Salesforce Security Updates and MFA Requirements

Salesforce is implementing several critical security updates throughout June and July 2026:

  • Mandatory Multi-Factor Authentication (MFA)
  • Step-up Authentication for Reports
  • Anonymizing Proxies and High-Risk IP Addresses
  • Transaction Security Policies (TSP) - Shield or Event Monitoring Customers only

Salesforce has been updating these requirements frequently and without advance notice. We recommend regularly reviewing the official Salesforce documentation to stay informed of the latest changes and timelines.

Veeva is committed to providing timely guidance and updates as new information becomes available. However, because this enforcement is managed entirely by Salesforce, requirements, rollout schedules, and enforcement timelines may change independently of Veeva and without prior notice.

Mandatory Multi-Factor Authentication (MFA)

Starting in June and July of 2026, Multi-Factor Authentication (MFA) will be required for all users in Sandbox & Production orgs, including admins. Ensure MFA is fully configured for your users ahead of the deadlines below. While phishing-resistant MFA is not required for standard (non-privileged) users, it is strongly recommended.

  • SSO Users - Salesforce will require signals confirming that a Standard MFA or Phishing-Resistant MFA method was used at the Identity Provider (IdP) level. If those signals are not present, the user will be prompted to enroll a compliant method in the Salesforce UI. We recommend working with your SSO/identity team to confirm whether the appropriate signals are already being sent.
  • Integration/API Users - As of today, MFA is not enforced for API logins. If an integration user logs in through the UI, MFA will apply to those sessions.

The Waive Multi-Factor Authentication for Exempt Users permission will no longer automatically exempt users from MFA. After this change, users with this permission will be prompted to enroll and use an MFA verifier at login.

iPad-Specific Guidance

  • Delegated Authentication - The native Veeva CRM iPad app login screen is not affected
  • "Use Custom Domain" - This initiates an OAuth/UI login flow, which will trigger MFA
  • “Go Online” logins - Any login via a mobile browser is subject to MFA, regardless of the authentication method

Enforcement dates:

  • Sandboxes: Starting June 22, 2026, staggered over ~7 days
  • Production: Starting July 20, 2026, staggered over ~30 days

Refer to Salesforce's article on Prepare for MFA Enforcement for All Employee Users for additional details.

Step-Up Authentication for Reports

Salesforce is implementing identity verification for high-sensitivity report actions. Ensure each of your users has at least one of the following:

  • A supported MFA verification method registered with Salesforce
  • A current email address
  • A mobile phone number registered to their login
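One way to audit that prerequisite before the enforcement dates, as an added example (not Veeva's or Salesforce's code): it reads a user export and lists active users who satisfy none of the three options. The CSV layout, the hypothetical `HasMfaVerifier` column and the sample rows are assumptions; addresses ending in `.invalid`, as sandbox copies typically carry, are not counted as current.

```python
import csv
import io

# Constructed sample export; the column names are assumptions for this example.
SAMPLE_EXPORT = """Username,IsActive,Email,MobilePhone,HasMfaVerifier
rep1@example.com,true,rep1@example.com,,false
rep2@example.com.uat,true,rep2@example.com.invalid,,false
rep3@example.com,true,,+1 555 0100,false
rep4@example.com,true, ,,true
rep5@example.com,false,,,false
rep6@example.com,true,,,false
"""


def usable_email(value):
    """An address counts only if it is non-empty and not masked with .invalid."""
    value = value.strip().lower()
    return bool(value) and "@" in value and not value.endswith(".invalid")


def verification_options(row):
    """Return which of the three step-up options this user row satisfies."""
    options = []
    # HasMfaVerifier is a hypothetical column filled in by the admin.
    if row["HasMfaVerifier"].strip().lower() == "true":
        options.append("mfa")
    if usable_email(row["Email"]):
        options.append("email")
    if row["MobilePhone"].strip():
        options.append("mobile")
    return options


def users_without_option(export_text):
    """List active usernames that satisfy none of the three options."""
    missing = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["IsActive"].strip().lower() != "true":
            continue  # inactive users cannot log in to run reports
        if not verification_options(row):
            missing.append(row["Username"])
    return missing


if __name__ == "__main__":
    for username in users_without_option(SAMPLE_EXPORT):
        print("no verification option:", username)
```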

Step-up Authentication in Anomalous Report Export

Most users will not experience any change in their day-to-day workflow. This is a machine-learning, risk-based security control that Salesforce uses to detect potentially suspicious report activity and require additional verification in real time.

Salesforce monitors report usage behavior for suspicious or unusual activity. If Salesforce detects anomalous behavior (for example, unusual report exports or activity patterns), it can immediately require an additional MFA challenge. This can happen even if the user recently completed a step-up MFA. The enforcement is dynamic and based on Salesforce’s internal risk models.

Salesforce is rolling out this change through a gradual activation plan, starting in a report-only mode before moving to full auto-containment actions.

Enforcement dates:

  • Sandboxes: Starting June 22, 2026
  • Production: Starting July 13, 2026

Refer to Salesforce’s articles on Prepare for Step-up Authentication in Anomalous Report Export for additional details.

Step-up Authentication on Report Actions

This is a predictable, time-based re-authentication policy that Salesforce is enforcing for report access and exports.

This is a standardized security policy that applies to all users. Salesforce requires users to re-authenticate with MFA after a configurable amount of time has passed (default: 120 minutes).

The MFA challenge occurs when users run or view reports. This happens even if:

  • The user already logged in with MFA
  • The user is on SSO
  • Or the user is on a trusted corporate network

Admins can configure the re-authentication window within Salesforce-defined limits.

Enforcement dates:

  • Available in Sandboxes: Starting May 27, 2026, staggered over ~7 days
  • Available in Production: Starting May 27, 2026, staggered over ~15 days
  • Enforced in Sandboxes: Starting June 3, 2026, staggered over ~7 days
  • Enforced in Production: Starting June 10, 2026, staggered over ~20 days

Refer to Salesforce’s articles on Prepare for the upcoming Step-up Authentication requirements on Report Actions for additional details.

Anonymizing Proxies and High-Risk IPs

Salesforce is expanding its automated security protections to detect and block connections originating from anonymizing VPNs, proxies, and other high-risk IP addresses. These protections now apply to Connected Apps and API traffic in addition to standard user login activity.

  • If Salesforce detects a connection from a high-risk or anonymized IP address, Salesforce may automatically freeze the affected user account, revoke OAuth refresh tokens, and block further access until the account is reviewed and restored by a Salesforce administrator.
  • Customers should review any integrations, middleware, VPN configurations, proxy services, or automated processes that connect to Salesforce APIs or Connected Apps to ensure they are not routing traffic through anonymizing or high-risk network services.

Because this enforcement is managed entirely by Salesforce, detection criteria and enforcement behavior may change without prior notice from Veeva.

Enforcement was announced and deployed at the end of April. Users found in violation will have their accounts frozen. Both the affected user and the org's admins will receive an email with instructions on how to resolve the issue.

Refer to Salesforce’s article on Preventing Connections from Anonymizing VPNs, Proxies and High-Risk IP Addresses for additional details.

Transaction Security Policies (TSP)

This applies only to customers using Salesforce Shield or Event Monitoring.

If your org has Shield or Event Monitoring enabled and does not already have a Transaction Security Policy (TSP) restricting large data exports, Salesforce will automatically add and enable one in June 2026. We recommend reviewing your current policies now to avoid any unexpected changes.

Enforcement dates:

Availability of new Permission and default TSP:

  • Sandboxes: Starting June 1, 2026
  • Production: Starting June 15, 2026

Enforcement of new Permission and default TSP:

  • Sandboxes: Starting June 22, 2026
  • Production: Starting July 13, 2026

Refer to Salesforce’s article on Prepare for Transaction Security Policy Enhancements for additional details.

Additional Resources

For a comprehensive overview of all upcoming changes, refer to Salesforce's security updates page. This page is updated regularly — we recommend monitoring the Change Log table for the latest information.

If you have any questions or concerns, please contact Veeva Support. Please note that because MFA enforcement is managed entirely by Salesforce and MFA is tied to individual Salesforce user accounts, troubleshooting and remediation options for MFA are limited.