
Prepare for New Security Control Requirements in June 2026

Publish Date: Mar 26, 2026
Description

What’s Changing

Salesforce is strengthening security by enforcing more stringent controls across user identity, data protection, and access controls. Details surrounding the specific controls being rolled out will be published once those plans are finalized. Take action now to ensure a seamless transition and maintain your organization's security posture.

When Does This Change Take Effect

Beginning June 2026, Salesforce plans to require the implementation of additional security controls and settings.

Who Needs To Take Action

Salesforce Platform Admins

Resolution

How to Prepare

  1. Require Multi-Factor Authentication (MFA): Ensure MFA is required in sandbox and production orgs, for all employee license users, either through Salesforce or through a Single Sign-On (SSO) provider. Even with MFA enabled for login, certain sensitive actions after login will trigger step-up authentication. For help with implementing MFA, see Multi-Factor Authentication for Salesforce Orgs.

  2. Ensure all System Administrator users adopt Phishing-Resistant MFA for login: Phishing-Resistant MFA requires built-in authenticators, security keys, or equivalent. To make phishing-resistant MFA options available to users, enable built-in authenticators or security keys.

  3. Restrict Login IP Addresses in Profiles: Specifying allowed IP address ranges on profiles denies a user access if they attempt to sign in from an unauthorized IP address. Note that by default, this check applies at login time only, and users are not automatically logged out mid-session if their IP address changes. To enforce IP range validation on every request (not just at login), "Enforce login IP ranges on every request" must be enabled in Session Settings. Only when this setting is active will users be logged out mid-session due to an IP address change. This additional protection is particularly important if your org has not implemented Phishing-Resistant MFA. See Restrict Login IP Addresses.

  4. Enable a Transaction Security Policy (TSP) that Restricts Large Data Exports: It has been previously recommended that Salesforce Shield and Event Monitoring customers have a TSP on ReportEvent that triggers step-up authentication when report data is downloaded. In June 2026, if an org with Shield or Event Monitoring does not already have one of these TSPs in place, one will be added and enabled automatically. See Transaction Security.

  5. Avoid Connecting from Anonymizing Proxies and High-Risk IP Addresses: Ensure your users are not connecting to Salesforce via anonymizing VPNs or from other high-risk IP addresses. Salesforce monitors for and blocks high-risk connections and will continue to do so.
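
As an added illustration of step 3 (not part of the Salesforce article and not Salesforce code), the following script audits profiles for missing or overly wide login IP ranges and checks whether ranges are enforced on every request. It assumes the org's Profile and SecuritySettings metadata have been retrieved as Metadata API XML with the element names shown; the sample XML is constructed and the width threshold is an assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
MAX_ADDRESSES = 2 ** 16  # assumed review threshold, not a Salesforce limit

def _profile(ranges=""):
    return f'<Profile xmlns="{NS["md"]}">{ranges}</Profile>'
def _range(start, end):
    return (f"<loginIpRanges><startAddress>{start}</startAddress>"
            f"<endAddress>{end}</endAddress></loginIpRanges>")

# Constructed sample input; element names assume Metadata API XML.
PROFILES = {
    "Admin": _profile(_range("203.0.113.0", "203.0.113.255")),
    "Sales": _profile(_range("0.0.0.0", "255.255.255.255")),
    "Support": _profile(),
}
SECURITY_SETTINGS = (
    f'<SecuritySettings xmlns="{NS["md"]}"><sessionSettings>'
    "<enforceIpRangesEveryRequest>false</enforceIpRangesEveryRequest>"
    "</sessionSettings></SecuritySettings>"
)

def audit_profile(name, xml_text):
    """Flag a profile with no login IP ranges or with an overly wide one."""
    ranges = ET.fromstring(xml_text).findall("md:loginIpRanges", NS)
    if not ranges:
        return [f"{name}: no login IP ranges, sign-in allowed from any address"]
    findings = []
    for r in ranges:
        start = ipaddress.ip_address(r.findtext("md:startAddress", namespaces=NS))
        end = ipaddress.ip_address(r.findtext("md:endAddress", namespaces=NS))
        size = int(end) - int(start) + 1
        if size > MAX_ADDRESSES:
            findings.append(f"{name}: {start}-{end} spans {size} addresses")
    return findings

def every_request_enforced(xml_text):
    path = "md:sessionSettings/md:enforceIpRangesEveryRequest"
    return ET.fromstring(xml_text).findtext(path, namespaces=NS) == "true"

def audit(profiles, settings_xml):
    findings = []
    for name in sorted(profiles):
        findings += audit_profile(name, profiles[name])
    if not every_request_enforced(settings_xml):
        findings.append("session: IP ranges checked at login only")
    return findings
```

Calling audit(PROFILES, SECURITY_SETTINGS) returns one finding per gap, so an empty list means every profile has a bounded range and ranges are checked on every request.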

 


Change Log

| Date | Change |
| --- | --- |
| March 26, 2026 | Initial publication |

 

Knowledge Article Number

005317465
