Salesforce’s recent security updates swiftly address emerging threats by hardening app integrations, tightening certificate trust, enforcing stronger authentication, and enhancing threat detection—ensuring your org stays secure by default while adapting to the shifting cybersecurity landscape.
Salesforce has disabled the creation of new Connected Apps by default in its Spring ’26 release, closing off a common path for unauthorized integrations. Organizations are steered instead toward External Client Apps (ECAs), which Salesforce positions as the more secure, modern integration framework. Existing Connected Apps keep working, but migrating them to ECAs is strongly advised.
In tandem, Salesforce now blocks uninstalled Connected Apps by default (apps that users have authorized via OAuth but that no admin ever installed in the org) and lets administrators review the denied attempts. That visibility helps separate a benign misconfiguration from a possible intrusion: a denied attempt from a known vendor app is a setup problem, while one from an app nobody recognizes deserves investigation.
Starting February 5, 2026, Salesforce chains the TLS certificates on its endpoints to the DigiCert Global Root G2. Clients that do not trust that root (older JVMs and appliances, pinned or hand-curated trust stores, proxies that re-validate certificates) fail the handshake, which surfaces as API errors or browser certificate warnings.
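As an added example (not code from Salesforce or from this article), the following Python uses only the standard library's ssl module to check whether a trust store contains the DigiCert Global Root G2, matching on the subject common name. The sample store embedded in it is constructed for offline use; the system check reports on whatever CA bundle the local Python/OpenSSL build loads, which is not necessarily the bundle your JVM, curl, or integration appliance uses.

```python
import ssl

# Subject CN of the root the text above says Salesforce now chains to.
EXPECTED_ROOT_CN = "DigiCert Global Root G2"


def find_root(ca_certs, cn=EXPECTED_ROOT_CN):
    """Return the first CA certificate whose subject CN equals `cn`, else None.

    `ca_certs` uses the layout that ssl.SSLContext.get_ca_certs() returns:
    a list of dicts whose 'subject' is a tuple of RDNs, each RDN a tuple of
    (attribute, value) pairs.
    """
    for cert in ca_certs:
        for rdn in cert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName" and value == cn:
                    return cert
    return None


def trust_store_report(ca_certs, cn=EXPECTED_ROOT_CN):
    """Summarise whether a trust store contains the expected root."""
    root = find_root(ca_certs, cn)
    return {
        "root_cn": cn,
        "trusted": root is not None,
        "root_expires": root.get("notAfter") if root else None,
        "roots_loaded": len(ca_certs),
    }


def system_trust_store_report(cn=EXPECTED_ROOT_CN):
    """Inspect the default CA bundle this Python/OpenSSL build actually uses.

    Java keystores, curl built against another bundle, and proxy appliances each
    have their own store; check each of them separately (keytool -list, etc.).
    """
    ctx = ssl.create_default_context()  # loads the platform default CA certificates
    return trust_store_report(ctx.get_ca_certs(), cn)


# Constructed sample store in the get_ca_certs() layout, for offline demonstration.
# The DNs mirror the public DigiCert roots, but the list itself is made up here.
SAMPLE_STORE = [
    {
        "subject": (
            (("countryName", "US"),),
            (("organizationName", "DigiCert Inc"),),
            (("organizationalUnitName", "www.digicert.com"),),
            (("commonName", "DigiCert Global Root CA"),),
        ),
        "notAfter": "Nov 10 00:00:00 2031 GMT",
    },
    {
        "subject": (
            (("countryName", "US"),),
            (("organizationName", "DigiCert Inc"),),
            (("organizationalUnitName", "www.digicert.com"),),
            (("commonName", "DigiCert Global Root G2"),),
        ),
        "notAfter": "Jan 15 12:00:00 2038 GMT",
    },
]

# A store that only knows the older root: the failure mode described in the text.
LEGACY_ONLY_STORE = SAMPLE_STORE[:1]


if __name__ == "__main__":
    print(trust_store_report(SAMPLE_STORE))        # trusted: True
    print(trust_store_report(LEGACY_ONLY_STORE))   # trusted: False
    print(system_trust_store_report())             # whatever your local bundle holds
```

Run it on every host that talks to Salesforce, not just on a developer laptop: the report is only as meaningful as the bundle the failing client actually reads.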
Separately, maximum certificate lifetimes are shrinking under the CA/Browser Forum schedule (ballot SC-081), which governs the publicly trusted certificates that both Salesforce and its customers present:
– From March 15, 2026: maximum TLS certificate lifetime of 200 days.
– From March 15, 2027: 100 days.
– From March 15, 2029: 47 days.
Organizations, especially those in regulated industries, need automated renewal plus monitoring that alarms well before expiry, so that frequent rotation does not interrupt integrations.
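To make that schedule concrete, here is an added example (not from Salesforce or this article) in Python that encodes the CA/Browser Forum lifetime caps, checks a certificate's validity window against the cap in force on its issue date, and computes the point at which renewal automation should act. Renewing at two-thirds of the lifetime is an assumed convention (what common ACME clients default to), not something the page prescribes, and the certificate dates are constructed.

```python
import math
from datetime import date, datetime, timedelta, timezone
from fractions import Fraction

# Maximum validity for publicly trusted TLS server certificates, keyed by issue date.
# The 200-day and 47-day steps are the ones named in the text; the 100-day step between
# them is the intermediate step of the same CA/Browser Forum schedule (ballot SC-081).
VALIDITY_SCHEDULE = (
    (date(2029, 3, 15), 47),
    (date(2027, 3, 15), 100),
    (date(2026, 3, 15), 200),
)
PRE_SCHEDULE_MAX_DAYS = 398  # cap in force before March 15, 2026


def max_validity_days(issued_on: date) -> int:
    """Maximum permitted lifetime, in days, for a certificate issued on `issued_on`."""
    for effective_from, days in VALIDITY_SCHEDULE:
        if issued_on >= effective_from:
            return days
    return PRE_SCHEDULE_MAX_DAYS


def lifetime_days(not_before: datetime, not_after: datetime) -> int:
    """Lifetime in whole days, rounding any partial day up (the conservative reading)."""
    return math.ceil((not_after - not_before).total_seconds() / 86400)


def renewal_plan(not_before: datetime, not_after: datetime, now: datetime,
                 renew_fraction: Fraction = Fraction(2, 3)) -> dict:
    """Decide whether a certificate is policy-compliant and when automation should renew it.

    Renewal at two-thirds of the lifetime is an assumed convention: it leaves the last
    third of the lifetime to retry a failed renewal before anything expires.
    """
    lifetime = lifetime_days(not_before, not_after)
    allowed = max_validity_days(not_before.date())
    renew_on = not_before + timedelta(days=math.floor(lifetime * renew_fraction))
    if lifetime > allowed:
        action = "reissue: lifetime exceeds the cap for its issue date"
    elif now >= not_after:
        action = "expired: renew immediately"
    elif now >= renew_on:
        action = "renew now"
    else:
        action = "ok"
    return {
        "lifetime_days": lifetime,
        "max_allowed_days": allowed,
        "compliant": lifetime <= allowed,
        "renew_on": renew_on.date().isoformat(),
        "days_until_renewal": (renew_on - now).days,
        "action": action,
    }


# Constructed sample validity windows (dates only; no real certificates involved).
UTC = timezone.utc
LONG_CERT = (datetime(2026, 4, 1, tzinfo=UTC), datetime(2027, 4, 1, tzinfo=UTC))   # 365 days
SHORT_CERT = (datetime(2026, 4, 1, tzinfo=UTC), datetime(2026, 9, 28, tzinfo=UTC))  # 180 days
EXAMPLE_NOW = datetime(2026, 5, 1, tzinfo=UTC)
EXAMPLE_LATER = datetime(2026, 8, 1, tzinfo=UTC)


if __name__ == "__main__":
    # A one-year certificate issued after March 15, 2026 is already over the cap.
    print(renewal_plan(*LONG_CERT, EXAMPLE_NOW))
    # A 180-day certificate fits, with renewal scheduled for 2026-07-30.
    print(renewal_plan(*SHORT_CERT, EXAMPLE_NOW))
    print(renewal_plan(*SHORT_CERT, EXAMPLE_LATER))
```

Feed it the notBefore/notAfter of each certificate your monitoring already collects (from your load balancers, API gateways, and the client certificates used for mTLS to Salesforce) and page on anything whose action is not "ok".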
Finally, dual-use certificates (a single certificate carrying both the server-authentication and client-authentication extended key usages) are being phased out by June 15, 2026. Mutual TLS setups that presented the same certificate for both purposes will need a separate client certificate, which adds lifecycle work for teams relying on mTLS for API communication.
A recent conflict has emerged between Salesforce’s updated authentication checks and Microsoft Entra ID (Azure AD) behavior. Since February 3, 2026, Salesforce requires either a valid SAML AuthnContext or a recognized AMR (Authentication Method Reference) claim before it treats a login as satisfying its device-trust checks. Entra ID currently sends an “unspecified” AuthnContextClassRef and AMR values Salesforce does not recognize, so users hit unexpected device-activation prompts instead of seamless SSO.
The resolution window appears to be mid-February, when Entra ID’s AMR support is expected to line up with what Salesforce enforces; until then, expect the prompts and brief your help desk accordingly.
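As an added diagnostic (not Salesforce's own logic, which this page does not document), the Python below extracts the AuthnContextClassRef values from a SAML assertion and the amr claim from an OIDC ID token, flags the "unspecified" class, and flags amr values outside the registry in RFC 8176. The assertion and token are constructed samples, the amr values in them are made up for illustration rather than copied from Entra ID, and the JWT decode deliberately skips signature verification because it is for inspection only.

```python
import base64
import json
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
UNSPECIFIED_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

# Authentication Method Reference values registered by RFC 8176. What Salesforce itself
# accepts is not documented on this page; values outside this set are flagged for review.
RFC8176_AMR = {
    "face", "fpt", "geo", "hwk", "iris", "kba", "mca", "mfa", "otp", "pin", "pop",
    "pwd", "rba", "retina", "sc", "sms", "swk", "tel", "user", "vbm", "wia",
}


def saml_authn_context_classes(assertion_xml: str) -> list:
    """All AuthnContextClassRef values in a SAML 2.0 assertion or response, in document order."""
    root = ET.fromstring(assertion_xml)
    tag = "{%s}AuthnContextClassRef" % SAML_ASSERTION_NS
    return [el.text.strip() for el in root.iter(tag) if el.text and el.text.strip()]


def jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying its signature.

    Only for looking at what the IdP sends; never make an access decision on this.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(assertion_xml=None, id_token=None) -> dict:
    """Explain why a federated login might fall back to a device-activation prompt."""
    findings = []
    classes = saml_authn_context_classes(assertion_xml) if assertion_xml else []
    amr = jwt_payload(id_token).get("amr", []) if id_token else []
    if assertion_xml and not classes:
        findings.append("SAML assertion carries no AuthnContextClassRef")
    if UNSPECIFIED_CLASS in classes:
        findings.append("AuthnContextClassRef is 'unspecified': no authentication strength is asserted")
    if id_token and not amr:
        findings.append("ID token has no amr claim")
    unknown = sorted(set(amr) - RFC8176_AMR)
    if unknown:
        findings.append("amr values not registered in RFC 8176: %s" % ", ".join(unknown))
    return {
        "authn_context_classes": classes,
        "amr": amr,
        "findings": findings,
        "likely_prompt": bool(findings),
    }


def unsigned_jwt(claims: dict) -> str:
    """Build an alg=none token purely to construct sample input (never accept such tokens)."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64(claims) + "."


# Constructed sample assertion: the 'unspecified' class the text describes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_sample" Version="2.0" IssueInstant="2026-02-04T09:00:00Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2026-02-04T09:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

# Constructed sample token; "fed" is a made-up value outside the RFC 8176 registry.
SAMPLE_ID_TOKEN = unsigned_jwt({"iss": "https://idp.example.com/", "sub": "user@example.com",
                                "amr": ["pwd", "fed"]})


if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_ASSERTION, SAMPLE_ID_TOKEN), indent=2))
    print(json.dumps(diagnose(id_token=unsigned_jwt({"amr": ["pwd", "mfa"]})), indent=2))
```

Capture the assertion from a browser SAML tracer (or the ID token from the OIDC response) for one affected user and run it through diagnose() to confirm you are looking at this issue rather than at an unrelated session or network policy.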
Starting in February 2026, Salesforce’s Spring ’26 release auto-enforces stronger security measures across OmniStudio, including object-level and field-level security, Apex class access restrictions, and secure query execution. Non-compliant components may break or fail silently. Administrators should preemptively enable necessary security flags, validate components, and conduct regression tests ahead of rollout.
In Spring ’26, Salesforce has removed the ability to include session IDs in outbound messages. Instead, OAuth must now be used for outbound authentication, aligning with modern security best practices and reducing the risk of session hijacking.
Spring ’26 brings enhancements to the Security Health Check feature. Admins can now review critical IAM settings—like MFA, SAML enablement, and session management—in one dashboard. More notably, the platform supports proactive email notifications when security posture shifts, such as a change in password policy or session timeout settings.
WithSecure’s Cloud Protection for Salesforce adds identity protection features, scanning for compromised credentials—including dark-web exposure—and alerting admins before threat actors can act.
Additionally, their Orion 2.6 release scans and blocks password-protected archives and newly registered domains in real time, two tactics often used by phishing and malware campaigns to slip past content inspection.
Security updates aren’t merely technical; they have tangible ripple effects. For instance, Winter ’26 limits Salesforce standard Setup data exports to one file at a time, enforcing a minimum wait of roughly 60 seconds between downloads, which changes backup workflows that used to pull many export files in quick succession.
Quicker certificate rotations, stricter authentication checks, and heightened app regulation—Salesforce’s recent updates reflect a security-first shift that anticipates rising threats. While this means more complexity for admins and developers, it also offers clarity, stronger defaults, and greater control.
To stay ahead:
– Migrate to ECAs and remove old Connected Apps
– Update trust stores to include DigiCert G2
– Automate certificate renewals
– Collaborate with your identity provider (IdP) vendors to manage SSO transitions
– Run tests on OmniStudio and outbound integrations
– Leverage centralized health dashboards and identity scanning
– Train teams on new behaviors like rate-limited exports
Q: Why did Salesforce disable Connected App creation by default?
A: To reduce unauthorized integration risks; External Client Apps offer a safer, modular option and should be adopted instead.
Q: What happens if my systems don’t include the DigiCert Global Root G2?
A: APIs and browser access to Salesforce may fail or throw security warnings. Ensure your trust stores are updated immediately.
Q: How do I handle the shorter certificate lifespan?
A: Automate your certificate renewal process. With maximum lifespans now 200 days—and eventually shorter—it’s essential to avoid downtime.
Q: Why are my Entra ID SSO users being prompted for device activation?
A: Salesforce now requires a valid AuthnContext or a recognized AMR claim. Entra ID’s current claims aren’t recognized, so the prompts continue until the claims Entra ID sends line up with what Salesforce enforces, expected around mid-February.
Q: What does Spring ’26’s enforcement of OmniStudio security mean?
A: Custom components must explicitly meet object, field, and Apex access rules or risk breaking. Validate and test ahead of release.
Q: How can I detect compromised credentials early?
A: WithSecure’s Cloud Protection adds identity breach scanning, alerting you if accounts are exposed on the dark web or via other breach intelligence feeds.