Action Required: Phishing-Resistant MFA Is Now Mandatory for Salesforce Privileged Users
Salesforce is enforcing stronger login security for privileged users, and the deadlines are no longer theoretical. If your organization has System Administrators or any users with elevated permissions, action is needed now, not on your next maintenance window.
The enforcement timeline
Sandbox instances: Enforcement began July 10, 2026, rolling out instance by instance.
Production instances: Enforcement begins July 20, 2026, staggered through late July.
If you haven’t already confirmed your privileged users are enrolled in a qualifying MFA method, this is the week to do it.
Who’s affected
This requirement doesn’t apply to every user in your org, but it applies to more people than "System Administrator” alone suggests:
- System Administrator profile users — the most obvious group, but not the only one.
- Users with Modify All Data, View All Data, Customize Application, or Author Apex permissions. If you’ve granted any of these permissions outside the System Administrator profile (a common pattern for build teams, integration owners, or senior admins), those users are in scope too.
- SSO users. If your org authenticates via single sign-on, your Identity Provider must send phishing-resistant signals during the login flow. If it doesn’t, affected users will be prompted to enroll in a qualifying method directly.
It’s worth a quick audit of permission sets and profiles rather than assuming this only touches your admin team.
What counts as phishing-resistant MFA
Salesforce is raising the bar specifically because some widely used MFA methods can be phished or intercepted. The methods that meet the new requirement are:
- Passkeys
- Touch ID / Face ID
- Windows Hello
- YubiKey or other hardware security keys
What doesn’t qualify: authenticator apps, SMS codes, and email one-time passcodes no longer meet the phishing-resistant requirement for privileged users. If your admins are currently relying on any of these, they’ll need to enroll in a qualifying method before enforcement takes effect for their instance.
A change to the exemption process
One detail worth flagging separately: the "Waive MFA for Exempt Users" permission will no longer automatically exempt users once enforcement begins. This has been a common way for automation and integration users to bypass MFA, and that automatic bypass goes away.
If you have integration or automation users who genuinely need an exemption, you’ll need to open a Salesforce Support case to request it. This isn’t something you can configure your way around at the permission-set level anymore, so it’s worth identifying which of your integration users fall into this category now, before enforcement catches you off guard.
What to do this week
- Identify every user with the System Administrator profile or with Modify All Data, View All Data, Customize Application, or Author Apex permissions.
- Confirm each of those users is enrolled in a qualifying phishing-resistant MFA method.
- If you use SSO, confirm with your Identity Provider that phishing-resistant signals are being sent.
- Flag any automation or integration users that will need a Support-case exemption, and open those cases before enforcement hits your production instance.
If you want help auditing who’s actually in scope or getting your admins enrolled before the July 20 production deadline, reach out — this is exactly the kind of deadline-driven cleanup we help clients get ahead of.
Ready to envision more?
Let's talk about your systems, your goals, and where the gaps are.
Schedule a free consultation