How to Satisfy the MFA Requirement for the Partner Admin Shared Login Use Case

Contents

• Solution for Satisfying the MFA Requirement for the Partner Admin Use Case
• Who Should Implement the Partner Admin Use Case Solution
• How to Apply the Partner Admin Use Case Solution
• Deadline for Implementing the Partner Admin Use Case Solution
• Where to Get More Help
• Frequently Asked Questions

Solution for Satisfying the MFA Requirement for the Partner Admin Use Case

We strongly recommend that customers supply their Salesforce service provider with enough unique licenses for each individual service provider user, and then enable MFA for the customer org. This is the most secure approach.

If that’s not viable, however, customers who assign a limited number of licenses to their Salesforce service provider can satisfy the MFA requirement by meeting the following criteria:

• Ask their service provider to deploy either a privileged account management tool or an enterprise password management tool, which will function as an MFA verification method for shared credentials.
• The privileged account management or enterprise password management tool must support the use of MFA, and MFA must be enabled for the tool.
• The tool must provide the ability to restrict access permissions to authorized users only, via techniques such as role-based access control and least-privilege.
• All users of the tool must be personnel of the service provider. These users must be using a single license solely for the purpose of providing support or other services to their customer.
• The customer is responsible for their service provider’s use of customer-provided Salesforce licenses.

We strongly recommend that service providers deploy a privileged account management tool that supports the use of MFA. This option allows customers to trace a shared login back to the actual user who logged in, providing an audit trail and better security. If using a privileged account management tool isn’t viable, the service provider should explore using an enterprise password management tool that supports MFA.

Note: Salesforce doesn’t promote the use of any specific tool. Tools must meet the functional requirements listed above.

Salesforce reserves the right at any time to change the criteria for MFA and the foregoing use case or to discontinue this permitted use entirely.

See also:

• Salesforce MFA FAQ (for the contractual policy on MFA and the partner admin use case)

• Can a service provider's proprietary password management tool work as a solution to the partner admin use case?

Who Should Implement the Partner Admin Use Case Solution

A service provider's customer has the contractual obligation to ensure that all licenses for their org, including those provided to their service provider for partner admin services, comply with the MFA requirement.

Service providers or their customers must enable MFA for all internal users in the customer’s org, including individual service provider users who log in with customer-provided licenses. 

To ensure that individual service provider users who share a customer-provided license can satisfy MFA challenges when logging in to customer orgs, the service provider is responsible for setting up a privileged account management or enterprise password management tool. The service provider must also ensure that all shared credentials are stored in the tool and configured to work with the customer org’s MFA implementation.

In most cases, communication and guidance from Salesforce about the partner admin use case solution will be directed to Salesforce service providers, and service providers will need to engage their customers on how to satisfy the MFA requirement. If a customer contacted Salesforce and was granted an extension, Salesforce will communicate directly with that customer, as well as their service provider.
 

How to Apply the Partner Admin Use Case Solution

Here’s a high-level overview of how Salesforce service providers and their customers can implement the partner admin use case solution.
 

1. The service provider installs a privileged account management or enterprise password management tool.
2. The service provider adds all shared credentials to the privileged account management or enterprise password management tool.
3. The service provider or their customer enables MFA in the customer’s org.
4. Individual partner users log in to a shared account. When prompted by the customer’s org, they register the privileged account management or enterprise password management tool as an MFA verification method for the shared account.  
5. For all subsequent logins by individual service provider users, the privileged account management or enterprise password management tool automatically populates the shared account’s username and password, and then the user enters the one-time passcode generated by the tool so they can finish logging in.

The specific steps for applying the partner admin use case solution depend on the actual privileged account management or enterprise password management tool that the Salesforce service provider decides to use. For full guidance on setting up the tool and configuring the use of MFA, see the tool’s product documentation.
 

Deadline for Implementing the Partner Admin Use Case Solution

To comply with the MFA requirement when a customer isn’t able to provide a unique license for each individual service provider user, the Salesforce service provider should implement a privileged account management or enterprise password management tool, and the service provider or the customer should enable MFA for the customer’s org as soon as possible.

If a partner admin use case extension was granted, the solution discussed in this document must have been implemented (or a sufficient number of new licenses purchased) before the end of the extension. Per the terms of the extension, when Salesforce announces a solution for the partner admin use case, service providers and their customers will have one year to implement their respective parts of the solution or otherwise comply with the MFA requirement. Salesforce publicly announced the partner admin use case solution on October 13, 2022 and all partner admin use case extensions (including any extensions granted after the solution announcement date) expired on November 15, 2023.

At the end of the partner admin use case extension, no additional time or extensions will be granted and Salesforce auto-enablement milestones will apply.

Where to Get More Help

Check out the FAQs at the end of this document.

If they don’t answer your questions, service providers should use the following resources.

• For ISVForce or OEM partners: direct questions to the AppExchange & ISV Technical Enablement collaboration group.
• For consulting partners or managed services providers: direct questions to the Consulting Partner Questions & Answers collaboration group.

Frequently Asked Questions

How can Salesforce service providers and their customers tell if the partner admin use case applies to them?

If a service provider is sharing customer-provided licenses to conduct admin activities for the customer’s production org, the partner admin use case applies. These activities include implementation, testing, training, ongoing maintenance, and other types of support.

To know for sure, the customer should run an audit to see if their service provider is sharing a license with service provider or customer resources in their organization.
 

Can a service provider’s proprietary password management tool work as a solution to the partner admin use case?

If a customer’s service provider is using a proprietary password management tool, the tool must support the use of MFA for each individual service provider user logging in with a shared license. If MFA can’t be configured for the shared license, the proprietary password management tool doesn’t satisfy the MFA requirement.

A proprietary tool must also meet the other requirements specified in Solution for Satisfying the MFA Requirement for the Partner Admin Use Case.
 

Is Salesforce implementing or producing a product-based solution for the partner admin use case in the future?

No, Salesforce isn’t planning to implement a product-based solution to address MFA and the partner admin use case.
 

Can service providers and their customers opt out of using MFA for the partner admin use case?

No. Now that a solution is available for the partner admin use case, service providers and their customers must satisfy the MFA requirement via that solution. Or alternatively, the customer can provide their service provider with unique licenses for each individual service provider user. There isn’t any exception process or option to opt out of using MFA for the partner admin use case.
 

My customer’s org has a partner admin use case extension. When will the extension expire? What happens when the extension ends?

Per the terms of the extension, when Salesforce announces a solution for the partner admin use case, Salesforce service providers and their customers have one year to implement their respective parts of the partner admin use case solution or otherwise comply with the MFA requirement. We publicly announced the partner admin use case solution on October 13, 2022. All partner admin use case extensions expired on November 15, 2023.

Now that partner admin use case extensions have expired, affected service providers and customers are expected to have implemented the partner admin use case solution published in this document or otherwise comply with the MFA requirement through the purchase of additional licenses. All users and orgs covered by the extension are now subject to the MFA requirement. For full details about the MFA requirement that went into effect on February 1, 2022, see the MFA FAQ.
 

What happens if a service provider or customer doesn’t apply a solution for the partner admin use case?

If service providers or customers don’t apply an approved solution for the partner admin use case, the customer org will be out of compliance with the MFA contractual requirement. The customer org will be subject to auto-enablement milestones, when they occur.

If a partner admin use case extension was granted for a customer's org, the service provider and their customer had until November 15, 2023 to apply the approved solution before the customer org would be out of compliance with the MFA requirement.

To proceed with the solution, see Solution for Satisfying the MFA Requirement for the Partner Admin Use Case and Who Should Implement the Partner Admin Use Case Solution.
 

Can the partner admin use case solution be used to satisfy the MFA requirement for other license sharing practices?

No. The partner admin use case solution is strictly limited to situations where service providers are sharing customer-provided licenses to perform administrative activities in the customer’s org on their customer’s behalf. If a customer or service provider shares licenses or account logins for any reason other than the partner admin use case, they’re in direct violation of their Salesforce Main Services Agreement (MSA) and the solutions discussed in this document can’t be used to satisfy the MFA requirement for those practices.

For example, it’s not permissible for a customer to share their usernames and passwords with a service provider to give them access to the customer’s org for performing partner administration activities. Nor is it permissible for individual service provider users to share licenses in the service provider’s License Management Org of their own Partner Business Org to administer a customer’s org.

Service providers or customers who need additional logins should purchase additional licenses.