Enable MFA for Human Logins to Integration User Accounts (Salesforce Orgs)

Note For full details about the contractual requirement to use MFA, see the Salesforce Multi-Factor Authentication FAQ.

Salesforce automatically enables the Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org setting in production orgs. If an org is used solely for integration purposes, rest assured that this setting doesn’t have any impact on your org’s operations. It’s safe and recommended to leave this setting turned on as an easy way to ensure human logins to integration accounts are covered by MFA.

If the MFA org-wide setting is disabled, you can turn on MFA for integration users by assigning the Multi-Factor Authentication for User Interface Logins permission. See Enable MFA for External Experience Cloud Site Users (or Specific Internal Users). This permission applies only if someone logs in to the integration account through the user interface. REST or SOAP API calls aren’t affected.

After MFA is enabled for an integration account, the first person who logs in to the account is prompted to register an MFA verification method. It’s necessary to complete this step. If additional admins need access to the same account, they can generate a temporary verification code before logging in.

Considerations:

• To avoid breaking your integrations, don’t set Session Security Level Required at Login on the user’s profile to High Assurance.

• It’s a best practice to apply the Api Only User permission to profiles for dedicated integration users. This permission doesn’t effect whether MFA is required for integration users. When MFA is enabled, it applies only to human logins, not logins via the API.