Services Revenue Cloud & CPQ Packages How We Work Blog Get a Free Consultation
Home Blog Security
Security · Admin

Salesforce MFA Enforcement Explained: What Changed and What You Need to Do

Salesforce paused its own security mandate then, one day later, it wasn't really paused anymore. Just rescheduled. Here's what that actually means for admins.

Salesforce MFA enforcement explained  what changed and what you need to do

On July 1, Salesforce hit pause on one of the biggest platform-level changes admins have dealt with all year. Then, one day later, it wasn't really paused anymore just rescheduled.

The timeline, in plain terms

Salesforce had been rolling out mandatory MFA for all employee users every internal login, direct or via SSO, with no org-level opt-out. Sandbox enforcement started June 22. Production was set to begin July 20.

Then on July 1, Salesforce quietly placed the whole thing on hold. The notice on its MFA enforcement Help page said enforcement changes were paused, with plans to resume "announced soon." A day later, on July 2, that notice was updated again this time with a new staggered schedule, starting with sandboxes on July 6.

The reason, according to Salesforce: a bug in the phishing-resistant MFA enrollment flow was incorrectly prompting users who already had security keys registered to re-enroll new ones. So: not a policy reversal. A technical fix, followed by a restart.

Why this matters now

If you're an admin, this is easy to misread as "we're off the hook." You're not. None of the prep work you've done is wasted. The requirements haven't changed only the clock has been reset and restarted on a new schedule.

There are actually two separate MFA requirements running on close but distinct timelines, and a lot of the confusion in the ecosystem comes from treating them as one thing:

The "Waive Multi-Factor Authentication for Exempt Users" permission is also going away as an automatic exemption. Test automation and RPA accounts that relied on it will need Salesforce Support approval going forward.

Salesforce MFA enforcement admin checklist
Treat this like a flight delay, not a cancellation the requirements didn't change, only the clock.

Vedsphere's take

The instinct to relax when you hear "paused" is understandable. It's also the wrong instinct here. Treat this the way you'd treat a flight delay, not a flight cancellation. The plane is still leaving you just have a little more time at the gate.

If your org hasn't audited who holds privileged permissions, hasn't confirmed SSO is passing the right authentication signals, or hasn't gotten every admin onto a phishing-resistant method this pause is a gift. Use it. It won't repeat indefinitely.

What to do this week

1

Audit privileged users

Pull a list of every user with the System Administrator profile or Modify All Data / View All Data / Customize Application / Author Apex permissions.

2

Confirm phishing-resistant methods

Make sure those users have a phishing-resistant method registered a security key or built-in authenticator, not just an authenticator app.

3

Check your SSO signals

If you use SSO, confirm your identity provider is sending the AMR or ACR signals Salesforce will actually recognize.

4

Review waiver usage

Find every account leaning on the exempt-users waiver permission and plan for Support approval before it's withdrawn.

Not sure if your org would pass an audit today?

Send us your current MFA setup and admin permission list. We'll give you a straight read on where the gaps are before enforcement resumes no deck, no pitch, just the honest answer.

Book a 20-min readiness check

Sourcing note: enforcement dates have shifted more than once this year and Salesforce has not committed to a final production date at the time of writing. Confirm the current schedule directly on Salesforce's MFA enforcement Help page before communicating internal deadlines to your team.

MFA Security Admin Compliance