          Exclude Exempt Users from MFA for Salesforce Orgs


          Some use cases are exempt from the multi-factor authentication (MFA) requirement. When you or Salesforce enables MFA for your users, many of these use cases — including integration user access via the API — are automatically excluded. But there are a few cases that customers must exclude on their own. If any of these situations apply to your environment, use the Waive Multi-Factor Authentication for Exempt Users user permission.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: all editions
          User Permissions Needed
          To edit profiles and permission sets: Manage Profiles and Permission Sets
          Important

          As a safeguard against unauthorized account access, customers are contractually required to use MFA when logging in — either directly with a username and password or via single sign-on (SSO). To help users satisfy this requirement, MFA is automatically enabled for direct logins to production orgs. For full details about the MFA requirement, see the Salesforce Multi-Factor Authentication FAQ.

          The option to exclude a user from MFA is provided solely for use cases that are exempt from the MFA requirement, as documented in the Salesforce Trust and Compliance Documentation and the Salesforce Multi-Factor Authentication FAQ. Don’t assign this permission to internal users who log in to your Salesforce org’s user interface, including admins, privileged users, standard users, developers, and users such as partners and third-party agencies that are authorized to act on your company's behalf.

          Exclude these MFA-exempt use cases on your own.

          • User accounts for test automation tools, such as Selenium, Cucumber, or Appium

          • User accounts for Robotic Process Automation (RPA) systems

          • Users assigned an Employee Community license (that is, a Salesforce Platform license paired with either a Company Community for Lightning Platform permission set license or a legacy Company Community license)

          • Logins using a certificate service that requires a PIN before users can select or receive a user certificate (for example, when logging in with a PIV or CAC card)

          • Logins using a combination of a trusted device and a trusted network

          You can assign the Waive Multi-Factor Authentication for Exempt Users user permission via a permission set that you apply to exempt users. See Create Permission Sets, Enable User Permissions in Permission Sets, and Manage Permission Set Assignments.

          If you have custom profiles that are limited to exempt users, you can assign the user permission on the profile. See Profiles for guidance.

          Considerations:

          This permission overrides these MFA enablement options:

          • Multi-Factor Authentication for User Interface Logins user permission

          • Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org setting
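An audit sketch for the rules above, added here as an example and not Salesforce code: it models how the waiver overrides both enablement options and flags waiver holders that fall outside the exempt list. The `UserRow` fields, the use-case tags, and the sample accounts are assumptions standing in for an inventory export you would build yourself.

```python
from dataclasses import dataclass

# Hypothetical inventory tags, one per exempt use case listed on this page.
EXEMPT_USE_CASES = {
    "test_automation", "rpa", "employee_community",
    "pin_certificate", "trusted_device_and_network",
}

@dataclass
class UserRow:
    username: str
    use_case: str      # hypothetical tag maintained by the admin team
    waiver: bool       # Waive Multi-Factor Authentication for Exempt Users
    mfa_ui_perm: bool  # Multi-Factor Authentication for User Interface Logins

def mfa_enforced(row, org_requires_mfa):
    """Effective MFA state: the waiver overrides both enablement options."""
    if row.waiver:
        return False
    return row.mfa_ui_perm or org_requires_mfa

def audit(rows):
    """Return (username, finding) pairs for waivers that need review."""
    findings = []
    for row in rows:
        if not row.waiver:
            continue
        if row.use_case not in EXEMPT_USE_CASES:
            findings.append((row.username, "waiver on non-exempt use case"))
        elif row.mfa_ui_perm:
            # Exempt account, but the waiver silently cancels the MFA permission.
            findings.append((row.username, "waiver overrides MFA user permission"))
    return findings

# Constructed sample rows, not real accounts.
SAMPLE = [
    UserRow("selenium.bot@example.com", "test_automation", True, False),
    UserRow("admin@example.com", "admin", True, True),
    UserRow("rpa.worker@example.com", "rpa", True, True),
    UserRow("analyst@example.com", "standard_user", False, False),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
    for row in SAMPLE:
        print(row.username, "MFA enforced:", mfa_enforced(row, org_requires_mfa=True))
```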

           