With Salesforce’s recent requirement of enabling multi-factor authentication (MFA) to access Salesforce products, we wanted to share how Azure Active Directory can support you on this journey. With organizations supporting hybrid work and employees using a variety of applications to get work done, it’s critical to ensure that access to applications like Salesforce is protected.
Jonathan Lyon, Principal Program Manager, from our Identity Alliances team, will take you through just how you can meet Salesforce’s new requirements and ensure that access to Salesforce products is protected.
--------------------
The old security paradigm of firewalls, silos, and passwords has left many organizations vulnerable during the ongoing shift to hybrid work. Threat actors - always quick to spot an opportunity - have noticed that identity is one of the fastest ways to break into a corporate network. Because of the plethora of stolen credentials littering the dark web, identity fraud (i.e., account takeover or business email compromise) has become the most common form of identity attack. As a recent security analysis sees it: “Identity remains the key for access into the network … There is no greater certainty that attacks on and with identities will increase in 2022.”*
Across all sectors, forward-thinking organizations have recognized that Zero Trust security is the best approach for quickly detecting and responding to threats in today’s borderless digital estate. With Zero Trust in mind, Salesforce has announced that beginning February 1, 2022, the company will now require all customers to enable multi-factor authentication (MFA) to access Salesforce products. As part of Microsoft’s mission to enable security for all, we’re happy to help Salesforce customers make MFA and single sign-on (SSO) easy using Microsoft Azure Active Directory (Azure AD).
With more than 150,000 customers and a market cap surpassing $200 billion, Salesforce isn’t about to take chances with security. The risks are too great for a major cloud company, or any business, to rely on an employee’s choice of a few digits and letters to protect an entire enterprise. Passwords are easily hacked. The ransomware attack against JBS USA was enabled by just such a breach—a neglected admin account left to linger with a weak password—that ended up costing the company $11 million. These kinds of “brute force” attacks rose 671 percent in June of 2021. In fact, Azure AD detected and blocked more than 25.6 billion attempts to hijack enterprise customer accounts by brute-forcing stolen passwords between January and December 2021.
Microsoft provided a way out of the password trap in 2021 by making passwordless sign-in generally available for commercial users. That means Microsoft customers can now completely remove the password from their account, and instead sign in using:
MFA is proven to prevent 99.9 percent of identity-related attacks. Despite this, only 22 percent of Azure AD customers had already implemented MFA by the end of 2021. As the engine of MFA, Conditional Access is built directly into Azure AD as the heart of our identity-driven control plane, bringing signals together to enable lightning-fast enforcement of your organizational policies.
Microsoft customers can use Azure AD to authenticate into Salesforce or any other application by choosing from a range of flexible authentication methods, such as biometrics, the Authenticator app, texts, calls, or one-time passcodes. (Note: Salesforce does not allow SMS or phone verification because voice and text are the least secure.) When you integrate Azure AD with Salesforce for SSO and MFA, you can:
To learn more about enabling MFA in Azure AD, see the complete tutorial.
After the requirement deadline (dates vary by product), Salesforce will begin enforcement by removing the controls that let admins disable MFA, according to the company’s Enforcement Roadmap. At present, Salesforce is only enforcing the new requirement contractually, meaning that customers who don’t enable MFA won’t be able to renew their agreements. Technical enforcement may come later.
To satisfy the new requirement, Salesforce customers must do one of the following:
Customers can also use the Salesforce MFA Requirement Checker to make sure their implementation meets the company’s requirements. Also, learn about authentication and verification methods available in Azure AD.
In the following steps, we’ll walk through creating a Conditional Access Policy that enforces MFA for your Salesforce users.
4. Click New Policy, then select Create New Policy.
5. Enter a name for your policy.
6. Under Assignments, select Users or workload identities.
7. Choose Select users and groups. Next, select the users, or the group of users, who use Salesforce. Once you’ve selected the users or groups you want, click Select.
8. Select Cloud apps or actions.
9. Choose the Select apps option, then search for Salesforce. Click Select. (You could also specify conditions, but for this example we will leave the conditions unchanged.)
10. Under Access Controls, select Grant.
11. Select Grant Access and tick the Require multi-factor authentication option. Then click Select.
The last step is to enable the policy.
12. Change the option from Report-Only to On. Then click Create.
This policy now takes effect, and all selected users will be required to use MFA every time they sign in to Salesforce.
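As an added example that is not part of the original post, the policy built in steps 4 through 12 expressed in the Microsoft Graph conditionalAccessPolicy JSON shape, together with an audit check that flags the two ways such a policy can look configured yet not protect Salesforce: left in Report-Only, or a grant that lets another control stand in for MFA. The group ID and Salesforce app ID are constructed placeholders.

```python
"""Build and audit an Azure AD Conditional Access policy in the Microsoft Graph
conditionalAccessPolicy JSON shape. Added example; the IDs below are constructed
placeholders, not values from the original post."""
import json

# Constructed placeholders: object ID of the group of Salesforce users and the
# appId of the Salesforce enterprise application registered in the tenant.
SALESFORCE_USERS_GROUP = "00000000-0000-0000-0000-00000000aaaa"
SALESFORCE_APP_ID = "00000000-0000-0000-0000-00000000bbbb"


def build_mfa_policy(group_id, app_id, enforce=True):
    """Graph equivalent of steps 4-12: scope to a group (step 7), scope to the
    Salesforce app (step 9), grant only with MFA (step 11), enable (step 12)."""
    return {
        "displayName": "Require MFA for Salesforce",
        # Step 12: the portal's "Report-Only" is enabledForReportingButNotEnforced.
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeGroups": [group_id], "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": [app_id], "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def policy_json(policy):
    """Serialize the policy as the request body for POST /identity/conditionalAccess/policies."""
    return json.dumps(policy, indent=2)


def enforces_mfa_for_app(policy, app_id):
    """Audit one policy as returned by GET /identity/conditionalAccess/policies.
    True only if it is enabled (not report-only), targets the app, and cannot be
    satisfied without MFA. Group exclusions are not resolved here (needs directory lookups)."""
    if policy.get("state") != "enabled":
        return False  # report-only and disabled policies enforce nothing
    apps = policy.get("conditions", {}).get("applications", {})
    if app_id in apps.get("excludeApplications", []):
        return False
    included = apps.get("includeApplications", [])
    if "All" not in included and app_id not in included:
        return False
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if "mfa" not in controls:
        return False
    # With operator OR, any listed control satisfies the grant, so "mfa OR
    # compliantDevice" lets a device check substitute for MFA.
    return not (grant.get("operator") == "OR" and len(controls) > 1)
```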
Note: If this is your first Conditional Access Policy, you may get the message shown below.
To disable security defaults in your directory:
Azure AD enables more than frictionless MFA. You’ll benefit from secure, seamless access for all your users from any location or device, including:
Azure AD provides easy integration with other widely used apps, including Adobe, AWS, Dropbox, SAP Concur, ServiceNow, and many more. Learn how you can enjoy simple, secure MFA across Salesforce and many more of your enterprise apps—access reliable, scalable identity services with Azure Active Directory single sign-on.
*Security Week, Cyber Insights 2022: Identity