Free Salesforce Admin Tutorial >

Chapter 7 - Data Security >

Restrict Login Access by IP Address in Salesforce

Restrict Login Access by IP Address in Salesforce

What You’ll Learn

S2 Labs

If you run a Salesforce org, you must be concerned about the security of your platform. Salesforce provides features that allow you to easily control login access at the user level. You can specify a range of allowed IP addresses on a user’s profile.

This setting prevents unauthorized users from accessing your Salesforce org. A login from any other IP address is denied when you define IP address restrictions for a profile. Take a look at how you can activate this feature.

Restrict Login Access By IP Address

By default, Salesforce doesn’t restrict the location for login access. However, administrators can restrict login access by IP address for added security. Administrators can specify an IP address range for the entire organization and specific user profiles. Still, the behavior is very different for each option.

If the login IP range is set at:

  1. Organization Level: Users who log in outside the IP range (which is set) are shown a login challenge. If they complete the challenge question, login access is granted by entering an activation code sent to their mobile device or email address. This method only allows partial access for users outside of the IP range (which is set). Here, the set IP range is called the “trusted” IP range.
  1. Profile Level: Users outside the permitted IP range (which is set) are consistently denied access.

How to Restrict IP Address in Salesforce?

To restrict a particular IP address from accessing Salesforce.org, you can follow the steps given below: 

  1. From Setup, in the Quick Find box, enter Profiles, and then select Profiles.
  1. Depending on which user interface you’re using, do one of the following:
    1. In the enhanced profile user interface, click Login IP Ranges and Add IP ranges.
    2. In the original profile user interface, scroll down to the Login IP Ranges related list and click New.
  1. Specify allowed IP addresses for the profile. Enter a valid IP address in the IP Start Address field and a higher-numbered IP address in the IP End Address field. Enter the same address in both fields to allow logins from a single IP address.

Note: The IP addresses in a range must be IPv4 or IPv6. In ranges, IPv4 addresses exist in the IPv4-mapped IPv6 address space ::ffff:0:0 to ::ffff:ffff:ffff, where ::ffff:0:0 is and ::ffff:ffff:ffff is A range can’t include IP addresses both inside and outside of the IPv4-mapped IPv6 address space. Ranges like to ::1:0:0:0 or :: to ::1:0:0:0 aren’t allowed.

  1. Optionally enter a description for the range. If you maintain multiple ranges, use the Description field to provide details, such as which part of your network corresponds to this range.
  2. Click Save.
Restrict Login Access step last

To restrict access to only those IPs in Login IP Ranges in Salesforce, in Setup, in the Quick Find box, enter Session Settings, and then select Session Settings. Select Enforce login IP ranges on every request. This option affects all user profiles that have login IP restrictions.

This was all about restriction features for IP addresses in Salesforce.org and how to implement them.


Download Study Material

Get access to exclusive study material for Salesforce Certification and ace your exams!

Download Now

Our Salesforce Certification Courses

Hey there! Glad you made it through our Salesforce Developer Training for beginners . But wait! We've got some high-in-demand Salesforce courses for you to take your Salesforce skills to the next level, making you a desired professional in the Salesforce job market.

Post a Comment

Your email address will not be published. Required fields are marked *