
#Security (168 discussing)

4 answers

Given that this Change Takes Effect in -

Sandboxes: Starting June 22, 2026, staggered over approximately 7 days
Production: Starting July 1, 2026, staggered over approximately 30 days

We are in the process of identifying the best way to implement this for our org. We use SSO to log in to Salesforce along with Microsoft Entra ID. However, we have been advised by SF Support that this alone does not qualify as Phishing Resistant MFA, and it has been suggested that we use Windows Hello for laptop/desktop admin logins. However, this may not work for SF Mobile App logins. There is a lot of uncertainty in this topic.

We were advised to enable Setup → Identity Verification → Built-in Authenticators, which will make Built-in Authenticators available for both desktop/laptop and supported mobile login experiences.

For laptops/desktops:

> Windows Hello for Business is fully supported and compatible with Salesforce Built-in Authenticators.
> Your IT team’s Windows Hello setup for admin users aligns well with the phishing-resistant MFA requirement.

For mobile devices:

> Face ID, Touch ID, and Android biometrics can also be used as Built-in Authenticators.

However, once Built-in Authenticators are enabled in the org, the option becomes available for all users and not only privileged users/admins, and there seems to be no way available now to currently only enable it for admins. This would result in enabling phishing resistant MFA for all users across the org. We are a bit clueless about how to proceed. If anyone has implemented it successfully and can guide us, that would be very helpful. Thanks in advance.

1 answer
  1. Today, 7:08 AM

    Same here - looking for a step-by-step guide on what is needed for System Admins to meet this requirement

1 comment

Regarding https://help.salesforce.com/s/articleView?id=005317465&type=1

If we currently have API / integrations set up leveraging user accounts that are configured as Admin profiles, will this requirement break those integrations? Or can this be bypassed with the permission "Exclude Exempt Users from MFA for Salesforce Orgs"?

5 answers
  1. May 5, 12:08 AM

    Usually the API Only system permission flags the user for this. We have a permission set for this specific purpose and it has always worked well.


We're attempting to audit our CORS Origin allowed URLs to see if any of our current allowed URLs are not needed anymore. Is there a way within Event Monitoring, or any other solution, to identify all incoming CORS requests to our org? It's easy to identify violations, but I'm trying to compile a list of the URLs for successful CORS origin requests.

 

Thank you! 

 

#Security


The mandatory MFA updates for both Admin and Non-Admin users state "This requirement applies to direct UI and Single Sign-On (SSO) logins." Does this mean user accounts used in OAuth integrations (Login Type Remote Access 2.0) are exempt from this security update? If not, how does this affect these logins/integrations?


Our company has been reading the list of upcoming security changes being enforced in June and July. While we appreciate Salesforce taking these measures to protect their customers, we feel like we were given very little notice about the upcoming changes. For the phishing-resistant MFA, none of our laptops have biometrics capabilities. We are working with our IT department to set up passkeys. For the discontinuation of the waive MFA permission, we have several bot users that are tied to an external app. I am really curious how many other customers out there are trying to figure out what to do. Will Salesforce be offering any kind of guidance or support given the very short amount of time all customers have?


My office does not have Touch or Face ID on our computers.

What do you use if you are going to be required to use the Phishing resistant MFA?

 

Thanks in advance 

 

#Security

4 answers
  1. Eric Burté (DEVOTEAM) Forum Ambassador
    May 13, 10:49 PM

    Hello @Rosie Lewis, you still have Windows Hello supported in the Built-in Authenticator solutions: https://support.microsoft.com/en-us/windows/configure-windows-hello-dae28983-8242-bb2a-d3d1-87c9d265a5f0

    Otherwise you would need Google's Titan or Yubico's YubiKey security keys for your System Admin users, and your "powerful administrative permissions"-granted users. 

    Eric


With regards to the upcoming requirements for strong, phishing-resistant MFA: 

 

Is anyone aware of any documentation on how to set up SSO to a Salesforce org from Microsoft Entra ID in a way that ensures "strong MFA signals" are properly passed to Salesforce in order to meet Salesforce's upcoming MFA enhancements?

  

Certainly there are other Salesforce customers that use Microsoft Entra ID, and I hope this is a common scenario that Salesforce or someone has already tested, verified, and can provide guidance on.  


 

Hello, 

 

The past few weeks I have had an orange Salesforce Banner stuck at the top of my page. Now, I have a second notification. I keep getting notifications each day for it. It wasn't much of a problem until I learned that all users now have at least one of the 2 banners. Is there a way I can have these removed for all users? I am an admin for my Salesforce, so I don't mind having them. But I need them to be gone for all other users.

How do I remove the orange notification banners?

 

 

 

#FSC  #Security  #Salesforce Admin

1 answer
  1. May 14, 1:58 PM

    Hi @Martin Dahlquist, some banners can be disabled via User Interface (Notification Banner) or In-App Guidance settings. However, Trust / system notifications cannot be turned off, as they are controlled by Salesforce.

    Please have a look at the help documents below:

    1. Disable Salesforce Notification Banner -  

    https://help.salesforce.com/s/articleView?id=xcloud.setup_disable_salesforce_banner.htm&language=en_US&type=5

     

    2. Turn Off In‑App Guidance (Orange Prompts) - 

    https://help.salesforce.com/s/articleView?id=sales.customhelp_lex_prompt_sfdc.htm&language=en_US&type=5

     

    3. About Trust / System Notifications - 

    https://help.salesforce.com/s/articleView?id=000389335&language=en_US&type=1

     

    Hope it works for you.
