If you’re a Salesforce Admin, chances are you may have heard the term Zero Trust mentioned in security conversations, architecture reviews, or compliance discussions. It’s one of those concepts that sounds important but can feel abstract when you are trying to apply it to day-to-day platform work.
The reality is that Zero Trust is becoming essential in modern Salesforce environments, especially as organisations rely more heavily on cloud platforms, remote working, and third-party integrations. Before we get into the practical steps, it is worth grounding ourselves in where most teams currently stand.
Why Zero Trust Feels Out of Reach for Many Teams
Recent findings in the SF Ben 2026 Salesforce Admin Survey show a clear gap in understanding and application.
Only 16.7% of respondents report being very familiar with Zero Trust, while 30.8% are somewhat familiar. A further 25.5% are aware of the concept but have not applied it, and 27% are not familiar at all.
That means more than half of teams are either unsure how to apply Zero Trust or have not started at all. For Salesforce Admins, this presents both a challenge and an opportunity.
The challenge is that security expectations are rising. The opportunity is that Salesforce is actually a strong platform for implementing Zero Trust principles in a structured and practical way.
What Zero Trust Actually Means in Salesforce
Zero Trust is not a product or feature. It is a security mindset. It shifts security thinking away from “inside the network is safe” to “nothing is trusted by default”.
Instead of assuming a user or system is safe because they can log in, Zero Trust assumes every request could be risky until proven otherwise. Each access request should be verified based on identity, device, and context.
A useful way to think about it in Salesforce is: How do we know this request is truly in service of our business, and not coming from a bad actor?
For Salesforce Admins and Architects, this means challenging long-standing assumptions and replacing them with principles such as:
- A logged-in user should not automatically have broad access
- A trusted integration should still be validated regularly
- A familiar device does not always mean a secure device
- Access should adapt based on context, not remain static
In practice, adopting Zero Trust helps you reduce risk, improve compliance, limit your attack surface, and gain clearer visibility into how data is accessed and used inside the Salesforce Platform.
Where to Start as a Salesforce Admin
You do not need to redesign your entire architecture to begin with Zero Trust! The key is to start with the fundamentals and build gradually.
Here are 5 practical ways to apply Zero Trust principles in Salesforce today.
1. Use Multi-Factor Authentication
Multi-Factor Authentication (MFA) is one of the simplest and most effective Zero Trust controls available. It ensures that even if credentials are compromised, access is not automatically granted.
In a Zero Trust model, MFA is not optional; it is a baseline requirement for identity verification.
Within Salesforce, MFA can be enforced across all users to ensure consistent authentication at login. For administrators, this should be one of the first security standards configured and applied across all environments.
Salesforce is also strengthening its MFA requirements: from June 2026 in sandboxes and July 2026 in production, MFA will be mandatory for all users, with phishing-resistant MFA required for users with elevated permissions such as administrators.
2. Enforce Least Privilege Access
Least-privilege access (often referred to as the Principle of Least Privilege) is one of the most important Zero Trust principles, and one of the easiest to get wrong over time.
It means users should only have the minimum level of access required to do their job, nothing more. In Salesforce, this is implemented through:
- Roles and role hierarchies
- Profiles, permission sets, and permission set groups
- Using a permission set-led permissions model
- Object and field-level security
- Organisation-wide defaults
- Sharing rules and manual sharing
The key is to avoid “permission creep”, where users gradually accumulate access they no longer need.
A useful admin habit is to regularly ask: Does this user still need this level of access today, or did they just inherit it from an older role or project?
3. Verify Devices and Session Context
Zero Trust not only looks at who the user is, but also how and where they are connecting. Device trust and session context are becoming increasingly important in cloud-first environments, especially with remote and hybrid working models.
In Salesforce, this can involve:
- Restricting access based on IP ranges or login hours
- Turning on “Enforce login IP ranges on every request”; this is not mandatory, but it is a best practice
- Using session security settings to control session duration
- Applying login flows for additional validation steps
- Reviewing connected device patterns for anomalies
The goal is not to block users unnecessarily, but to ensure that access patterns match expected behaviour.
4. Monitor User Behaviour and Data Activity
One of the most powerful aspects of Zero Trust is continuous verification. Access is not a one-time decision at login. It is an ongoing evaluation of behaviour. For Salesforce Admins, this means monitoring:
- Unusual login locations or times
- Large data exports
- Sudden changes in record access patterns
- Repeated failed login attempts
- Unusual report or API usage spikes
Tools such as Salesforce Shield and Event Monitoring give admins visibility into platform activity that would otherwise be difficult to track. Other ways to monitor activity in your Salesforce org include:
- Login History: Review user login attempts, including successful and failed logins, IP addresses, login times, and authentication methods.
- SOQL: You can run a SOQL query against the LoginHistory object to retrieve and analyse login activity programmatically, which is useful for reporting or automation.
- Setup Audit Trail: Track configuration changes made in your org, including who made changes in Setup, what was changed, and when it occurred. This is especially useful for investigating changes that would otherwise be difficult to trace.
This is where Zero Trust becomes operational rather than theoretical. You are not just setting permissions; you are actively watching how those permissions are used.
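As an added illustration (not code from the article), the block below shows the kind of programmatic review the SOQL bullet describes: a query against the standard LoginHistory object, and two triage checks run over a constructed sample of its output that flag repeated failed logins from one source and a successful login from a country the user has never logged in from before. The user Ids and IP addresses are made up, and the thresholds are assumptions to tune for your org.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# SOQL an admin runs against the standard LoginHistory object to export a week of
# login activity; SAMPLE_RECORDS below is a constructed stand-in for its output.
LOGIN_HISTORY_SOQL = ("SELECT UserId, LoginTime, SourceIp, Status, CountryIso "
                      "FROM LoginHistory WHERE LoginTime = LAST_N_DAYS:7 ORDER BY LoginTime")
def rec(user, when, ip, status, country):
    return {"UserId": user, "LoginTime": when, "SourceIp": ip, "Status": status, "CountryIso": country}

# Constructed sample (fake user Ids, RFC 5737 documentation IP ranges): user 005U1 takes a
# password-guessing burst at 02:10 that then succeeds from a country never seen before.
SAMPLE_RECORDS = [
    rec("005U1", "2026-03-02T08:00:00Z", "203.0.113.10", "Success", "GB"),
    rec("005U2", "2026-03-02T08:05:00Z", "203.0.113.11", "Success", "GB"),
    rec("005U1", "2026-03-03T02:10:00Z", "198.51.100.7", "Invalid Password", "US"),
    rec("005U1", "2026-03-03T02:11:00Z", "198.51.100.7", "Invalid Password", "US"),
    rec("005U1", "2026-03-03T02:12:00Z", "198.51.100.7", "Invalid Password", "US"),
    rec("005U1", "2026-03-03T02:13:00Z", "198.51.100.7", "Success", "US"),
    rec("005U2", "2026-03-03T09:00:00Z", "203.0.113.11", "Invalid Password", "GB"),
    rec("005U2", "2026-03-03T09:01:00Z", "203.0.113.11", "Success", "GB"),
]
def login_time(r):
    return datetime.strptime(r["LoginTime"], "%Y-%m-%dT%H:%M:%SZ")

def failed_login_bursts(records, threshold=3, window=timedelta(minutes=10)):
    """(UserId, SourceIp) pairs with at least `threshold` failures inside any window."""
    fails = defaultdict(list)
    for r in records:
        if r["Status"] != "Success":            # any non-success Status counts as a failure
            fails[(r["UserId"], r["SourceIp"])].append(login_time(r))
    flagged = set()
    for key, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(key)
    return flagged

def new_country_logins(records):
    """Successful logins from a CountryIso the same user has never succeeded from before."""
    seen, flagged = defaultdict(set), []
    for r in sorted(records, key=login_time):
        if r["Status"] == "Success":
            if seen[r["UserId"]] and r["CountryIso"] not in seen[r["UserId"]]:
                flagged.append((r["UserId"], r["CountryIso"], r["LoginTime"]))
            seen[r["UserId"]].add(r["CountryIso"])
    return flagged
```

In practice the baseline for "never seen before" should come from a longer history than the seven days queried, otherwise a new starter's first login looks like an anomaly.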
5. Control API and Integration Access
Modern Salesforce orgs are rarely standalone; they are connected to marketing platforms, ERP systems, data warehouses, and custom applications.
Each integration is effectively another identity accessing your data. Zero Trust requires you to treat these connections with the same scrutiny as human users.
For admins, this includes:
- Reviewing connected apps and OAuth scopes
- Limiting API access to only required objects and fields
- Rotating credentials and reviewing integration users
- Monitoring API usage for anomalies
- Ensuring integrations are tied to named integration users rather than shared accounts
Salesforce has moved away from Connected Apps to the newer External Client Apps. External Client Apps are designed to replace Connected Apps for simpler, more scalable integration management. They offer stronger, more consistent security controls and better alignment with OAuth and enterprise identity standards. Moving forward, be sure to use External Client Apps instead of Connected Apps.
The key mindset shift is this: an API call is still a request for data, and it should be verified just like a user login.
Final Thoughts
Zero Trust can sound like a large architectural shift, but in Salesforce, it is often a series of small, practical improvements.
If you are just starting out, focus on these three areas first:
- Enforce MFA consistently across all users – Salesforce requires this across sandboxes and production instances on a rolling basis from June 2026.
- Review and tighten user permissions using Least Privilege principles.
- Turn on monitoring to understand how data is being accessed.
From there, expand into device controls, session management, and integration governance. The important thing to remember is that Zero Trust is not a destination. It is an ongoing approach to how you think about security inside your Salesforce org.
For Salesforce Admins, this mindset is powerful. It moves you from reacting to security issues to proactively designing systems that assume risk is always present and continuously validated.