Salesforce Security Enforcement: Partners Are Frustrated. Here’s Why.

Nobody in the partner community is disputing that Salesforce needed to make some changes. The security threat was real, the breaches were serious, and the platform needed a stronger security plan in 2026. What partners are disputing is how it was handled. Rushed timelines, shifting guidance, misinformation flowing through official support channels, and an architectural burden dropped on ISVs and integrators with little warning. The security direction was right; the execution is what broke trust. Let’s talk about it.
The Cost of How This Rollout Was Handled
Salesforce knows that the communication and execution around this rollout were handled poorly. That’s an understatement for many in the ecosystem who have been living the fallout.
Partners were given just 8 working days to implement refresh token idle timeouts and IP allowlisting. Teams dropped billable client work to rush deployments for buggy backend tools, all under threat of AppExchange delisting. Certain partner apps had already been actively compromised in recent breaches, and because those apps sit across large numbers of customer orgs, leadership prioritized speed. The rationale is understandable. The execution left partners absorbing costs that better communication could have prevented.
And it didn’t stop there. Critical details kept changing after the fact, leaving partners scrambling to keep up while simultaneously managing client anxiety, correcting misinformation from Salesforce support and AEs, and trying to do their actual jobs.
When Communication Failed the Ecosystem
One recurring problem has been the passkey confirmation saga. It took weeks to get a definitive answer on whether synced passkeys from tools like 1Password would qualify as phishing-resistant MFA. Peter Churchill, a Salesforce partner who was in the thick of it, said:
The frustration extends well beyond shortened timelines. Gaurav Kheterpal, Founder and CEO of Vanshiv Technologies, mentioned an even deeper architectural concern:
“The concern isn’t security itself—it’s the absence of a partner-friendly path that delivers the same level of security without introducing so much implementation friction.” – Gaurav Kheterpal (Founder & CEO – Vanshiv Technologies)
What’s Still Being Clarified in Real Time
The information landscape around these controls has been a moving target. Here are several clarifications:
Step-up authentication is more targeted than initially understood. The control triggers when a user exports or prints a report, not simply when the Reports tab is accessed or a report is viewed. That’s an important distinction for partners advising clients on impact and user experience.
An IP configuration option is also coming as a compensating control in lieu of step-up, with rollout beginning June 29. This gives orgs an alternative path to compliance that may reduce issues for certain user populations.
On user scope, two clarifications are worth knowing:
- Partner Community users are confirmed external users and are not subject to MFA, phishing-resistant MFA, or step-up controls.
- Chatter Plus users, however, are confirmed internal users and are subject to all three: MFA, phishing-resistant MFA, and step-up controls.
These are exactly the kinds of details that should have been in the original rollout documentation. Instead, they’re emerging weeks in through partner escalations.
What Salesforce Needs to Do Differently
Salesforce has committed that once this initial wave of enforcement concludes, future security updates will rely on a tiered, compensating-controls model rather than emergency single-control mandates. Partners will be watching closely to see if that promise holds.
But the commitment needs to go further than timeline management. The partner ecosystem needs earlier access to technical specifics before enforcement windows open, accurate information flowing through support and AE channels so partners aren’t spending hours correcting the record with clients, and a clearly defined partner-friendly compliance path that delivers equivalent security without introducing unnecessary implementation holdups.
The security imperative is very real. The ShinyHunters breaches were serious. AI is accelerating the attacker side in ways that demand a platform-level response. Nobody credible is arguing against stronger security controls. What the ecosystem is asking for is a seat at the table early enough to actually matter. They want communication that treats partners as the force multipliers they are rather than an afterthought to a rollout that’s already in motion.
What to Do Right Now
If you’re a partner still working through enforcement prep with your clients, the full technical breakdown of all five controls, including enforcement dates, setup locations, and user-specific guidance, is in our complete Salesforce security enforcement guide.
The short version: audit client orgs for MFA waiver permissions and verify SSO configurations are passing AMR/ACR signals. Identify every privileged user and get them set up with a qualifying phishing-resistant method before July 1 (for production). And make sure every report user has at least one Salesforce-side verification method configured before step-up enforcement hits.
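As an added illustration of the "verify SSO configurations are passing AMR/ACR signals" step (example code written for this article, not Salesforce's or any partner's tooling): the script below verifies a constructed OIDC ID token and reports whether the identity provider is actually asserting an authentication method (`amr`) and context (`acr`). The token, its HMAC key and the set of AMR values treated as phishing-resistant are all assumptions made for the demo; the method names come from RFC 8176, and the list Salesforce accepts for its phishing-resistant MFA policy is not something this article specifies. For SAML-based SSO the equivalent check is on the assertion's `AuthnContextClassRef` rather than a JWT claim.

```python
"""Check whether an IdP's OIDC ID token carries amr/acr signals.

Added example for this article, not Salesforce or partner code. The
token is CONSTRUCTED and signed with a throwaway HMAC key so it runs
offline. PHISHING_RESISTANT_AMR is an assumption based on RFC 8176
method names, not a Salesforce-published list.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumed: RFC 8176 values for proof-of-possession (hardware/software key)
# authenticators. Adjust to the values your platform actually honours.
PHISHING_RESISTANT_AMR = {"hwk", "swk"}

# Constructed demo key; a real deployment verifies against the IdP's JWKS.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build an HS256 JWT. Used here only to fabricate test input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_and_decode(token: str, key: bytes = DEMO_KEY) -> dict:
    """Check algorithm, signature and expiry before trusting any claim."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg != "HS256":
        raise ValueError(f"unexpected alg {alg!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims


def assess_assurance(claims: dict) -> dict:
    """Summarise what the token says about how the user authenticated."""
    amr = claims.get("amr")
    acr = claims.get("acr")
    findings = []
    if amr is None and acr is None:
        findings.append("IdP passes neither amr nor acr; the service provider "
                        "cannot evaluate MFA strength from this token")
    if amr is not None and not (isinstance(amr, list)
                                and all(isinstance(m, str) for m in amr)):
        findings.append("amr is present but is not a JSON array of strings")
        amr = None
    methods = set(amr or [])
    # RFC 8176 defines a literal "mfa" value; two distinct methods also count.
    mfa = "mfa" in methods or len(methods) > 1
    resistant = bool(methods & PHISHING_RESISTANT_AMR)
    if methods and not resistant:
        findings.append(f"amr {sorted(methods)} contains no phishing-resistant method")
    return {"amr": amr, "acr": acr, "mfa": mfa,
            "phishing_resistant": resistant, "findings": findings}


def check_token(token: str, key: bytes = DEMO_KEY) -> dict:
    """Verify the token, then assess its authentication signals."""
    return assess_assurance(verify_and_decode(token, key))


# Constructed sample tokens for three IdP configurations.
_BASE = {"iss": "https://idp.example", "sub": "user-1",
         "exp": int(time.time()) + 3600}
TOKEN_HWK = make_token({**_BASE, "amr": ["pwd", "hwk"], "acr": "urn:example:high"})
TOKEN_OTP = make_token({**_BASE, "amr": ["pwd", "otp"]})
TOKEN_SILENT = make_token(dict(_BASE))  # IdP passing no amr/acr at all

if __name__ == "__main__":
    for name, tok in [("hwk", TOKEN_HWK), ("otp", TOKEN_OTP), ("silent", TOKEN_SILENT)]:
        print(name, json.dumps(check_token(tok), indent=2))
```

The useful output is the `findings` list: an empty list means the IdP is both passing the signals and asserting a method the policy treats as phishing-resistant, while the "passes neither amr nor acr" finding is the configuration gap the article's audit step is meant to surface.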
If you have feedback, war stories, or clarifications that the broader community should know, share them below. This is still a developing story.
