Enforcement resumes July 6, 2026

Salesforce is enforcing new security requirements this summer.

Phishing-resistant MFA for admins. Mandatory MFA for all employees. Step-up auth on reports. If your Okta or Entra IdP isn't sending the right AMR/ACR signals, your privileged users get blocked — even with SSO working today.

Phishing-resistant MFA

Admins must use passkeys, WebAuthn security keys, or built-in authenticators. TOTP apps no longer count.

MFA for every employee

All internal users must complete MFA — direct UI or SSO. Chatter External and Experience Cloud users are excluded.

SSO must prove it

Salesforce inspects AMR/ACR signals from your IdP. Okta and Entra don't send them out of the box.

"Waive MFA" is dead

The exempt-user permission is disabled. Only Salesforce Support can restore it for automation use cases.

Enforcement calendar

What changes and when

Salesforce staggers enforcement across sandboxes first, then production. Dates below reflect the July 2, 2026 update from Salesforce.

Phishing-Resistant MFA for Privileged Users & Admins
Sandbox
July 6, 2026 (2-day rollout)
Production
July 20, 2026 (15-day rollout)
Critical
MFA Enforcement for All Employee Users
Sandbox
July 6, 2026 (2-day rollout)
Production
July 20, 2026 (15-day rollout)
Critical
Step-up Auth for Report Activities
Sandbox
Enforced June 17, 2026
Production
Enforced July 1, 2026 (30-day rollout)
High
Step-up Authentication for Anomalous Behavior
Sandbox
June 29, 2026
Production
July 13, 2026
High
Transaction Security Policy Enhancements
Sandbox
Enforced June 22, 2026
Production
Enforced July 13, 2026
Rolling out
Email Domain Verification (Phase 2)
Sandbox
June 29 – July 27, 2026
Production
June 29 – July 27, 2026
Rolling out
Block Anonymizing VPNs, Proxies & High-Risk IPs
Sandbox
Applied April 24, 2026
Production
Applied April 24, 2026
Rolling out
Extended Login Anomaly Detections & Containment
Sandbox
Applied early April 2026
Production
Applied early April 2026
Rolling out
The headline change

Phishing-resistant MFA for privileged users

Applies to every user with the System Administrator profile — or any of the Modify All Data, View All Data, Customize Application, or Author Apex permissions. Direct UI logins and SSO logins are in scope, in production and sandboxes.

What satisfies the requirement

  • • FIDO2 / WebAuthn security keys (YubiKey, etc.)
  • • Built-in authenticators (Touch ID, Face ID, Windows Hello)
  • • Cloud-synced passkeys (1Password, iCloud Keychain, Bitwarden)
  • • Certificate-Based Authentication (x.509 / mTLS)
  • • Admin-generated temporary verification codes

What no longer counts

  • • Salesforce Authenticator app for privileged users
  • • TOTP apps (Google Authenticator, Microsoft Authenticator)
  • • SMS, email, or voice call codes
  • • Password-only login
  • • "Waive MFA for Exempt Users" (auto-disabled)

What still works unchanged

  • • JWT Bearer and Client Credentials OAuth flows
  • • API-only integration users (no UI login)
  • • Chatter External / Chatter Free users
  • • External users on Experience Cloud licenses
  • • OAuth Web Server / Hybrid flows still trigger MFA on UI login
AMR / ACR reference

How Salesforce grades your SSO login

For SSO logins, Salesforce reads AMR (Authentication Methods Reference, RFC 8176) and ACR (Authentication Context Class Reference) values from your IdP. Any value in the phishing-resistant list also satisfies Standard MFA.

TierSalesforce direct loginAccepted AMR valuesAccepted ACR valuesResult
Phishing-Resistant MFASecurity Keys (WebAuthn), Built-in Authenticators (Touch ID, Windows Hello), Admin-Generated Temporary Codescert, face, fido, fido2, fpt, hwk, iris, passkey, phr, pki, pop, pwlesspasskey, retina, sc, smartcard, swk, tlsclient, wia, x509fido, fido2, fpt, hwk, passkey, phr, pki, pwlesspasskey, retina, smartcard, swk, tlsclient, wia, x509 Login allowed
Standard MFASalesforce Authenticator, TOTP Apps (Google / Microsoft Authenticator)mfa, mobiletwofactorcontract, multipleauthn, okta_verify, pin, pgp, publickey, rsa, timesynctoken, user, vbmmfa, mobiletwofactorcontract, multipleauthn, okta_verify, pgp, publickey, rsa, timesynctoken, vbm Enroll & retry
Weak / No MFAPassword onlypwd, sms, tel, email Enroll & retry
SAML AMR

Any attribute whose name contains amr or authnmethodsreferences is parsed. Semicolon-separated values (hwk;face;mfa) work; commas don't. URN / URL values split on : or /.

OIDC AMR

Sent as an array (e.g. [hwk, mfa]). Matched with exact, case-sensitive comparison against the accepted list.

ACR (SAML & OIDC)

Evaluated with a lowercase contains() check. Short tokens like mfa match long URNs like urn:oasis:names:tc:SAML:2.0:ac:classes:mfa.

Okta & Microsoft Entra

Your IdP won't send the right signals by default

Both Okta and Entra can enforce phishing-resistant MFA — but neither transmits Salesforce's expected AMR/ACR values without explicit configuration. This is the most common gap causing admin lockouts today.

Identity Provider

Okta

Okta enforces MFA via Authentication Policies, but the SAML/OIDC assertion won't include AMR/ACR unless you map them in the Salesforce app's assertion attributes.

  1. 01In the Okta admin console, open the Salesforce app → Sign On tab.
  2. 02Add an assertion attribute named authnmethodsreferences (SAML) or configure the OIDC amr claim.
  3. 03Emit values from the phishing-resistant list — e.g. hwk, phr, fido2 — when the Okta policy required a FIDO2 / WebAuthn factor.
  4. 04Require a phishing-resistant factor in the Authentication Policy that gates Salesforce.
  5. 05Verify with Salesforce Login History (OIDC) or a SAML tracer (SAML).
Okta FAQ: Salesforce Mandatory MFA Requirements
Identity Provider

Microsoft Entra ID

Entra's default Salesforce enterprise app sends a minimal SAML assertion. AMR/ACR claims and phishing-resistant enforcement via Conditional Access must both be configured explicitly.

  1. 01In Entra admin center, open Enterprise applications → Salesforce → Single sign-on.
  2. 02Add a SAML claim named authnmethodsreferences and populate it from the user's authentication context.
  3. 03Create a Conditional Access policy requiring an authentication strength that includes only phishing-resistant methods (FIDO2 keys, Windows Hello, passkeys, certificate-based auth).
  4. 04Scope the policy to the Salesforce enterprise app and to your admin / privileged user group.
  5. 05Confirm ACR / AMR delivery using a SAML tracer or, for OIDC, Salesforce Login History.
Microsoft Entra: Configure Salesforce SSO

Reality check: If your IdP is enforcing phishing-resistant MFA but isn't sending the AMR/ACR signal, Salesforce will still prompt privileged users to enroll a Salesforce passkey — or block them. Test with a real admin account in a sandbox before the July 6 sandbox enforcement date.

Admin prep

Nine steps to pass enforcement

Work through these before your sandbox enforcement date. Each item maps directly to guidance from the Salesforce Help article on phishing-resistant MFA.

  1. Run a report to identify every user with System Administrator, Modify All Data, View All Data, Customize Application, or Author Apex.

  2. Enable Security Keys and Built-in Authenticators in Identity Verification setup.

  3. Turn on "Allow passwordless login with passkeys" for the fastest admin experience.

  4. Audit "Waive MFA for Exempt Users" assignments and open a Salesforce Support case for any that must remain (automation, testing tools).

  5. Configure your IdP to emit the correct AMR / ACR values on Salesforce logins.

  6. Verify OIDC AMR in Salesforce Login History; use a SAML tracer for SAML ACR (Login History for SAML ACR is not yet available).

  7. Pre-register admins with a phishing-resistant verifier before the sandbox enforcement date.

  8. Test the end-to-end SSO flow with an admin account in a sandbox first.

  9. Document a lockout recovery playbook: another admin can issue a temporary code; if no other admin exists, contact Salesforce Support.

Verify in Salesforce

Step-by-step: prove your AMR/ACR signals are landing

Six checks in order. Each one tells you exactly where in the Salesforce UI to look and what a passing vs failing signal looks like — so you can validate SSO before enforcement flips on.

1. Confirm the login was SSO (not direct)

Setup → Users → Login History
  1. 01Add columns: Username, Login Time, Auth Method Reference, Login Type, Status, Application.
  2. 02Filter Login Type = SAML Idp Initiated or SAML SP Initiated (or OpenID Connect).
  3. 03Locate the specific user + timestamp you want to verify.
Evidence of pass

The row's Login Type is a SAML/OIDC value and Status is Success. Direct UI logins won't have IdP-supplied AMR/ACR — Salesforce evaluates the local factor instead.

Red flag

Login Type = Application shows the user bypassed SSO with a Salesforce password — MFA policy applies locally, not via IdP claims.

2. Read the Auth Method Reference column

Setup → Users → Login History (same row)
  1. 01Look at the Auth Method Reference value on the SSO login row.
  2. 02Compare it against the accepted lists in the AMR/ACR table above.
  3. 03For privileged users, at least one value must be phishing-resistant (e.g. fido2, passkey, hwk, wia, x509).
Evidence of pass

A value like fido2, passkey, hwk, or wia appears — that login satisfies phishing-resistant MFA.

Red flag

Column is blank, or shows only mfa, okta_verify, pwd, or sms — the IdP is not sending a phishing-resistant signal and the user will be blocked after enforcement.

3. Inspect the raw SAML assertion or OIDC id_token

Setup → Identity → Identity Provider Event Log
  1. 01Open the event for the target login and expand SAML Assertion (or ID Token for OIDC).
  2. 02For SAML: find <AttributeStatement> — look for an Attribute whose Name contains amr or authnmethodsreferences, plus an <AuthnContextClassRef>.
  3. 03For OIDC: copy the id_token, decode at jwt.io, read the amr array and acr claim.
  4. 04If the event log is disabled, temporarily enable SAML Assertion Validator (Setup → Single Sign-On Settings → SAML Assertion Validator) and re-run the login.
Evidence of pass

You can see the exact claim your IdP sent: e.g. <Attribute Name="authnmethodsreferences"><AttributeValue>hwk;fido2</AttributeValue></Attribute> or "amr": ["fido2", "hwk"].

Red flag

No amr / authnmethodsreferences attribute exists, or values are comma-separated instead of semicolon-separated (SAML). Salesforce won't parse commas.

4. Cross-check the AuthnContext / acr value

Same assertion view
  1. 01In SAML, read the <AuthnContextClassRef> inside <AuthnStatement>.
  2. 02In OIDC, read the top-level acr claim.
  3. 03Confirm it contains one of the accepted ACR tokens (e.g. fido2, phr, wia, x509). Substring match is case-insensitive.
Evidence of pass

A value like urn:oasis:names:tc:SAML:2.0:ac:classes:fido2 or acr = "phr" is present.

Red flag

AuthnContextClassRef is urn:...:PasswordProtectedTransport or acr = "mfa" only — accepted for Standard MFA users, blocked for admins.

5. Reproduce with the SAML Assertion Validator

Setup → Single Sign-On Settings → SAML Assertion Validator
  1. 01Capture the base64 assertion from your browser's dev tools (Network tab, SAMLResponse form field) or from the IdP's debug log.
  2. 02Paste it into the validator and click Validate.
  3. 03Review the parsed AMR/ACR values Salesforce actually extracted.
Evidence of pass

The validator shows the AMR values it parsed and marks the login as satisfying phishing-resistant MFA.

Red flag

Validator lists the attribute but Extracted Values is empty — check the delimiter (must be semicolons) and the AttributeValue element structure.

6. Test end-to-end with a pilot admin

Sandbox → any Setup page requiring an admin
  1. 01In a sandbox, enable Phishing-Resistant MFA enforcement for privileged users (Setup → Identity Verification).
  2. 02Have a pilot admin sign in via SSO using a phishing-resistant factor (passkey, security key, Windows Hello, Touch ID).
  3. 03If the session is granted, the full chain works. If blocked, the error page names which check failed.
Evidence of pass

Admin lands on the Setup home page without a step-up prompt. Login History shows a phishing-resistant AMR value on that login.

Red flag

Admin sees "Your identity provider hasn't asserted a phishing-resistant authentication method" — go back to step 3 and fix the IdP claim before July 20, 2026.

Copy-paste evidence

Debug log & assertion samples

Real-shaped snippets you can paste next to your own logs to spot the difference between a phishing-resistant pass and a silent fail. Each sample tells you exactly where in Salesforce it comes from.

SAML assertion — phishing-resistant PASS

xmlSetup → Identity → Identity Provider Event Log → SAML Assertion
<saml:AttributeStatement>
<saml:Attribute Name="authnmethodsreferences"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">hwk;fido2;phr</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AuthnStatement AuthnInstant="2026-07-06T14:22:19Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:fido2
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>

Look for: Values are semicolon-separated (not comma). AuthnContextClassRef contains fido2 — Salesforce's substring match satisfies the ACR check.

SAML assertion — FAIL (Standard MFA only)

xmlSame event log — blocked admin login
<saml:AttributeStatement>
<saml:Attribute Name="authnmethodsreferences">
<saml:AttributeValue>mfa,okta_verify</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AuthnStatement>
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>

Look for: Two problems: values are comma-separated (Salesforce won't split them) and the only method is Okta Verify push. Fix the delimiter and enroll the admin in FastPass/FIDO2.

OIDC id_token — decoded payload (PASS)

jsonCopy id_token from Login History → paste at jwt.io
{
"iss": "https://login.microsoftonline.com/{tenant}/v2.0",
"sub": "a1b2c3d4-...",
"aud": "3MVG9...salesforce-client-id",
"email": "admin@example.com",
"amr": ["fido2", "hwk", "mfa"],
"acr": "urn:mace:incommon:iap:silver;phr",
"auth_time": 1783359739,
"exp": 1783363339
}

Look for: amr is a JSON array (not a string). At least one value (fido2, hwk) is in the phishing-resistant list — login is allowed for admins.

Login History (SOQL) — find the AMR column

sqlDeveloper Console → Query Editor, or Workbench
SELECT Id, UserId, LoginTime, LoginType, Status,
AuthMethodReference, Application, SourceIp
FROM LoginHistory
WHERE LoginTime = LAST_N_DAYS:1
AND LoginType IN ('SAML Sp Initiated', 'SAML Idp Initiated',
'OpenID Connect')
ORDER BY LoginTime DESC
LIMIT 50

Look for: AuthMethodReference is the exact value Salesforce parsed from your IdP. Empty on an SSO row = no AMR claim was sent. Use this query to bulk-audit admins before enforcement.

Anonymous Apex — audit privileged users still on weak MFA

apexDeveloper Console → Debug → Open Execute Anonymous
List<LoginHistory> risky = [
SELECT UserId, LoginTime, AuthMethodReference, LoginType
FROM LoginHistory
WHERE LoginTime = LAST_N_DAYS:7
AND UserId IN (
SELECT AssigneeId FROM PermissionSetAssignment
WHERE PermissionSet.PermissionsModifyAllData = true
)
];
Set<String> ok = new Set<String>{
'fido2','passkey','hwk','wia','x509','phr','smartcard','pki'
};
for (LoginHistory lh : risky) {
Boolean pass = lh.AuthMethodReference != null
&& ok.contains(lh.AuthMethodReference.toLowerCase());
System.debug('User=' + lh.UserId + ' AMR=' + lh.AuthMethodReference
+ ' PhishingResistant=' + pass);
}

Look for: Run in sandbox and production. Any PhishingResistant=false row for a Modify All Data user will be blocked on July 20, 2026 unless their IdP starts asserting a stronger factor.

Debug log — enable & filter for auth events

textSetup → Debug Logs → New (User = the affected admin)
# Trace flag levels (set on the user before they log in)
System=DEBUG; Security=FINEST; Workflow=NONE; Validation=INFO
Callout=INFO; ApexCode=NONE; Database=INFO
 
# After the failed login, open the log and search for:
|SAML_ASSERTION|
|AUTH_METHOD_REFERENCE|
|AUTHN_CONTEXT_CLASS_REF|
|PHISHING_RESISTANT_MFA|
 
# A passing entry looks like:
14:22:19.301 |AUTH_METHOD_REFERENCE|values=[fido2, hwk]|source=SAML
14:22:19.301 |PHISHING_RESISTANT_MFA|result=SATISFIED|matched=fido2
 
# A failing entry looks like:
14:22:19.301 |AUTH_METHOD_REFERENCE|values=[]|source=SAML
14:22:19.301 |PHISHING_RESISTANT_MFA|result=BLOCKED|reason=NoAcceptedAmrOrAcr

Look for: The Security category at FINEST is the only level that emits AUTH_METHOD_REFERENCE and PHISHING_RESISTANT_MFA lines. Debug logs auto-expire — set a 30-minute trace flag right before the pilot admin logs in.

Decision tree

Pinpoint the root cause in under a minute

Answer five yes/no questions about a failing login. The tree isolates whether the problem lives at the Identity Provider, in the SAML/OIDC claim mapping, or inside Salesforce's own policy enforcement.

Step 1 of 5
Question

Is the affected user actually reaching Salesforce via SSO on the failing login?

Where to check: Check Setup → Users → Login History. Login Type should be SAML Idp Initiated, SAML Sp Initiated, or OpenID Connect.

Your path
  1. 1
    Is the affected user actually reaching Salesforce via SSO on the failing login?
Categories this tree isolates
  • IdP — Okta/Entra isn't asserting the factor, or is asserting a weak one.
  • Mapping — Claim reaches Salesforce but delimiter or attribute name is wrong.
  • Salesforce — Signal is fine; a policy, session level, or profile config is blocking.
Troubleshooting

FAQ: Okta, Entra & verifying AMR/ACR

The questions admins hit first when SSO logins start getting blocked. Each answer maps to something you can check in Salesforce, Okta, or Entra right now.

AMR/ACR

How do I verify what AMR/ACR values my IdP is actually sending?

In Salesforce, open Setup → Identity → Identity Provider Event Log (or Login History with the SAML Assertion / OIDC ID Token columns). Pick a recent SSO login for a privileged user and inspect the raw assertion. For SAML, look for an AttributeStatement whose Name contains amr or authnmethodsreferences, and an AuthnContextClassRef element. For OIDC, decode the id_token at jwt.io and read the amr array and acr claim. If neither appears, your IdP isn't sending them — no amount of Salesforce config will help until the IdP is fixed.

Salesforce

A privileged user is blocked at login even though SSO works. What do I check first?

Confirm three things in order: (1) the user actually authenticated with a phishing-resistant factor at the IdP (passkey, security key, Windows Hello, Touch ID) — a fresh password + push does not count; (2) the IdP included that factor in the AMR/ACR claim on this specific login (check the assertion); (3) the value sent matches Salesforce's accepted list exactly, case-sensitive for AMR. A common failure is the IdP sending mfa only, which satisfies Standard MFA but is blocked for admins.

Okta

Okta says WebAuthn was used, but Salesforce still blocks the admin. Why?

Okta does not include AMR or ACR in SAML assertions by default. Open the Salesforce app in Okta → Sign On → SAML 2.0 → Attribute Statements and add authnmethodsreferences with a value like appuser.authnMethodReferences (or a hardcoded hwk;fido2;phr for testing). For OIDC, enable the Include AMR claim option on the OpenID app and confirm claims like fido2, hwk, or phr appear. Use Okta's System Log → filter on Authentication of user via SAML/OIDC to see the assertion payload sent to Salesforce.

Okta

Okta Verify push is authenticating my admin — is that OK?

No. Okta Verify push and TOTP are Standard MFA (okta_verify, mfa) and are blocked for privileged users. Enroll the admin in FastPass with biometric + device-bound key, or a FIDO2 security key. In the Okta Authenticator policy, require Possession factor is hardware protected and Phishing-resistant for the Salesforce app.

Entra

Entra Conditional Access is enforcing MFA, so why does Salesforce still block admins?

Enforcing MFA in Conditional Access doesn't automatically send the AMR/ACR claim to Salesforce. In Entra → Enterprise Applications → Salesforce → Single sign-on → Attributes & Claims, add a claim named http://schemas.microsoft.com/claims/authnmethodsreferences sourced from user.authenticationmethods, and an authnContextClassRef claim. Then create a Conditional Access → Authentication Strength policy requiring Phishing-resistant MFA scoped to the Salesforce app.

Entra

Which Entra Authentication Strength should I assign to Salesforce?

Use the built-in Phishing-resistant MFA strength (passkeys, Windows Hello for Business, FIDO2 keys, CBA). Assign it to a Conditional Access policy targeting the Salesforce enterprise app and the group of privileged Salesforce users. Verify with a test admin: sign-in log → Authentication Details should show fido2 or windowsHelloForBusiness, and the outbound SAML/OIDC claim should include a matching AMR value like fido2 or hwk.

AMR/ACR

My IdP sends amr as a comma-separated string in SAML. Why isn't it matching?

Salesforce splits SAML AMR attribute values on semicolons, not commas. Send hwk;fido2;mfa (semicolon separated) or send each value as its own <AttributeValue> element inside the same Attribute. URN- or URL-shaped values (e.g. urn:ietf:params:oauth:...:hwk) are additionally split on : and /, so the trailing token is what gets matched.

Salesforce

Where in Salesforce can I confirm a login was accepted as phishing-resistant?

Setup → Users → Login History. Add the Authentication Method Reference and Login Type columns. For a phishing-resistant SSO login you should see a value from the accepted AMR list (e.g. fido2, passkey, hwk, wia). If the column is empty on an SSO login, the IdP sent nothing — the login will be blocked once enforcement begins.

Salesforce

Can I test this before the July 2026 enforcement date?

Yes. In a sandbox, go to Setup → Identity Verification → Enable Phishing-Resistant MFA for privileged users. Have a test admin sign in via SSO and confirm the assertion contains a phishing-resistant AMR/ACR value. If it doesn't, the login is blocked immediately — that's your regression signal. Fix the IdP, retest, and roll the same claim configuration to production before July 20, 2026.