Salesforce Summer ’26 Release Date – Impact on Your Workflows

Salesforce Summer ’26 reaches production orgs on June 5, June 12, and June 13, 2026. One of the most important changes for admins is Step-Up Authentication for reports. This update adds an extra MFA verification step when users access report data, making it essential to review security settings and user readiness before enforcement starts.

Salesforce is rolling out Summer ’26 to production environments on June 5, June 12, and June 13, 2026. The exact date depends on your Salesforce instance.

To find your release date, enter your instance name in Salesforce Trust. The site lists scheduled maintenance and upgrade windows for every instance.

If Summer ’26 has not reached your environment yet, Salesforce Trust will indicate whether your instance is scheduled for the June 12 or June 13 release.

Summer ’26 includes many new features, but five security updates require admin attention. This section provides a brief overview. The next section covers step-up authentication for reports in detail.

Salesforce’s step-up authentication framework requires users to verify their identity before accessing report or dashboard data, even if they are already signed in and have completed MFA.

The requirement applies to data access, not just downloads or exports.

According to Salesforce’s Prepare for Step-Up Authentication on Report Actions article, “The step-up challenge is triggered when a user accesses, runs, or views reports and dashboards, rather than waiting for them to click a ‘Download’ or ‘Export’ button.”

Users may encounter a step-up authentication challenge when they:

The requirement addresses risks such as screen scraping and browser-based data capture.

Salesforce uses the Step-Up Authentication Period (Minutes) setting to determine how long a completed verification remains valid.

Admins can set the value between 1 and 120 minutes. The default value is 120 minutes.

With the default setting:

MFA at login does not reset this timer. Salesforce treats report and dashboard access as a separate verification event.

Users can complete the challenge using:

Users who have not registered a Salesforce MFA method can verify their identity with a one-time passcode (OTP) sent by email or SMS.

Step-up authentication applies to all Salesforce users, including users who authenticate through Single Sign-On (SSO).

If an SSO user has not registered with Salesforce MFA, Salesforce sends a one-time passcode (OTP) by email or SMS.

Trusted IP ranges and corporate networks do not exempt users from the requirement. Salesforce can still require verification when the configured authentication period expires.

The framework is enabled by default.

The cool-down period controls how long users can access Reports and Dashboards after completing step-up authentication.

Go to:

Setup → Identity Verification →Reports and Dashboards ->Select “Require step-up authentication” from drop down:

Set the setup authentication period to a value between 1 to 120 minutes based on how your teams use reports -> Save

Sales Teams: Sales users often open reports and dashboards multiple times throughout the day. The default 120-minute setting reduces repeated MFA prompts and keeps reporting workflows uninterrupted.

Finance Teams: Finance teams typically access reports during scheduled review periods. A shorter period usually works well because report access is less frequent and often involves sensitive financial data.

Operations and BI Teams: Operations and BI teams may run large exports or multiple reports during a single session. Schedule these activities within one MFA window to avoid repeated authentication requests.

One thing to keep in mind: set the window too low, and you’ll annoy report-heavy teams with constant re-authentication. Set it too high, and the control stops doing its job. Tie the value to how often your team actually runs reports, not to either extreme.

Salesforce’s new step-up authentication requirement impacts UI-based and API-based data extraction differently.

UI-based extraction involves accessing data through the Salesforce interface, such as running or exporting reports. API-based extraction uses Salesforce APIs, including REST, SOAP, Bulk, and Analytics APIs.

This distinction is important because step-up authentication applies only to report and dashboard activity in the Salesforce UI. According to Salesforce, this change helps prevent “data theft via UI-based screen scraping or browser-based data capture.”

What this means:

Teams that extract Salesforce data through APIs can continue using their current workflows. This includes integrations using SOQL queries, the Analytics API with OAuth, connected apps, and other API-based methods.

For admins seeking alternatives to report exports, SOQL queries are the standard method for API-based data extraction. SOQL enables direct retrieval of Salesforce data through authenticated API connections. Tools such as XL-Connector and G-Connector allow admins to run SOQL queries from Excel or Google Sheets.

External tools that pull report data through the UI export endpoint will be affected by step-up authentication. Tools that use the Analytics API or SOQL queries with OAuth will continue to work without additional authentication prompts.

Use this checklist to prepare your Salesforce org for upcoming security and authentication changes.

Review users with the System Administrator profile or permissions such as Modify All Data, View All Data, Customize Application, and Author Apex. Ensure they enroll in a phishing-resistant MFA method, such as a passkey, Windows Hello, Touch ID, or a security key.

Verify that all users have an approved MFA method enrolled. Address enrollment gaps before enforcement begins.

Test report access and export workflows after May 27. Sandboxes receive the feature before production, giving you time to identify issues before the June 10 rollout.

Go to Setup → Identity Verification and set an authentication period based on how often users run or export reports. This helps reduce unnecessary verification prompts.

Notify users about the new report authentication requirements, especially those who run reports regularly. Early communication helps reduce confusion and support requests.

Identify integrations that still rely on the SOAP login() API. Plan a move to OAuth 2.0 or Named Credentials to maintain compatibility with future Salesforce releases.

Identify connected apps that use the OAuth 2.0 username-password flow. Salesforce plans to retire this flow in Winter ’27, so start evaluating alternative authentication methods.

Update documentation for MFA enrollment, passkey setup, identity verification, and report access procedures. Clear guidance helps users complete setup with fewer issues.

Before Summer ’26 reaches your org, take a few minutes to review how users and integrations access Salesforce.

Built-in authenticators, including Windows Hello, Touch ID, and Face ID, are specific to each device. If you access Salesforce from multiple devices, you must register the authenticator on each device or use an alternative multi-factor authentication (MFA) method, such as Salesforce Authenticator, a time-based one-time password (TOTP) application, or a hardware security key.

For detailed instructions on replacing or switching devices, refer to Salesforce’s Manage Built-in Authenticators When Switching Devices article.

Register at least two MFA methods for each user to minimize the risk of account lockout if a device is lost, replaced, or unavailable.

For administrator accounts, maintain a separate emergency administrator account with a distinct MFA method stored independently. This ensures access during account recovery or other emergency situations.

Maybe. Salesforce checks information from your identity provider to determine whether an SSO login meets its MFA requirements. If it doesn’t, users may be prompted for MFA in Salesforce after signing in.

If you use SSO, review Salesforce’s Prepare for MFA Enforcement for All Employee Users and then confirm that your identity provider is configured correctly.

Salesforce Summer ’26 brings a few new features, but the biggest change for admins is stronger security. The key date is June 10, 2026, when Salesforce enforces Step-Up Authentication for reports in production.

Your job is to make the change smooth for users. The report authentication period is the main setting to adjust to reduce unnecessary MFA prompts while keeping report data secure.

Test the new authentication flow in a preview sandbox. Let users know what to expect. Review integration accounts to confirm they are API-only. A little preparation now can prevent access issues later.