On July 1, Salesforce hit pause on one of the biggest platform-level changes admins have dealt with all year. Then, one day later, it wasn't really paused anymore just rescheduled.
The timeline, in plain terms
Salesforce had been rolling out mandatory MFA for all employee users every internal login, direct or via SSO, with no org-level opt-out. Sandbox enforcement started June 22. Production was set to begin July 20.
Then on July 1, Salesforce quietly placed the whole thing on hold. The notice on its MFA enforcement Help page said enforcement changes were paused, with plans to resume "announced soon." A day later, on July 2, that notice was updated again this time with a new staggered schedule, starting with sandboxes on July 6.
The reason, according to Salesforce: a bug in the phishing-resistant MFA enrollment flow was incorrectly prompting users who already had security keys registered to re-enroll new ones. So: not a policy reversal. A technical fix, followed by a restart.
Why this matters now
If you're an admin, this is easy to misread as "we're off the hook." You're not. None of the prep work you've done is wasted. The requirements haven't changed only the clock has been reset and restarted on a new schedule.
There are actually two separate MFA requirements running on close but distinct timelines, and a lot of the confusion in the ecosystem comes from treating them as one thing:
- Standard MFA for all employee users sandboxes, then production, with no opt-out once enforced.
- Phishing-resistant MFA for privileged users System Administrator profile, or anyone with Modify All Data, View All Data, Customize Application, or Author Apex. A stricter bar: TOTP apps and push notifications don't satisfy this tier. Only security keys, built-in authenticators, or certificate-based auth qualify.
The "Waive Multi-Factor Authentication for Exempt Users" permission is also going away as an automatic exemption. Test automation and RPA accounts that relied on it will need Salesforce Support approval going forward.

Vedsphere's take
The instinct to relax when you hear "paused" is understandable. It's also the wrong instinct here. Treat this the way you'd treat a flight delay, not a flight cancellation. The plane is still leaving you just have a little more time at the gate.
If your org hasn't audited who holds privileged permissions, hasn't confirmed SSO is passing the right authentication signals, or hasn't gotten every admin onto a phishing-resistant method this pause is a gift. Use it. It won't repeat indefinitely.
What to do this week
Audit privileged users
Pull a list of every user with the System Administrator profile or Modify All Data / View All Data / Customize Application / Author Apex permissions.
Confirm phishing-resistant methods
Make sure those users have a phishing-resistant method registered a security key or built-in authenticator, not just an authenticator app.
Check your SSO signals
If you use SSO, confirm your identity provider is sending the AMR or ACR signals Salesforce will actually recognize.
Review waiver usage
Find every account leaning on the exempt-users waiver permission and plan for Support approval before it's withdrawn.
Not sure if your org would pass an audit today?
Send us your current MFA setup and admin permission list. We'll give you a straight read on where the gaps are before enforcement resumes no deck, no pitch, just the honest answer.
Sourcing note: enforcement dates have shifted more than once this year and Salesforce has not committed to a final production date at the time of writing. Confirm the current schedule directly on Salesforce's MFA enforcement Help page before communicating internal deadlines to your team.