Salesforce Halts MFA Enforcement Until Further Notice

By Mariel Domingo & Sasha Semjonova

Salesforce has officially halted multi-factor authentication (MFA) enforcement for all employee users until further notice. 

This has been confirmed through a notice on the MFA enforcement Help page that states, “Salesforce has placed these changes on hold. Plans to resume will be announced soon.” 

No word yet on why, and no firm date for when enforcement resumes. What does this update mean for you? Let’s dive in.

What’s Going On?

If you’ve been active in the Salesforce ecosystem lately, then you’ve probably heard of the latest security requirements they’ve been pushing for this year. The roadmap includes email verification, MFA updates, and step-up authentication on report exports. These changes even caused chaos for solo admins getting locked out of their own orgs, and it’s been the talk of the town on Reddit as well.

Well, the latest update comes fresh on the first day of July: Salesforce just hit pause on one of its biggest security mandates of the year. MFA for All Employee Users (the rule requiring every non-privileged internal user to complete multi-factor authentication on every login) has been placed on hold.

This pause comes after Salesforce announced it would be making MFA mandatory for all users, effective June 2026. Users were warned that if they were not enrolled in MFA by the deadline, they might need to complete verification steps every now and then to stay in Salesforce or, worse, be unable to log in.

At the time of writing, the updated notice is live on the MFA enforcement Help page. Salesforce had previously specified that it “strongly recommends that all users adopt phishing-resistant MFA methods (security keys and built-in authenticators), to ensure the highest level of protection against identity-based threats.”

It is currently unclear why these changes have been halted or when Salesforce plans to resume them. SF Ben has reached out to Salesforce for comment. 

The Initial Plan

Before the hold, this was shaping up to be one of the more consequential platform-level changes admins have dealt with in a while. Enforcement in Sandboxes began on June 22, and Production enforcement was set to begin July 20, 2026. 

Every internal user logging into Salesforce, whether directly via the UI or through SSO, was going to be required to complete MFA, with no org-level opt-out. The only remaining date, the production rollout, is now explicitly listed in the article as “on hold until further notice”, alongside the sandbox rollout that had already started.

The Ongoing Security Dilemma 

The halt of Salesforce’s MFA enforcement adds to the company’s confusing recent security rollout, where the SaaS giant has enforced and then gone back on certain updates.

If/when this resumes:

  • The org-wide MFA toggle would become permanent, and the setting “Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org” could no longer be deselected once enforced.
  • “Waive Multi-Factor Authentication for Exempt Users” would stop working automatically. Owners of test automation and RPA accounts relying on this permission would need to reach out to Salesforce Support for approval on the exemption.
  • Trial orgs converted to paid subscriptions would lose their 30-day MFA grace period.
  • SSO users would need verified AMR/ACR signals, proven by the identity provider.

Paused, Not Cancelled

If you’ve already done (or been working on doing) the prep work, don’t worry because none of it was wasted. All of that still applies the moment enforcement resumes. This announcement is only meant to be treated as a delay, and does not mean you should stop the project.

A public rollback of a mandatory and dated security enforcement (especially one that had already started rolling out in sandboxes) isn’t something that happens often. This hold raises questions about whether there was a technical issue with the rollout, or maybe a spike in support tickets or lockouts. It might be something else entirely, but Salesforce has yet to confirm or provide more info.

Admins who were racing toward the July 20 production deadline just got some breathing room, but “plans to resume will be announced soon” is pretty vague on its own. Standing down entirely feels like the wrong call, so just keep moving on your MFA readiness in the meantime – you’ll thank yourself when the next date drops.

Final Thoughts

As we get more information on this particular situation, we will update this blog post. Stay tuned.

The Authors

Mariel Domingo

Mariel is a Technical Content Writer at Salesforce Ben.

Sasha Semjonova

Sasha is the Salesforce Reporter at Salesforce Ben.
