Multi-Factor Authentication
Sandbox environments aren’t contractually required to use multi-factor authentication (MFA). But we strongly recommend using MFA for sandboxes that include intellectual property, customer data, or other Salesforce production data. To develop a strategy for managing MFA in sandbox environments, review these considerations.
Required Editions

| Required Editions | |
|---|---|
| Available in: | Both Salesforce Classic and Lightning Experience |
| Available in: | Professional, Enterprise, Performance, Unlimited, and Database.com Editions |

| User Permissions Needed | |
|---|---|
| To view a sandbox: | View Setup and Configuration |
| To create, refresh, activate, and delete a sandbox: | Manage Dev Sandboxes (Developer or Developer Pro only) or Manage Sandboxes (all sandbox types) |
- When you create or refresh a sandbox, all Multi-Factor Authentication for User Interface Logins user permission assignments — whether set via profiles or permission sets — are copied over from your production org. However, none of the MFA verification methods that a user has registered for your production org are copied to your sandbox. As a result, all MFA-enabled users must register an MFA method the first time they log in to a new sandbox. And they must repeat this step each time the sandbox is refreshed.
- If a user registers Salesforce Authenticator as an MFA verification method for their sandbox account, the connection to the account is invalidated each time the sandbox is refreshed. But the connection details aren’t automatically removed from Salesforce Authenticator. To avoid a long list of invalid connected accounts in Salesforce Authenticator, users should manually delete their old sandbox account from the app each time the sandbox is refreshed.

  Salesforce Authenticator assigns the same default name each time a user registers the app for their sandbox account. To avoid losing track of which sandbox connected accounts are active and which are invalid, delete the old sandbox account before logging in to the new version of the sandbox.
- If you use SSO for access to your production org but want to use MFA instead of SSO for your sandboxes, do so by assigning the Multi-Factor Authentication for User Interface Logins user permission to users when you create or refresh a sandbox.

  But when you deploy customizations to your production org, take care that you don’t accidentally include the sandbox’s MFA configuration. To help keep MFA isolated to your sandbox:
  - Use a dedicated permission set to assign the Multi-Factor Authentication for User Interface Logins permission to sandbox users.
  - Give the permission set an obvious MFA-related name so it’s easy to distinguish it from other permission sets.
  - Create a checklist that reminds Salesforce admins to exclude the MFA permission set from each deployment.
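The checklist step above can be backed by an automated gate in the deployment pipeline. The following is an added example, not Salesforce tooling: it scans a deployment package's package.xml and PermissionSet metadata files for anything that looks like sandbox MFA configuration, assuming the MFA-related naming convention recommended above. The name pattern, the sample XML, and the placeholder user permission API name are constructed for this example; the real API name of the user permission must be taken from metadata retrieved from your own org.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
# Assumed naming convention (not from the page): anything named with MFA,
# multi-factor or two-factor is treated as sandbox-only MFA configuration.
MFA_PATTERN = re.compile(r"mfa|multi.?factor|two.?factor", re.IGNORECASE)

def mfa_permission_sets_in_package(package_xml: str) -> list[str]:
    # PermissionSet members listed in package.xml whose names look MFA-related.
    root = ET.fromstring(package_xml)
    return [
        m.text for t in root.findall("m:types", NS)
        if t.findtext("m:name", namespaces=NS) == "PermissionSet"
        for m in t.findall("m:members", NS)
        if m.text and MFA_PATTERN.search(m.text)
    ]

def mfa_user_permissions(permission_set_xml: str) -> list[str]:
    # Enabled userPermissions in one PermissionSet file whose names look MFA-related.
    root = ET.fromstring(permission_set_xml)
    return [
        p.findtext("m:name", namespaces=NS)
        for p in root.findall("m:userPermissions", NS)
        if p.findtext("m:enabled", namespaces=NS) == "true"
        and MFA_PATTERN.search(p.findtext("m:name", namespaces=NS) or "")
    ]

def deployment_is_clean(package_xml: str, permission_sets: dict[str, str]) -> bool:
    # Gate: False if package.xml or any permission set file carries MFA configuration.
    if mfa_permission_sets_in_package(package_xml):
        return False
    return not any(mfa_user_permissions(x) for x in permission_sets.values())

# Constructed sample deployment: an MFA permission set slipped into package.xml.
SAMPLE_PACKAGE_XML = """<Package xmlns="http://soap.sforce.com/2006/04/metadata">
  <types>
    <members>Sandbox_MFA_UI_Logins</members>
    <members>Sales_Reporting</members>
    <name>PermissionSet</name>
  </types>
</Package>"""
# Constructed permission set file. The user permission name is a placeholder,
# not the real API name; copy that from metadata retrieved from your org.
SAMPLE_PERMISSION_SET_XML = """<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
  <label>Sandbox MFA UI Logins</label>
  <userPermissions>
    <enabled>true</enabled>
    <name>PLACEHOLDER_MultiFactorAuthUiLogins</name>
  </userPermissions>
</PermissionSet>"""
```

Run `deployment_is_clean` against the retrieved package before `sf project deploy` and fail the pipeline when it returns False; the name pattern is a convention check, so keep the permission set names on the MFA-related naming the text recommends.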

