Starting February 3, 2026, if your organization uses Salesforce with Microsoft Entra ID via SAML, you may notice unexpected additional authentication prompts. Here's what you need to know and how to prepare.
What's changing?
Salesforce is enforcing new device activation requirements for SSO (Single Sign-On) connections. This measure aims to strengthen security for platform access.
Microsoft's solution
Good news: Microsoft has worked closely with Salesforce to meet this requirement.
Entra ID now includes by default the authnmethodsreferences claim in the SAML token. When this claim contains the multipleauthn value, Salesforce considers the device trusted and will not request additional authentication.
What you need to do
Action required: Ensure your Conditional Access policy enforces MFA for the Salesforce application.
This is essential for the claim to be issued in the SAML token and for SSO to work as expected, without friction for your users.
Recommended steps
- Review your Conditional Access configuration in Microsoft Entra ID
- Enable multi-factor authentication (MFA) for the Salesforce application if not already done
- Test the SSO connection with a few pilot users before full deployment
- Communicate the change to your teams to avoid any surprises
Official resources
For more technical information and detailed configuration guides, see:
- Salesforce documentation on device activation changes
- Microsoft tutorial: Configure Salesforce for SSO with Microsoft Entra ID
Comments