communicate Again

Send a final reminder to users regarding the enforcement timeline, enrollment instructions, and support channels. A well-timed reminder can significantly reduce support tickets.

Resources:

Day 3 (Friday): Address Non-Standard Logins and Edge Cases

This day is dedicated to handling integrations, middleware, and critical exceptions.

Integration Users, Middleware, and API Connections

Review all connected apps, external client applications, and integration user setups. Non-human logins that fail MFA will break business processes immediately. Address any fragile configurations now.

Request Exemptions (If Necessary)

For accounts like test automation or RPA tools that rely on the "Waive Multi-Factor Authentication for Exempt Users" permission, be aware this permission ceases to function automatically upon enforcement. Obtaining an exemption requires direct contact with Salesforce Support, which should not be attempted on the morning of enforcement. Initiate this process well in advance.

Validate SSO Signals

If using an IdP, follow up with your identity team to confirm that AMR and ACR signals are being passed correctly. These signals are crucial for Salesforce to verify upstream MFA compliance. Incorrect signals will result in users being blocked.

Key Takeaways

  • Salesforce MFA enforcement is mandatory starting July 20, 2026, with a phased rollout.
  • Understand your authentication model (Salesforce-native vs. SSO) to determine where MFA enforcement occurs.
  • Privileged users require phishing-resistant MFA methods.
  • Proactive user communication and training are critical to avoid support backlogs.
  • Don't overlook integration accounts and API connections; they must also be compliant.
  • Registering backup MFA methods for all users is essential.
  • Verify SSO IdP configurations for correct AMR/ACR signal transmission.
  • Exemptions for automated processes require direct Salesforce Support engagement and should be initiated early.

Share this article

Get weekly Salesforce dev tutorials in your inbox

Comments

Loading comments...

Leave a Comment

Trending Now