How to Strengthen MFA Policies for Salesforce Admins in SMB Environments

by Ann Conte, IT Technical Writer

Key Points

  • Enforce MFA on every admin account, including integration and API users, to block unauthorized access and prevent phishing or credential-stuffing attacks.
  • Use strong app-based authentication tools like Salesforce Authenticator, Microsoft Authenticator, or Google Authenticator, or hardware security keys (FIDO2/U2F).
  • Disable weaker MFA options such as SMS-based MFA.
  • Implement conditional or adaptive MFA policies that trigger only under risky conditions to improve protection without causing MFA fatigue.
  • Train admins regularly to identify phishing attempts, resist MFA fatigue attacks, and follow best practices for approving legitimate authentication requests.
  • Audit and monitor MFA logs through Salesforce and your IdP to verify compliance, detect bypass attempts, and include these checks in quarterly security reviews.

Salesforce is central to many SMBs’ operations, housing sensitive customer and business data. Because Salesforce admins control access and configurations, their accounts are often prime targets for phishing and credential stuffing.

Because of this, it’s crucial to activate Salesforce MFA for your admin users. Doing this will ensure that your data remains protected from security breaches and bad actors.

A guide to strengthening admin MFA compliance

📌 Prerequisites:

  • You need to have access to a Salesforce administrator account.
  • You must have existing Salesforce licensing that supports MFA (included in most editions).
  • You must have defined offboarding/onboarding policies for Salesforce users.

💡 Note: Optionally, you can use a third-party IdP (Okta, Azure AD, Google) to manage MFA policies centrally.

Step 1: Enforce MFA for all admin roles

You must require MFA on every admin account. This should also include integration accounts, when possible. You can use the built-in MFA options in Salesforce (authenticator apps, U2F keys, SMS fallback) to enforce this.

Each person must also have their own login account. You should avoid using or allowing shared logins as much as possible.

Step 2: Strengthen authentication factors

App-based authenticators (Microsoft Authenticator, Google Authenticator, Salesforce Authenticator) are the preferred method; use them whenever possible. You should also disable weaker authentication methods, such as SMS codes, which are easier to intercept.

For high-security environments, you can also use hardware keys. These are small physical devices that add an extra authentication factor: the authorized person must have the key in hand and insert or tap it on the device they are signing in from. A remote attacker holding stolen credentials cannot complete that step, which makes a breach much harder to pull off.

Step 3: Implement conditional MFA policies (via Salesforce or IdP)

Not all situations are created equal. There are times that require more security than others. When admin users are logging in from a new device or from an unfamiliar location or geography, for example, you should enforce stricter MFA practices. This prevents bad actors from logging in with stolen or hacked credentials.

In relation to this, you should employ adaptive rather than overly restrictive MFA policies. Users tire of being prompted repeatedly. Instead of prompting them excessively, ensure that MFA policies only trigger when it’s actually necessary.

Step 4: Provide SMB-Friendly admin training

Of course, the individual admins should also pull their weight when it comes to keeping their accounts secure. To help them do that, organize training sessions for the Salesforce admins so they can easily recognize phishing attempts and MFA fatigue. Admins should also know what they’re supposed to do when they encounter suspicious activity and how to report these things to IT administrators.

In these training sessions, mindfulness should be emphasized; users shouldn’t approve unexpected MFA prompts, for example. And to help people remember what they’re supposed to do, you should create short reference guides or knowledge base entries for troubleshooting common MFA problems.

Step 5: Monitor and review MFA enforcement

To ensure that admins are complying with your MFA requirements, you must regularly audit the MFA logs within Salesforce. Make sure that all admin accounts have MFA activated. If there are accounts that don’t, address it immediately by talking to that admin and ensuring that they activate MFA for their account.

Include these MFA checks as part of your quarterly security reviews. This ensures that nothing slips through the cracks and that bad actors won’t have an easy time breaching your defenses and accessing your organization’s data.

Step 6: Verification

Validate that all Salesforce admin logins require MFA. Review audit logs for any bypassed or unenforced MFA attempts. If you find any accounts that aren’t compliant, talk to the user immediately and ensure that they activate MFA as soon as possible.

Confirm admins use approved MFA methods (apps or keys, not SMS). If you’re using hardware keys, ensure that you keep track of the keys and that they’re only handed out to trustworthy individuals.
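One way to run the audit described in Steps 5 and 6 over an exported login history, as an added example that is not part of the original post. It assumes a CSV export whose columns (username, profile, login_type, status, mfa_method, source_ip) are constructed for this example rather than Salesforce’s own export schema, and it flags admin-profile logins that used no MFA, used SMS, or came in through an API login type.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. The column layout and the mfa_method values are
# assumptions for this example, not the real Salesforce login-history schema.
SAMPLE_LOGIN_EXPORT = """\
username,profile,login_type,status,mfa_method,source_ip
alice@example.com,System Administrator,Application,Success,authenticator_app,203.0.113.10
bob@example.com,System Administrator,Application,Success,none,198.51.100.7
bob@example.com,System Administrator,Application,Success,sms,198.51.100.7
carol@example.com,Standard User,Application,Success,none,192.0.2.5
svc-int@example.com,Integration User,Remote Access 2.0,Success,token,203.0.113.44
dave@example.com,System Administrator,Other Apex API,Success,none,203.0.113.99
"""

ADMIN_PROFILES = {"System Administrator"}            # profiles treated as admin
APPROVED_METHODS = {"authenticator_app", "security_key"}  # apps or keys, not SMS
API_LOGIN_TYPES = {"Remote Access 2.0", "Other Apex API"}  # non-UI login types


def audit_admin_mfa(export_csv):
    """Return {username: sorted findings} for successful admin-profile logins.

    Admins with no findings are omitted, so an empty dict means fully compliant.
    """
    findings = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["profile"] not in ADMIN_PROFILES or row["status"] != "Success":
            continue
        user, method = row["username"], row["mfa_method"]
        if row["login_type"] in API_LOGIN_TYPES:
            # Admin credentials driving an integration: move it to a scoped
            # integration user with token-based auth (see Additional considerations).
            findings[user].add("admin profile used for API login; use a scoped integration user")
            if method == "none":
                findings[user].add("API login without MFA or token")
            continue
        if method == "none":
            findings[user].add("UI login without MFA")
        elif method not in APPROVED_METHODS:
            findings[user].add(f"weak MFA method in use: {method}")
    return {user: sorted(items) for user, items in findings.items()}


if __name__ == "__main__":
    for user, items in audit_admin_mfa(SAMPLE_LOGIN_EXPORT).items():
        print(user, "->", "; ".join(items))
```

Feed the function your real export and treat every returned username as an account to follow up on before the quarterly review.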

Additional considerations for enforcing MFA compliance from your Salesforce admins

  • Some Salesforce-connected apps may not support MFA. In those situations, use scoped integration users and token-based authentication.
  • MFA enforcement is usually part of SMB compliance requirements, especially for HIPAA, PCI DSS, and GDPR, so tie your policy to those obligations.
  • Standardize MFA enforcement across all Salesforce clients managed by the MSP.

⚠️ Things to look out for

Risks | Potential Consequences | How to Address Them
Admins bypass MFA with legacy apps | Legacy apps may not be as secure, and bypassing MFA may allow bad actors to access your service data. | You need to restrict or upgrade integrations. Admins should only access their accounts through updated and approved apps.
MFA fatigue complaints | Users may be less inclined to use MFA and might look for ways to bypass it. | Optimize conditional access rules and reduce unnecessary prompts.
Hardware token loss | Without the hardware token, you will not be able to access important data. | Maintain backup methods with admin oversight.

NinjaOne integrations for enforcing MFA policies

  • Documentation: Store MFA enforcement SOPs for Salesforce admins in the NinjaOne documentation platform.
  • Automation: Trigger offboarding tasks to remove admin accounts and enforce MFA reassignment.
  • Monitoring: Use NinjaOne alerts to track authentication issues across clients.
  • Reporting: Incorporate MFA enforcement into QBRs to show compliance progress.

Strengthen security to protect Salesforce MFA admin accounts

Salesforce admins represent a critical risk surface for SMBs. They have access to important permissions that are dangerous in the hands of bad actors. Strengthening MFA policies ensures these high-privilege accounts are protected against modern attacks while supporting compliance and client trust.

FAQs

Use app-based authenticators such as Salesforce Authenticator, Microsoft Authenticator, or Google Authenticator as your primary MFA method. For higher security, consider hardware keys (U2F/FIDO2) and disable weaker options like SMS-based verification, which is more vulnerable to interception.

Salesforce admins have elevated privileges, making them a prime target for attackers if they don’t have MFA activated.

Enable MFA enforcement in Salesforce Setup for every admin account, including integration or API users. Configure MFA through Salesforce’s built-in tools or your identity provider (Okta, Azure AD, Google Workspace) to centralize authentication policies and simplify management across users.

MFA fatigue is when attackers flood users with authentication prompts. SMBs can reduce it by using adaptive MFA and training admins not to approve unexpected requests.

Conditional MFA policies trigger extra authentication when a login seems risky, such as from an unrecognized device, IP address, or location. This adaptive approach strengthens security without frustrating users, reducing MFA fatigue and unnecessary login prompts.

No. App-based authenticators and conditional policies minimize friction while boosting security.
