Network Access defines IP ranges from which logins are trusted (no MFA prompt) versus all other IPs (MFA required even after entering correct credentials). It's a coarse-grained security control — useful for marking a corporate office as trusted while requiring MFA from home.
- Open Setup → Network Access
Setup gear → Quick Find: Network Access → Network Access.
- Click New
Top-right of the list.
- Set Start IP Address and End IP Address
Inclusive range — e.g. 192.168.1.0 to 192.168.1.255 covers a /24 subnet. For a single IP, set Start = End.
- Set Description
What network this is — "NYC Office," "VPN Pool," "AWS Bastion."
- Save
The IP range is now Trusted. Logins from these IPs skip the MFA prompt (assuming MFA is the only condition).
- Combine with Login IP Ranges per profile for stricter control
Setup → Profile → Login IP Ranges → narrow further per profile if needed. Network Access (org-wide) + Profile Login IP Ranges = layered security.
Start IP Address / End IP Address: Inclusive range. /24 subnet = 256 IPs.
Description: Plain-text label. Helps when reviewing later.
Login IP Ranges: Per-profile additional restriction. Setup → Profile → Login IP Ranges.
- Trusted IP Ranges skip MFA but DON'T skip authentication. Users still enter their password — MFA is the second factor that's bypassed.
- Profile Login IP Ranges are stricter than org Network Access. A profile with no Login IP Ranges allows logins from any IP (subject to other policies); a profile with Login IP Ranges blocks logins outside those ranges entirely.
- VPN exit IPs change. If your team works remote, the VPN's IP pool needs to be in Network Access — coordinate with the network team to keep the list current.
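The layering described above can be checked offline before ranges are entered in Setup. The following is an added example, not Salesforce code: it models the rules exactly as this page states them, and the function names, outcome strings and sample ranges are assumptions made for illustration.

```python
import ipaddress

def cidr_to_range(cidr):
    """Inclusive (start, end) pair for the Start/End IP Address fields."""
    net = ipaddress.ip_network(cidr, strict=True)  # ValueError if host bits are set
    return str(net[0]), str(net[-1])

def range_size(start, end):
    """Number of addresses an inclusive range trusts; rejects reversed ranges."""
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"bad range {start}-{end}")
    return int(hi) - int(lo) + 1

def in_ranges(ip, ranges):
    """True if ip falls inside any inclusive (start, end) pair."""
    addr = ipaddress.ip_address(ip)
    for start, end in ranges:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo.version == addr.version and lo <= addr <= hi:
            return True
    return False

def login_outcome(ip, trusted_ranges, profile_ranges):
    # Layer 1: a profile with Login IP Ranges blocks everything outside them;
    # an empty list models a profile with no ranges (any IP allowed).
    if profile_ranges and not in_ranges(ip, profile_ranges):
        return "blocked"
    # Layer 2: an org-wide trusted range skips only the MFA prompt, not the password.
    if in_ranges(ip, trusted_ranges):
        return "password only"
    return "password + MFA"

# Constructed sample data (not from any real org)
TRUSTED = [cidr_to_range("192.168.1.0/24"), ("203.0.113.10", "203.0.113.10")]
PROFILE = [("192.168.1.0", "192.168.1.127")]

if __name__ == "__main__":
    for ip in ("192.168.1.50", "192.168.1.200", "203.0.113.10", "198.51.100.7"):
        print(ip, "| no profile ranges:", login_outcome(ip, TRUSTED, []),
              "| with profile ranges:", login_outcome(ip, TRUSTED, PROFILE))
```

Running `range_size` over every entry before saving is a quick way to spot a range that trusts far more addresses than its description implies.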