Salesforce begins sandbox enforcement of phishing-resistant MFA and report export step-up on June 22, 2026
Salesforce is enforcing two security changes today, June 22, 2026: phishing-resistant multi-factor authentication (MFA) for privileged users in sandboxes and step-up authentication on report exports, with production enforcement to follow in July, as outlined in Arkus’ enforcement note.
Salesforce enforces phishing-resistant MFA for admins and other privileged users
Salesforce will now require built‑in authenticators such as Touch ID or Windows Hello, or a FIDO2 security key, for users with elevated permissions, including System Administrators and roles holding Modify All Data or Customize Application. The schedule and scope are laid out in the Salesforce Ben 2026 security roadmap, which confirms sandbox enforcement from June 22 and production to follow in July.
Step-up authentication now gates report exports across orgs
Salesforce is introducing time‑based step‑up authentication when users export reports, adding a second check even if users already completed MFA at login. Admins can see the mechanics and recent refinements in the help article on step‑up authentication for report actions. For teams that need a quick summary of what changes for exports starting this week, the CloudAnswers guidance on the report‑export policy provides clear examples to test in sandboxes before July.
What changes now in sandboxes and what to expect for production orgs in July
In practice, privileged users who have not registered a phishing‑resistant method will be blocked from logging into sandboxes once the instance flips to enforcement. Report exports will begin triggering step‑up challenges on a session cadence determined by policy. Salesforce explains the policy rationale and the broader rollout (covering MFA hardening, anomaly detection, and export controls) in its platform security update for June.
Why Salesforce is tightening controls after third‑party OAuth abuses
Recent campaigns have commonly exfiltrated CRM data through compromised OAuth tokens held by connected apps. That context helps explain the new guardrails on exports and privileged logins, as tracked by coverage of ongoing Salesforce ecosystem data thefts linked to the Klue app compromise.
Immediate impact on SSO, API workflows, and admin runbooks
- SSO is not a carve‑out. IdPs must assert phishing‑resistant methods through AMR/ACR; otherwise users will see additional prompts once enforcement hits.
- UI report exports prompt for a step‑up challenge. Large or automated extracts should be tested, and where Shield or Event Monitoring is licensed, set a Transaction Security Policy that fits your thresholds rather than waiting for a one‑size‑fits‑all default.
- Plan for hardware keys. In practice, most teams provision two per privileged user to avoid lockouts from loss or device refreshes.
Timeline: sandboxes today, production through July
- June 22, 2026: Sandbox enforcement begins for phishing‑resistant MFA for privileged users, and export step‑up challenges roll forward by instance. The dates and scope are summarized in Arkus’ enforcement guide.
- July 2026: Production enforcement phases in by instance, as detailed in the Salesforce Ben schedule.
How admins can de‑risk this week’s cutover
- Enable and require built‑in authenticators or security keys for all users with admin‑level or equivalent permissions.
- Confirm your IdP is passing phishing‑resistant AMR/ACR claims for SSO logins.
- Create a Transaction Security Policy for ReportEvent that matches real usage so legitimate exports do not stall.
- Test report exports via UI and any BI or middleware jobs that call the Reports API to verify step‑up behavior.
- Communicate recovery paths for lost keys and pre‑stage backup methods while keeping to phishing‑resistant options.
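As an added example (not from the article, Arkus, or Salesforce), the following Python sizes a ReportEvent export threshold from a baseline of real exports and mirrors the condition such a Transaction Security Policy would evaluate, which is the "match real usage" advice in the two policy items above. It assumes ReportEvent‑style records with Operation and RowsProcessed fields, uses constructed sample values, and gives bulk integration users a measured ceiling of their own rather than a blanket exemption.

```python
import math
from dataclasses import dataclass, field

# Constructed baseline: one week of legitimate UI exports (RowsProcessed values
# are made up for this example) plus one ReportRun that the policy must ignore.
_BASELINE_ROWS = [80, 120, 150, 200, 240, 300, 350, 420, 500, 650,
                  800, 950, 1200, 1500, 1800, 2400, 3000, 3600, 4200, 5000]
SAMPLE_EVENTS = [
    {"Username": f"user{i % 4}@example.com", "Operation": "ReportExported",
     "RowsProcessed": rows}
    for i, rows in enumerate(_BASELINE_ROWS)
] + [{"Username": "user0@example.com", "Operation": "ReportRun", "RowsProcessed": 90000}]


@dataclass
class ExportPolicy:
    max_rows: int                                     # ceiling for ordinary users
    per_user_max: dict = field(default_factory=dict)  # measured ceilings for bulk jobs


def export_rows(events):
    """Sorted RowsProcessed of every export; ReportRun/ReportSaved are not exports."""
    return sorted(e["RowsProcessed"] for e in events if e["Operation"] == "ReportExported")


def percentile(values, pct):
    """Nearest-rank percentile over a sorted list (stdlib only)."""
    if not values:
        raise ValueError("no export events in baseline")
    rank = max(1, math.ceil(pct * len(values) / 100))
    return values[rank - 1]


def suggest_threshold(events, pct=95, headroom=1.25):
    """p95 of legitimate export sizes, plus headroom, rounded up to the next 100 rows."""
    p = percentile(export_rows(events), pct)
    return int(math.ceil(p * headroom / 100) * 100)


def policy_triggers(event, policy):
    """Mirror of the condition a Transaction Security Policy on ReportEvent evaluates:
    True when the export exceeds that user's ceiling, so the action should fire."""
    if event["Operation"] != "ReportExported":
        return False
    ceiling = policy.per_user_max.get(event["Username"], policy.max_rows)
    return event["RowsProcessed"] > ceiling


def flagged_exports(events, policy):
    """Events the policy would act on; run over a sandbox sample before the July cutover."""
    return [e for e in events if policy_triggers(e, policy)]
```

Replay a sandbox export sample through flagged_exports before enabling the policy in production; a non-empty result on known-good traffic means the threshold or a per-user ceiling is too low.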