Expire All Passwords
Expire All Passwords is a one-click Salesforce administrative action that invalidates the existing password for every user in the org, forcing each user to set a new password on their next login.
Definition
The action is irreversible once executed: there is no undo, no per-user exemption applied retroactively, and no way to recover the prior passwords. It is one of the most consequential single actions an administrator can take in Salesforce, used almost exclusively during security incidents (suspected credential compromise) or major password-policy resets (a forced rotation after a policy change).
The action lives under Setup > Users > Expire All Passwords. It applies to every user in the org including system admins, sandbox users, and integration users with standard logins. Users with single sign-on configured continue to authenticate through their SSO provider; only users who log in with a Salesforce username and password are affected. The platform records the action in the Setup Audit Trail with the executing administrator's name, providing an incident response record.
When and how to use Expire All Passwords
When to use this action
Expire All Passwords is reserved for two scenarios. First: a security incident where credentials may have been compromised. A confirmed phishing attack, a leaked credential dump, or evidence of unauthorized access calls for global expiration as part of containment. Second: a forced policy reset, often after enabling a stronger password policy (longer length, more complexity) and requiring all users to set passwords meeting the new rules. Outside these scenarios, the operational disruption is rarely worth the action.
Impact on SSO users
Users authenticated through SAML SSO, Social Sign-On, or other federated identity providers are unaffected by Expire All Passwords. The action only invalidates the Salesforce-stored password, which SSO users do not use. However, if SSO breaks for any reason and users fall back to password login, they will hit the expired password and need to reset. Plan SSO health checks before executing this action so SSO users do not get stranded.
Impact on integration users
Integration users that authenticate with username and password (the legacy pattern before OAuth and Connected Apps) are blocked by this action until someone manually sets a new password. This breaks every integration using that pattern: ETL jobs, middleware connectors, custom API clients. Modern integrations using OAuth or JWT bypass the password entirely and are unaffected. Audit integration credentials before executing; surprise integration outages caused by this action are common and embarrassing.
The user experience after expiration
On next login, each affected user is redirected to the password-change page. They cannot access any Salesforce data until they set a new password meeting the current password policy. The reset uses the standard password recovery flow, which means the email associated with the user must be reachable. Users with stale email addresses on their User record cannot complete the reset without admin intervention.
Audit trail and accountability
The Setup Audit Trail captures the action with timestamp and executing user. This is the only durable record; the action does not produce a per-user audit entry. For incident response purposes, capture screenshots of the audit trail immediately after the action so the record is preserved in case the trail's retention window expires. Compliance auditors expect to see who triggered global expirations and why.
Alternatives for targeted resets
For most situations, expiring all passwords is too coarse. Alternatives include: resetting individual passwords through the User detail page (Reset Password button) for known-compromised accounts, expiring passwords for a specific profile by querying the affected User records with SOQL and bulk-updating them through Apex DML or Data Loader (set ForcePasswordChange = true), or using a permission set to require multi-factor authentication. These lighter-touch options solve most real-world scenarios without disrupting the entire org.
Communicating the action
Pre-communication is critical. Without a clear announcement, hundreds of users hit the password-change screen on their first login and assume the org has been hacked. The communication should state the action is admin-initiated, explain the reset process, point users to the IT help desk for problems, and note any integration impact. Send the message at least 24 hours before executing for non-emergency resets; for emergency security responses, send immediately as part of the broader incident communication.
Execute Expire All Passwords safely
Executing Expire All Passwords is a serious action with broad organizational impact. The steps below describe the safe execution path for an incident-response scenario, with the audit and communication work that needs to happen alongside the click.
- Confirm the scenario justifies the action
Verify with security and incident response that a global expiration is needed. For most cases, a targeted reset on the affected user is sufficient and far less disruptive.
- Audit integration credentials
List every integration using username and password authentication against the org. Plan a credential reset for each immediately after the global expiration; integrations will break until reset.
- Verify SSO health
Confirm SAML SSO, social login, and any other federated paths are working. Test from a non-admin account. Broken SSO combined with expired passwords leaves users locked out.
- Pre-communicate to the org
Send an email or Slack notification explaining the planned action, the reset process, and the expected timeline. For emergencies, send during the action as part of the incident announcement.
- Execute the action
Setup > Users > Expire All Passwords. Read the confirmation message; click to confirm. The action processes within minutes.
- Verify in Setup Audit Trail
Open Setup Audit Trail and confirm the action is logged with your name and timestamp. Capture a screenshot.
- Reset integration credentials
For each integration audited in step 2, manually set a new password and update the integration configuration with the new credential. Test each integration end-to-end before declaring complete.
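The pre-execution checks above (audit integration credentials, verify SSO paths, verify email validity) can be run mechanically over a User export. The script below is an added example, not code from the page or from Salesforce: it assumes a list of User records with the standard fields Username, Email, IsActive, FederationIdentifier, EmailBouncedDate and the profile name, treats a populated FederationIdentifier as "logs in through SSO" and a profile name containing "Integration" as a password-based integration user, and both of those heuristics are assumptions for the demonstration.

```python
# Added example: triage a User export before clicking Expire All Passwords.
# Assumptions (not from the page): FederationIdentifier set => SSO login,
# profile name containing "Integration" => password-based integration user.
from dataclasses import dataclass, field


@dataclass
class Impact:
    sso_unaffected: list = field(default_factory=list)     # keep SSO working
    password_users: list = field(default_factory=list)     # will be forced to reset
    integration_reset: list = field(default_factory=list)  # credential reset needed
    stale_email: list = field(default_factory=list)        # cannot finish the reset


def triage(users):
    """Classify each active user by what Expire All Passwords does to them."""
    impact = Impact()
    for u in users:
        if not u["IsActive"]:
            continue                                  # inactive users cannot log in anyway
        if u.get("FederationIdentifier"):
            impact.sso_unaffected.append(u["Username"])  # Salesforce password unused
            continue
        impact.password_users.append(u["Username"])
        if "integration" in u["ProfileName"].lower():
            impact.integration_reset.append(u["Username"])  # breaks until reset
        if not u.get("Email") or u.get("EmailBouncedDate"):
            impact.stale_email.append(u["Username"])     # needs admin intervention
    return impact


SAMPLE_USERS = [  # constructed sample records, not real accounts
    {"Username": "admin@example.com", "Email": "admin@example.com", "IsActive": True,
     "FederationIdentifier": None, "EmailBouncedDate": None, "ProfileName": "System Administrator"},
    {"Username": "etl.svc@example.com", "Email": "ops@example.com", "IsActive": True,
     "FederationIdentifier": None, "EmailBouncedDate": None, "ProfileName": "Integration User"},
    {"Username": "sales1@example.com", "Email": "sales1@example.com", "IsActive": True,
     "FederationIdentifier": "sales1", "EmailBouncedDate": None, "ProfileName": "Standard User"},
    {"Username": "old.hire@example.com", "Email": "old.hire@oldco.example", "IsActive": True,
     "FederationIdentifier": None, "EmailBouncedDate": "2024-01-05", "ProfileName": "Standard User"},
    {"Username": "gone@example.com", "Email": "", "IsActive": False,
     "FederationIdentifier": None, "EmailBouncedDate": None, "ProfileName": "Standard User"},
]

if __name__ == "__main__":
    for bucket, names in vars(triage(SAMPLE_USERS)).items():
        print(f"{bucket}: {names}")
```

Anything in integration_reset or stale_email is a blocker to resolve, or consciously accept, before the click; the SSO list is the population to smoke-test in step 3.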
Related terms
- Expire All Passwords: The one-click global action. Setup > Users > Expire All Passwords.
- ForcePasswordChange: Field on the User object. Set to true to force a specific user to reset on next login. The targeted alternative.
- Reset Password: Button on the User detail page. Immediately resets the user's password and emails them the reset link.
- Password expiration policy: Org setting that automatically expires passwords on a schedule (90 days, 180 days). The non-emergency way to enforce regular rotation.
- Data Loader bulk update: Update User.ForcePasswordChange = true for a filtered subset (specific profile) via Data Loader. The targeted-by-profile alternative.
- Integration users with password-based auth break immediately. Audit before executing and plan credential resets for every such integration.
- Users with stale email on the User record cannot complete the reset. Verify email validity for at least the critical user population before executing.
- The action is irreversible. There is no undo and no way to roll back. Confirm the decision before clicking.
- The Setup Audit Trail captures the action only at the org level, not per user. The trail does not show which users actually reset; pair with login history for that view.
- Hitting the password-change screen looks like a phishing attack to many users. Without pre-communication, the help desk sees a wave of "I think we got hacked" tickets.
About the Author
Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals.
Test your knowledge
Q1. What is the primary benefit of Expire All Passwords for Salesforce administrators?
Q2. Why is understanding Expire All Passwords important for Salesforce admins?
Q3. Can a Salesforce admin configure Expire All Passwords without writing code?