Necessity of the "Multi-Factor Authentication for User Interface Logins" User Permission After Enabling Org-Wide MFA

Enabling Org-Wide MFA

To enable Multi-Factor Authentication (MFA) for the entire organization, follow these steps:

1. From Setup, in the Quick Find box, enter Identity Verification, and then select Identity Verification.

2. Select the Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org checkbox.

Note: This setting applies even if MFA was automatically enabled for your organization.

Permission Necessity

When org-wide MFA is enabled, MFA is enforced for all internal users in the organization, regardless of whether they have the Multi-Factor Authentication for User Interface Logins user permission assigned.

Therefore, it is not necessary to grant the Multi-Factor Authentication for User Interface Logins permission to users while org-wide MFA is enabled.

Considerations

• Phased Rollout: Assigning the Multi-Factor Authentication for User Interface Logins permission is a method used to roll out MFA to users in phases or pilot groups.

• External Users: To enable MFA for external Experience Cloud site users, you must assign the Multi-Factor Authentication for User Interface Logins permission to those specific users. For more details, refer to "Enable MFA for External Experience Cloud Site Users (or Specific Internal Users)" in Salesforce Help.

Related Information

• Enable MFA for Your Entire Salesforce Org
• Enable MFA for External Experience Cloud Site Users (or Specific Internal Users)
• Common multi-factor authentication (MFA) troubleshooting