This guide explains how to strengthen identity security in Salesforce using Salesforce’s built-in controls, and how WithSecure Cloud Protection for Salesforce adds what Salesforce doesn’t cover: continuous awareness of credential exposure, helping detect compromised users before attackers exploit them.
Why identity security needs its own strategy in Salesforce
Most modern Salesforce intrusions don’t start with a software bug. They start with valid access.
Attackers steal passwords, harvest OAuth tokens, or trick admins into installing trojanized admin tools. Then they act from inside by using legitimate API calls and UI actions that look normal at first. When attackers operate legitimately, detection slows and damage grows.
According to the 2025 Verizon Data Breach Investigations Report, credential compromise remains one of the top causes of cloud breaches, involved in 22% of incidents globally.
In Salesforce, that risk multiplies when partners, suppliers, and customers log in through community portals or integrated apps that sit outside corporate identity monitoring.
Traditional Salesforce controls cover how users log in, but do not monitor whether their credentials have already been stolen or reused. That’s the “silent weakness” attackers rely on. Credential compromise is in fact one of the top three attack vectors in breaches, according to IBM.
The takeaway: treat identity as telemetry. That starts with visibility: knowing who’s logging in, how tokens are used, and whether any credentials have surfaced in external breaches. Doing that turns user credentials from “silent failure points” into early-detection signals.
With that threat picture in mind, harden the Salesforce foundations first. Then layer more advanced monitoring, connected-app hygiene, and credential-exposure detection to close the blind spots attackers exploit.
1. Strengthen Salesforce-native identity foundations
Salesforce provides several built-in tools for authentication and access control. Configure them first to reduce the chance of unauthorized logins.
Multi-Factor Authentication (MFA)
MFA adds a second verification step beyond passwords. Salesforce supports an org-wide MFA enforcement option and an array of verification methods including authenticator apps and security keys. Enforce MFA either at the Salesforce level or centrally via your IdP for SSO. For Experience Cloud/community users, require SSO or configure MFA where feasible. Behavior depends on how those external users are managed.
Learn more in Salesforce’s Multi-Factor Authentication Overview and Org-Wide MFA Setting Guide.
Supported methods are listed in Verification Methods for MFA.
Single Sign-On (SSO) and identity providers
Integrate Salesforce with your corporate identity provider (IdP) to centralize authentication. Use SAML or OpenID Connect for secure federation.
Centralized policies make it easier to enforce password complexity, session limits, and lockout rules across cloud systems.
See the Salesforce Identity Overview for more details.
2. Secure Experience Cloud and external users
External and community users often follow different identity rules than employees. That increases risk.
These community users are often customers, partners, suppliers, and contractors who fall outside corporate identity and access management systems, including authentication. If their account credentials, including passwords, are recycled and exposed elsewhere – for example, in consumer platform breaches – attackers can reuse them to impersonate trusted partners or customers inside Salesforce. Individuals also tend to be less vigilant about accounts other than the primary corporate one they use for work.
To minimize risk, give external users minimal roles and permissions. Disable self-registration if unused. Apply MFA if feasible. Deactivate orphaned or inactive accounts regularly. Monitor for credential breaches (more about this in #5 below).
Guidance: Manage External Users and Give External Users Access to Manage Other Accounts.
External accounts extend your identity boundary beyond your company. When attackers target those identities, they’re already inside your trusted ecosystem.
3. Monitor and investigate with Event Monitoring
Even with MFA and SSO, identity threats can bypass configuration-based defenses.
Event Monitoring shows what happens after login — across user behavior, API usage, and data exports.
Watch for:
- Logins from new geographies
- Large or unexpected data exports
- Abnormal API usage or failed MFA attempts
Enable real-time Event Monitoring/Shield and stream those events to your SIEM for correlation and alerting.
Monitoring turns authentication from a static control into continuous intelligence you can act on.
Guidance: Event Monitoring Overview and Enable Access to Event Monitoring.
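The following is an added example (not WithSecure’s or Salesforce’s code) of the kind of detection logic a SIEM rule or a script run over exported Event Monitoring data implements for two of the signals listed above: successful logins from a country outside a user’s baseline, and a success immediately preceded by a burst of failed logins. The sample rows, the GeoIP lookup and the baselines are constructed; the column names follow the Salesforce Login event type but are assumed here.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample rows in the shape of a Salesforce Login event log file.
# Column names follow the Login event type but are assumed here, and real
# files carry many more columns; IPs are documentation ranges.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,SOURCE_IP,LOGIN_STATUS
Login,2025-10-01T08:00:00Z,alice@example.com,198.51.100.10,LOGIN_NO_ERROR
Login,2025-10-01T08:05:00Z,alice@example.com,198.51.100.10,LOGIN_NO_ERROR
Login,2025-10-02T03:12:00Z,alice@example.com,203.0.113.7,LOGIN_NO_ERROR
Login,2025-10-02T03:13:00Z,bob@example.com,203.0.113.7,LOGIN_ERROR_INVALID_PASSWORD
Login,2025-10-02T03:13:20Z,bob@example.com,203.0.113.7,LOGIN_ERROR_INVALID_PASSWORD
Login,2025-10-02T03:13:40Z,bob@example.com,203.0.113.7,LOGIN_ERROR_INVALID_PASSWORD
Login,2025-10-02T03:14:00Z,bob@example.com,203.0.113.7,LOGIN_NO_ERROR
"""

# Constructed stand-in for a GeoIP lookup and for each user's usual countries.
GEO = {"198.51.100.10": "FI", "203.0.113.7": "BR"}
BASELINE = {"alice@example.com": {"FI"}, "bob@example.com": {"FI"}}

FAIL_BURST = 3  # failed logins by one user before a success that raise an alert


def analyze_login_events(log_text, baseline=BASELINE, geo=GEO, fail_burst=FAIL_BURST):
    """Return alert tuples: successful logins from a country outside the user's
    baseline, and successful logins preceded by a burst of failures (the
    pattern a password-guessing or credential-stuffing attempt leaves behind)."""
    alerts = []
    fails = defaultdict(int)
    for row in csv.DictReader(StringIO(log_text)):
        if row["EVENT_TYPE"] != "Login":
            continue
        user, when = row["USER_NAME"], row["TIMESTAMP_DERIVED"]
        country = geo.get(row["SOURCE_IP"], "unknown")
        if row["LOGIN_STATUS"] != "LOGIN_NO_ERROR":
            fails[user] += 1  # count consecutive failures per user
            continue
        if country not in baseline.get(user, set()):
            alerts.append(("new_country", user, country, when))
        if fails[user] >= fail_burst:
            alerts.append(("failures_then_success", user, fails[user], when))
        fails[user] = 0  # a success closes the failure window
    return alerts


if __name__ == "__main__":
    for alert in analyze_login_events(SAMPLE_LOG):
        print(alert)
```

In production the baseline would be built from historical logins and the GeoIP lookup replaced by a real database; the rule logic stays the same.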
4. Manage connected identities and integration users
Integration accounts typically authenticate via OAuth or API tokens rather than an interactive UI login with MFA. Secure these accounts by using unique integration users, limiting OAuth scopes, enforcing token lifetimes and refresh-token rotation, and requiring admin approval for connected apps.
Give each integration its own Salesforce user account. Apply least-privilege permissions using profiles and permission sets.
Enforce token expiry and revoke tokens when integrations are retired.
Require admin review before approving new connected apps and limit OAuth scopes to what’s essential.
Salesforce references: API Access Control for All Users.
For more practical context, see How to Secure Connected Apps and OAuth Connections in Salesforce.
Compromised integration users can silently move data between systems. Securing them preserves trust across your Salesforce ecosystem.
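As an added example (not WithSecure’s or Salesforce’s code), the audit below applies the four rules from this section to a constructed inventory of connected apps and their OAuth grants: a live token for a retired integration, scopes beyond what the app was approved for, a token older than an assumed 90-day maximum, and one integration user shared by several apps. Only the scope names are real Salesforce OAuth scopes; the apps, users, dates and the `allowed_scopes` per app are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 10, 15, tzinfo=timezone.utc)  # fixed clock for a repeatable run
MAX_TOKEN_AGE = timedelta(days=90)                  # assumed policy for token lifetime

# Constructed inventory of connected apps and their OAuth grants. "full",
# "api" and "refresh_token" are real Salesforce OAuth scope names; app names,
# users and dates are made up for this example.
APPS = {
    "billing-sync":  {"retired": False, "allowed_scopes": {"api", "refresh_token"}},
    "legacy-export": {"retired": True,  "allowed_scopes": {"api"}},
    "marketing-etl": {"retired": False, "allowed_scopes": {"api", "refresh_token"}},
}
GRANTS = [
    {"app": "billing-sync",  "user": "int.billing@example.com", "scopes": {"api", "refresh_token"},  "issued": NOW - timedelta(days=10)},
    {"app": "legacy-export", "user": "int.export@example.com",  "scopes": {"api"},                   "issued": NOW - timedelta(days=30)},
    {"app": "marketing-etl", "user": "int.billing@example.com", "scopes": {"full", "refresh_token"}, "issued": NOW - timedelta(days=120)},
]


def audit_grants(apps=APPS, grants=GRANTS, now=NOW, max_age=MAX_TOKEN_AGE):
    """Return (app, user, finding) tuples for the hygiene rules in the section:
    live tokens for retired apps, scopes beyond the app's allow-list, tokens
    past their maximum age, and one integration user shared by several apps."""
    findings = []
    apps_per_user = defaultdict(set)
    for g in grants:
        app = apps[g["app"]]
        apps_per_user[g["user"]].add(g["app"])
        if app["retired"]:
            findings.append((g["app"], g["user"], "token_for_retired_integration"))
        extra = g["scopes"] - app["allowed_scopes"]
        if extra:
            findings.append((g["app"], g["user"], "excess_scopes:" + ",".join(sorted(extra))))
        if now - g["issued"] > max_age:
            findings.append((g["app"], g["user"], "token_past_max_age"))
    for user, names in apps_per_user.items():
        if len(names) > 1:  # one user per integration is the rule in the text
            findings.append(("*", user, "shared_integration_user:" + ",".join(sorted(names))))
    return findings


if __name__ == "__main__":
    for finding in audit_grants():
        print(finding)
```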
5. Go beyond configuration: detect exposed credentials early
Your Salesforce security tools can’t see whether a user’s email and password have been exposed in third-party breaches, but attackers can.
In Salesforce, a single compromised login can open access to customer data, business processes, and integrated systems.
WithSecure Cloud Protection for Salesforce brings early warning to that risk with Identity Protection capability.
Identity Protection monitors internal and community Salesforce users against global breach intelligence feeds, detecting newly exposed credentials before attackers reuse them.
Scans run automatically, flagging at-risk accounts and logging every detection for audit and compliance reporting.
This adds a threat-intelligence-driven layer to Salesforce’s authentication framework, providing continuous awareness of credential exposure and identity risk.
Why it matters: table stakes like MFA and password policies protect the platform.
Identity Protection protects your business from credential-based fraud, impersonation, and supply-chain abuse, a cascade that can start with a single compromised user account.
Practical identity hardening checklist for Salesforce
Some of these actions are table stakes — others go a step further. Attackers are moving quickly, using valid credentials, hijacked tokens, and automation to exploit trust inside Salesforce.
Security controls need to keep pace.
This checklist combines the essentials every Salesforce environment should have in place with measures that prepare you for where the threat landscape is headed.
Authentication and access controls
- Enforce MFA for all login paths, including employees, partners, and community users.
- Centralize authentication with SSO and a trusted identity provider.
- Configure Login IP Ranges and session policies to limit access from unfamiliar networks.
- Regularly audit permission sets and remove unnecessary admin rights.
External and community users
- Review all Experience Cloud and partner accounts.
- Disable unused self-registration and deactivate orphaned or inactive users.
- Apply MFA to external accounts wherever feasible.
Connected apps and integrations
- Require admin review before approving any new connected app.
- Assign a unique integration user for each app with least-privilege permissions.
- Limit OAuth scopes and enforce token expiry or revocation when apps are retired.
- Maintain an up-to-date inventory of connected apps, integration users, and active tokens.
- Establish a clear process for token or app revocation when suspicious activity is detected.
Monitoring and response
- Use Salesforce Event Monitoring to detect unusual login, export, or API activity.
- Integrate Event Monitoring with your SIEM or SOC for alerting and analysis.
- Log detections and admin actions to maintain a verifiable audit trail for compliance.
- After any incident, review permissions, connected apps, and integration tokens.
Credential exposure detection
- Enable continuous credential-exposure scanning with WithSecure Identity Protection to detect compromised user accounts early.
Identity = trust
Every login in Salesforce is a moment of trust. Securing that trust takes visibility, discipline, and continuous attention.
You can’t stop every breach that may involve your Salesforce users’ credentials on the internet, but you can control whether those breached credentials still work in your Salesforce org.
Explore how WithSecure Cloud Protection for Salesforce helps you detect exposed credentials before attackers act.