Security / Admins / News

Salesforce Pauses MFA Enforcement: What You Need to Know

By Mariel Domingo & Sasha Semjonova

Salesforce has officially paused multi-factor authentication (MFA) enforcement for all employee users until further notice. 

This has been confirmed through a notice dated July 1 on the MFA enforcement Help page that stated, “Salesforce has placed these changes on hold. Plans to resume will be announced soon.”  The notice, most recently dated July 2, now states that the rollout for the MFA for All Employee Users enforcement is resuming per a new schedule.

What’s Going On?

If you’ve been active in the Salesforce ecosystem lately, then you’ve probably heard of the latest security requirements they’ve been pushing for this year. The roadmap includes email verification, MFA updates, and step-up authentication on report exports. These changes even caused chaos for solo admins getting locked out of their own orgs, and it’s been the talk of the town on Reddit as well.

Well, on July 1, Salesforce hit pause on one of its biggest security mandates of the year. MFA for All Employee Users (the rule requiring every non-privileged internal user to complete multi-factor authentication on every login) has been placed on hold.

New Enforcement Schedule

Come July 2, the most recent update states that the new enforcement schedule is as follows:

  • Sandboxes: starting July 6, 2026 (staggered over a 2-day window).
  • Production: starting July 20, 2026 (staggered over a 15-day window).

This stalling effort comes after Salesforce announced it would be making MFA mandatory for all users, effective June 2026. Users were warned that if they were not enrolled in MFA by the deadline, they may need to do verification steps every now and then to stay in Salesforce, or worse, not be able to log in.

READ MORE: How to Prepare for Salesforce’s Mandatory MFA Changes in 2026

At the time of writing, the updated notice is currently live on the MFA enforcement Help page. Salesforce had previously specified that it “strongly recommends that all users adopt phishing-resistant MFA methods (security keys and built-in authenticators), to ensure the highest level of protection against identity-based threats.”

Salesforce told SF Ben that it “briefly delayed enforcement while we worked to resolve an issue in which users with existing security keys were incorrectly prompted to register new ones during the phishing-resistant MFA enrollment process.” This is why there is a new enforcement timeline.

The Initial Plan

Before the hold, this was shaping up to be one of the more consequential platform-level changes admins have dealt with in a while. Enforcement in Sandboxes began on June 22, and Production enforcement was set to begin July 20, 2026. 

Every internal user logging into Salesforce, whether directly via the UI or even through SSO, was going to be required to complete MFA, with no org-level opt-out. 

The Ongoing Security Dilemma 

The halt of Salesforce’s MFA enforcement adds to the company’s confusing recent security rollout, where the SaaS giant has enforced and then gone back on certain updates.

READ MORE: Why Salesforce’s Security Push Feels So Disjointed

When this resumes:

  • The org-wide MFA toggle would become permanent, and the setting “Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org” can no longer be deselected once enforced
  • “Waive Multi-Factor Authentication for Exempt Users” would stop working automatically. Test automation and RPA accounts relying on this permission would need to reach out to Salesforce Support for approval on the exemption.
  • Trial orgs converted to paid subscriptions would lose their 30-day MFA grace period.
  • SSO users would need verified AMR/ACR signals, proven by the identity provider

Paused, Not Cancelled

If you’ve already done (or been working on doing) the prep work, don’t worry because none of it was wasted. All of that still applies the moment enforcement resumes. This announcement is only meant to be treated as a delay, and does not mean you should stop the project. Admins who were racing toward the July 20 production deadline just got some breathing room. 

Salesforce also reiterated that PR-MFA and MFA are critical security controls, and they strongly encourage customers to proactively deploy them as soon as possible and well ahead of the enforcement dates.

Final Thoughts

As we get more information on this particular situation, we will update this blog post. Stay tuned.

The Authors

Mariel Domingo

Mariel is a Technical Content Writer at Salesforce Ben.

Sasha Semjonova

Sasha is the Salesforce Reporter at Salesforce Ben.

Leave a Reply