Waive Multi-Factor Authentication (MFA) for Exempt Users in Salesforce via Permission Sets
Вставка
- Опубліковано 7 вер 2024
- Multi-Factor Authentication, or MFA, is a critical component to keep our Salesforce Org secure against bad actors. As of April 2024, MFA is the default login experience on all production Orgs. That is an extremely positive development, but what can we do with accounts that don’t log in through the Salesforce UI? This could be integration or API accounts, those used for Robotic Process Automation, or maybe ones used with testing automation tools like Selenium or Cucumber. There are several valid business use cases where MFA needs to be disabled. Let’s look at how we can keep our Salesforce Org secure but still accommodate the needs of these special accounts.
Setting Up MFA Waivers By User
Setting up MFA waivers against select accounts is as simple as setting up a new Permission Set. Let’s walk through it.
Go to Setup and Permission Sets. Add a new Permission Set by clicking the new button. In the label field, let’s make it clear what our purpose behind this permission set is. In my test environment, I’m going to label this in similar fashion as the actual permission set we’ll be putting into play - Waive MFA for Exempt Users. You can add a description to provide further detail which I’d always recommend as good practice. Hit save. Next, we scroll down to the System section of Permission Sets and find the Systems Permissions link. Once we click through to the Systems Permissions page, we’ll select edit and check the box beside “Waive Multi-Factor Authentication for Exempt Users.” It is the second to last option before you reach the User section. Scroll back up to click Save and then Save once again. Our Permission Set is active, but it’s not really serving its purpose until we assign Users to it.
Assigning Users
To do that we’ll click the Manage Assignments button and select New Assignment. Select the Users you want to assign to this Permission Set. In this case, I’m going to assign the Integration User. Hit next and assign. Notice, Salesforce does offer you the option of setting an expiration date for this assignment. Click Done and our Integration User is officially exempt from MFA triggers. One last note, do not assign this permission to any users that log in to your Salesforce Org through the user interface. You’re creating security holes when you do this.
Thanks for taking a moment to walk through waiving Salesforce MFA access for select accounts. If this content was helpful to you, please take a second to like this video and subscribe to our channel. Lastly, if you are experiencing any challenges in Salesforce where you could use a trusted partner to help you navigate, please reach out to us at improving.com. Our team of Salesforce experts would love to discuss how we can help. I wish you luck fine-tuning your MFA experience. Until next time.
