From June 2026, Salesforce will introduce a new wave of security controls designed to strengthen protection in response to the growing number of attacks targeting Salesforce environments and their customers.
Failure to prepare in advance could negatively impact your users. To minimize disruption and stay ahead, it’s important to take action early and ensure your organization is ready.
Disclaimer
This guide is intended to help Salesforce Administrators comply with the upcoming security requirements. As part of its preparation, certain assumptions have been made regarding how Salesforce will enforce these changes. The guide will be updated as further information becomes available.
All steps outlined assume standard use of the relevant features. If your organization has implemented customizations in these areas, additional preparation may be required.
Require Multi-Factor Authentication (MFA)
What Does This Impact?
From June 2026, Salesforce will require Multi-Factor Authentication (MFA) across both Sandbox and Production environments. This applies to all internal users, including those with a Salesforce or Salesforce Platform licence.
While MFA is already a requirement for Production orgs, it is not currently enforced at a technical level. However, failure to implement MFA constitutes a breach of contractual obligations, and administrators may receive notifications reminding them of this requirement.
For users logging in via Single Sign-On (SSO), if the SSO provider does not enforce a sufficiently strong authentication method (for example, biometric verification or a physical security key), additional MFA may be required.
At present, it is unclear whether the new requirement will be enforced in the same way.
This change will impact all internal users accessing both Sandbox and Production environments, so it is important to ensure MFA is fully implemented ahead of the deadline.
How Can I Prepare in a Sandbox?
To get ahead of this requirement, you can enable MFA in your Sandbox environments now. This also gives users time to enrol in a verification method before the enforcement date.
To enable this, navigate to [MYDOMAIN]/lightning/setup/IdentityVerification/home
(e.g. resourceful-otter-64nvnn-dev-ed.trailblaze.my.salesforce.com/lightning/setup/IdentityVerification/home).
From this page, enable “Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org” to ensure MFA for all human logins to that environment.
For the best user experience, also enable “Show all verification method registration options instead of starting with built-in authenticators”, so that users see a list of all available methods rather than the system defaulting to built-in authenticators.

To monitor which users are enrolled for MFA, you can install the Multi-Factor Authentication Dashboard from Salesforce Labs for Admins Only via the URL below:
[MYDOMAIN]/packagingSetupUI/ipLanding.app?apvId=04to00000004DTQAA2
(e.g. resourceful-otter-64nvnn-dev-ed.trailblaze.my.salesforce.com/packagingSetupUI/ipLanding.app?apvId=04to00000004DTQAA2).
While this package provides a good baseline, you will likely need to customize these reports. These reports will show who is enabled for MFA, not who isn’t.
How Can I Prepare in Production?
MFA is likely already enforced in your Production environment. If not, you can follow the same steps to enforce this and work with your users to enrol a method.
Ensure All System Administrator Users Adopt Phishing-Resistant MFA for Login
What Does This Impact?
This update is currently expected to impact users assigned the System Administrator profile, although Salesforce has not yet formally confirmed this in the enforcement notice.
System Administrators will be required to enrol in a phishing-resistant MFA method in order to comply with the new requirement.
Supported methods include:
- Built-in authenticators (e.g. Windows Hello or Touch ID).
- Physical security keys (e.g. YubiKey).
Salesforce has not yet confirmed whether this requirement will be enforced technically or managed contractually, as is currently the case with MFA in Production orgs.
System admins will need access to a device that supports one of these authentication methods, or organizations may need to procure physical security keys.

How Can I Prepare in a Sandbox?
Built-in authenticators and Physical Security Devices are not enabled by default as MFA methods.
To enable these methods ahead of time, navigate to [MYDOMAIN]/lightning/setup/IdentityVerification/home
(e.g. resourceful-otter-64nvnn-dev-ed.trailblaze.my.salesforce.com/lightning/setup/IdentityVerification/home).
From this page, enable “Let users verify their identity with a built-in authenticator such as Touch ID or Windows Hello” and “Let users verify their identity with a physical security key (U2F or WebAuthn)”.

Enabling the feature doesn’t ensure compliance, as users still need to enrol in a supported method. You can monitor enforcement by using the Multi-Factor Authentication Dashboard from Salesforce Labs, which is mentioned above.
How Can I Prepare in Production?
To enable this in a Production environment, enable the same settings as in your Sandboxes. Enabling these methods is expected to have no user impact aside from allowing users to enrol in these methods going forward.
You can monitor compliance using the Multi-Factor Authentication Dashboard from Salesforce Labs.
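Because the dashboard reports who is enrolled rather than who is not, the gap list has to be derived. The Python below is an added example, not part of the Salesforce Labs package or any Salesforce tooling: it compares two constructed CSV exports (the column names and method labels are hypothetical) and lists active users with no registered method, plus System Administrators with neither a built-in authenticator nor a security key.

```python
import csv
import io

# Constructed sample exports. Column names and method labels are assumptions
# made for this example, not a Salesforce schema.
USERS_CSV = """username,profile,is_active
ada@example.com,System Administrator,true
bob@example.com,Standard User,true
cy@example.com,System Administrator,true
dee@example.com,Standard User,true
eve@example.com,Standard User,false
fay@example.com,System Administrator,true
"""

# One row per registered verification method.
METHODS_CSV = """username,method
ada@example.com,security_key
bob@example.com,totp
cy@example.com,salesforce_authenticator
cy@example.com,totp
"""

# The two method types the guide lists as phishing-resistant.
PHISHING_RESISTANT = {"built_in_authenticator", "security_key"}
ADMIN_PROFILE = "System Administrator"

def mfa_gaps(users_csv, methods_csv):
    """Return active users with no method and admins lacking a phishing-resistant one."""
    methods = {}
    for row in csv.DictReader(io.StringIO(methods_csv)):
        methods.setdefault(row["username"].strip().lower(), set()).add(row["method"].strip())
    not_enrolled, weak_admins = [], []
    for row in csv.DictReader(io.StringIO(users_csv)):
        if row["is_active"].strip().lower() != "true":
            continue  # inactive users cannot log in, so they are out of scope
        name = row["username"].strip().lower()
        registered = methods.get(name, set())
        if not registered:
            not_enrolled.append(name)
        # An admin with only TOTP or push approval still fails the admin requirement.
        if row["profile"].strip() == ADMIN_PROFILE and not (registered & PHISHING_RESISTANT):
            weak_admins.append(name)
    return {"not_enrolled": sorted(not_enrolled),
            "admins_without_phishing_resistant": sorted(weak_admins)}

if __name__ == "__main__":
    for label, names in mfa_gaps(USERS_CSV, METHODS_CSV).items():
        print(label, names)
```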
Restrict Login IP Addresses in Profiles
What Does This Impact?
Based on the current information available, this change will only impact you if any of your profiles have Login IP Ranges configured.
At present, Salesforce evaluates Login IP Ranges at the point of user login. If the user’s IP address falls within the permitted range, access is granted. If not, access is denied.

However, if a user’s IP address changes during an active session, Salesforce does not currently re-evaluate whether the session remains within the allowed ranges. Going forward, Salesforce will introduce the ability to enforce this check during an active session when a specific setting is enabled.
At this stage, it is unclear whether Salesforce will enable this setting by default across all orgs, or whether System Administrators will need to manually enable it within their environments.
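To make the difference between the two modes concrete, the Python below is an added example, not Salesforce code: it models login-only evaluation against per-request evaluation over constructed sessions and reports which users would start hitting blocks. The profile names, users and addresses are constructed, and what happens to a session after a blocked request is not modelled.

```python
from ipaddress import ip_address

# Constructed data: profile Login IP Ranges as (start, end) pairs and, per user,
# the source IP of the login followed by the IPs of later requests in that session.
RANGES = {"Sales": [("203.0.113.10", "203.0.113.50")], "Support": []}
SESSIONS = {
    "ann": ("Sales", ["203.0.113.20", "203.0.113.21"]),
    "raj": ("Sales", ["203.0.113.20", "198.51.100.7"]),   # IP changes mid-session
    "lee": ("Sales", ["198.51.100.7", "198.51.100.7"]),   # out of range at login
    "kim": ("Support", ["192.0.2.9", "198.51.100.7"]),    # profile has no ranges
}

def in_ranges(ip, ranges):
    """True if ip is inside any inclusive start-end range; no ranges means no restriction."""
    if not ranges:
        return True
    addr = ip_address(ip)
    for start, end in ranges:
        lo, hi = ip_address(start), ip_address(end)
        if addr.version == lo.version and lo <= addr <= hi:
            return True
    return False

def evaluate(request_ips, ranges, every_request):
    """Decision per request. Index 0 is the login, which is checked in both modes."""
    if not in_ranges(request_ips[0], ranges):
        return ["login-denied"]
    decisions = ["login-allowed"]
    for ip in request_ips[1:]:
        # Login-only mode never looks at the IP again after login.
        ok = in_ranges(ip, ranges) if every_request else True
        decisions.append("allowed" if ok else "blocked")
    return decisions

def newly_blocked(sessions, ranges_by_profile):
    """Users whose session passes today but hits a block with per-request checks."""
    affected = []
    for user, (profile, ips) in sessions.items():
        ranges = ranges_by_profile.get(profile, [])
        before = evaluate(ips, ranges, every_request=False)
        after = evaluate(ips, ranges, every_request=True)
        if "blocked" in after and "blocked" not in before:
            affected.append(user)
    return sorted(affected)

if __name__ == "__main__":
    print(newly_blocked(SESSIONS, RANGES))
```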
How Can I Prepare in a Sandbox?
Within Salesforce Setup, under Session Settings, you’ll find Enforce login IP ranges on every request.

To enable this ahead of enforcement, simply select this option and click Save at the bottom of the page.
Once enabled, you can test the behavior by simulating a user whose profile has Login IP Ranges and changing their IP address during an active session. This will confirm whether access is handled as expected. For completeness, you can test this against a range of users and SSO (if in use) to ensure existing processes remain unaffected.
How Can I Prepare in Production?
Once you have tested this in your sandboxes, complete the same steps to enable this in Production.
Enable a Transaction Security Policy (TSP) That Restricts Large Data Exports
What Does This Impact?
If you are using Salesforce Shield or Event Monitoring, this update applies to you. If not, this update is expected to have no impact.
If you do not already have one set up, a Transaction Security Policy (TSP) that applies when a user exports a report will be introduced. This means users will be prompted for their MFA method before they can export data from reports going forward.

How Can I Prepare in Sandbox and Production Environments?
You can either set up your own TSP if you do not have this already, or you can simply wait for Salesforce to auto-add this for you.
The current notice from Salesforce does not state whether this will be added to Sandboxes, Production orgs, or both.
Avoid Connecting from Anonymizing Proxies and High-Risk IP Addresses
What Does This Impact?
Salesforce already monitors and blocks high-risk connections such as those from anonymizing VPNs or other high-risk IP Addresses.
How Can I Prepare in a Sandbox and Production?
Salesforce will continue to monitor and block these connections, although it does not state whether this applies to both Sandbox and Production environments.
Summary
Against a threat landscape that is constantly evolving and an increase in successful attacks against Salesforce, I doubt this will be the last of the fast-tracked security updates that Salesforce pushes out over the next few months.
As more information about these updates becomes available, we will publish updates so you can prepare ahead of the current June enforcement date from Salesforce.
Other Resources
- Prepare for New Security Control Requirements in June 2026 (Salesforce Help)
- Multi-Factor Authentication for Salesforce Orgs (Salesforce Help)
- Enable Built-In Authenticators for Identity Verification in Salesforce Orgs (Salesforce Help)
- Enable Security Keys for Identity Verification in Salesforce Orgs (Salesforce Help)
- ReportEvent Policies (Salesforce Help)