Salesforce MFA Enforcement: Your Last-Minute Preparation Checklist
Salesforce production enforcement for Multi-Factor Authentication (MFA) begins July 20, 2026, with a staggered 15-day window. Organizations at the beginning of this window will face immediate enforcement without prior warning. A brief pause occurred on July 1 due to an issue with security key prompts, but the enforcement schedule is now active. With limited time remaining, this guide outlines a day-by-day plan to ensure your organization is compliant.
Before Enforcement Begins:
- All users must have compliant MFA methods configured.
- Privileged users (e.g., System Administrators) require phishing-resistant MFA.
- SSO authentication signals must be validated.
- Integration accounts require review.
- Support staff must be prepared for user resets.
This plan assumes you're starting from scratch or need to finalize loose ends. It's structured to avoid a weekend of administrative work by front-loading critical tasks.
Day 1: Audit Your Setup and Communicate
Before making any configuration changes, understand your current environment.
Confirm Your Authentication Model
Determine how users log in to Salesforce:
- Salesforce-Native Login: Users authenticate directly with Salesforce credentials. MFA enrollment and enforcement are managed within Salesforce.
- Single Sign-On (SSO): Users authenticate via an external Identity Provider (IdP) like Okta, Microsoft Entra ID (Azure AD), Ping Identity, or ADFS. MFA must be enforced by the IdP, and Salesforce must receive proof of compliant authentication.
For SSO implementations, Salesforce relies on Authentication Methods References (AMR) and Authentication Context Class References (ACR) from the IdP. If these signals are not passed correctly, users may be prompted for Salesforce-native MFA or blocked from access. If you use SSO, collaborate with your identity team to ensure the IdP sends the appropriate phishing-resistant authentication signals.
Remediation Options for SSO:
- Configure your IdP to pass the required phishing-resistant authentication signals.
- Have affected privileged users register a Salesforce-native phishing-resistant method (e.g., passkey, FIDO2 security key) as a fallback.
Verifying your authentication model now will prevent significant troubleshooting later.
Identify System Administrator Accounts and Privileged Users
Identify all users with the System Administrator profile. Additionally, check for users granted elevated privileges through Permission Sets or Permission Set Groups, specifically those with permissions like Modify All Data, Manage Users, View All Data, Customize Application, or Author Apex. These users are mandated to use phishing-resistant MFA.
Use Data Loader or a similar tool to query the PermissionSetAssignment object to identify all active users with these permissions:
SELECT
Assignee.Id,
Assignee.Name,
Assignee.Email,
Assignee.Username,
Assignee.IsActive,
PermissionSet.Name,
PermissionSet.Profile.Name,
PermissionSet.PermissionsModifyAllData,
PermissionSet.PermissionsViewAllData,
PermissionSet.PermissionsCustomizeApplication,
PermissionSet.PermissionsAuthorApex
FROM
PermissionSetAssignment
WHERE
Assignee.IsActive = TRUE
AND (
PermissionSet.PermissionsModifyAllData = TRUE
OR PermissionSet.PermissionsViewAllData = TRUE
OR PermissionSet.PermissionsCustomizeApplication = TRUE
OR PermissionSet.PermissionsAuthorApex = TRUE
)
This query helps pinpoint active users holding affected permissions, irrespective of whether they are assigned via a Profile, Permission Set, or Permission Set Group.
Locate Users Needing MFA Method Registration
Run a standard identity verification methods report in Salesforce Setup to see which users still need to register an approved MFA method. Compile a list of all users and identify those who have not yet registered a verified authentication method.
Communicate Proactively:
- Send clear, concise communications explaining why MFA is being enforced (Salesforce org-wide, no opt-out).
- Specify the enforcement timeline for your organization.
- Provide step-by-step instructions for MFA enrollment.
- Establish a dedicated support channel (e.g., Slack, Teams, shared inbox) for user questions.
Your goal for Day 1 is to have a complete understanding of your org's MFA status and ensure no user is blindsided by lockout.
Resources:
- See How Your Users Verify Their Identity
- Which Salesforce Users Need Passkeys? A Quick Guide for Admins
- Multi-Factor Authentication for Salesforce
Day 2: Deploy MFA and Reinforce Communication
Today focuses on implementation and user enablement.
Register Backup Authentication Methods
Ensure every user registers at least one backup authentication method. Devices can be lost, reset, or damaged, leading to support overload if a user's only method is inaccessible. Prioritize users who may not have easy access to personal smartphones or dedicated devices (e.g., manufacturing, warehouse staff, contractors, shared workstations).
Deploy MFA Org-Wide
For most users, MFA deployment typically involves one of the following:
- Salesforce Authenticator: Salesforce's mobile app.
- Third-Party TOTP Applications: Google Authenticator, Microsoft Authenticator.
Note: Verification methods based on email, SMS, or voice calls do not satisfy Salesforce's MFA requirement and should not be used as a user's sole authentication method.
Enable Phishing-Resistant Methods in Setup
Configure and enable supported phishing-resistant MFA options for privileged users in Setup → Identity Verification. The following methods meet the phishing-resistant requirement:
- Built-in authenticators: Touch ID, Face ID, Windows Hello.
- FIDO2/WebAuthn security keys: YubiKey.
- Cloud-synced passkeys: Stored in compliant platforms like password managers.
Methods that do not qualify as phishing-resistant:
- Salesforce Authenticator push notifications.
- TOTP applications (Google Authenticator, Microsoft Authenticator, Authy).
- SMS-based verification codes.
- Email verification codes.
Ensure affected users understand the requirements and have ample time to register and test their devices.
Communicate Again
Send a final reminder to users regarding the enforcement timeline, enrollment instructions, and support channels. A well-timed reminder can significantly reduce support tickets.
Resources:
- Enabling Salesforce MFA: Top 5 Methods for Salesforce Admins
- Configure the MFA Verification Methods Available to Your Users for Salesforce Orgs
- Prepare for MFA Enforcement for All Employee Users
Day 3 (Friday): Address Non-Standard Logins and Edge Cases
This day is dedicated to handling integrations, middleware, and critical exceptions.
Integration Users, Middleware, and API Connections
Review all connected apps, external client applications, and integration user setups. Non-human logins that fail MFA will break business processes immediately. Address any fragile configurations now.
Request Exemptions (If Necessary)
For accounts like test automation or RPA tools that rely on the "Waive Multi-Factor Authentication for Exempt Users" permission, be aware this permission ceases to function automatically upon enforcement. Obtaining an exemption requires direct contact with Salesforce Support, which should not be attempted on the morning of enforcement. Initiate this process well in advance.
Validate SSO Signals
If using an IdP, follow up with your identity team to confirm that AMR and ACR signals are being passed correctly. These signals are crucial for Salesforce to verify upstream MFA compliance. Incorrect signals will result in users being blocked.
Key Takeaways
- Salesforce MFA enforcement is mandatory starting July 20, 2026, with a phased rollout.
- Understand your authentication model (Salesforce-native vs. SSO) to determine where MFA enforcement occurs.
- Privileged users require phishing-resistant MFA methods.
- Proactive user communication and training are critical to avoid support backlogs.
- Don't overlook integration accounts and API connections; they must also be compliant.
- Registering backup MFA methods for all users is essential.
- Verify SSO IdP configurations for correct AMR/ACR signal transmission.
- Exemptions for automated processes require direct Salesforce Support engagement and should be initiated early.
Leave a Comment