User Management Settings configure org-wide policies for User accounts — username format, lockout durations, MFA enforcement defaults. The page is small but the toggles affect every User in the org.
- Open Setup → User Management Settings
Setup gear → Quick Find: User Management → User Management Settings.
- Configure Username Format
Optional org-wide convention. Most orgs use email-based usernames; some use shorter formats.
- Set Default Locking and Lockout Duration
Set how many failed login attempts trigger a lockout and how long the lockout lasts before the account unlocks automatically.
- Configure MFA enforcement
Choose whether MFA is required org-wide or per-profile. Salesforce has contractually required MFA for admin profiles since 2022.
- Save
Settings apply to all User accounts.
Number of failed login attempts before lockout. Default 10.
How long the lockout lasts. Default 15 minutes; configurable up to 24 hours.
Org-wide vs per-profile. Per-profile is more flexible.
Format guidance for new Users.
- Username format is a convention, not enforcement. Salesforce doesn't validate format on User creation — admins can create non-conforming usernames.
- Lockout Duration above 24 hours requires admin intervention to unlock. Plan a lockout-help process before going strict.
- MFA enforcement is contractually required for admins. Don't disable it on admin profiles; non-compliance can affect your contract.