Network Access
Network Access is a Setup page where administrators define trusted IP ranges that bypass identity verification challenges.
Definition
Network Access is a Setup page where administrators define trusted IP ranges that bypass identity verification challenges. When users log in from a trusted IP range, they are not prompted for additional verification steps like email codes or Salesforce Authenticator, simplifying the login experience from known corporate networks.
In plain English
“Here's a simple way to think about it: Network Access defines which IPs your org considers trusted. Inside trusted ranges, login is friction-free; outside, identity verification still applies. Match ranges to your real network topology.”
Worked example
The admin at FinServe Bank adds the company's corporate office IP range (10.0.0.0 to 10.0.255.255) and VPN IP range to Network Access. Employees logging in from these trusted networks are not challenged with MFA verification codes, while anyone logging in from an unknown IP address must complete identity verification.
Why Network Access defines which IPs your org considers trusted
Salesforce's default identity verification challenges users when they log in from a new IP address - an SMS code, an email link, an authenticator prompt. Network Access is the page that lets you mark specific IP ranges as trusted, suppressing those challenges for users coming from your corporate office, your VPN exit nodes, your data center networks. Inside the trusted ranges, login is friction-free; outside them, the standard verification stack still applies.
The reason it's worth getting right is that the wrong configuration cuts both ways. Too narrow and remote employees get challenged constantly; too wide and you've effectively disabled identity verification for entire ISP ranges. Match the ranges to your real network topology - the corporate VPN, the office NAT pool, partner-network egress IPs - and tighten them as remote work makes the office a less meaningful concept.
How to set up Network Access
Network Access defines IP ranges from which logins are trusted (no MFA prompt) versus all other IPs (MFA required even after entering correct credentials). It's a coarse-grained security control — useful for marking a corporate office as trusted while requiring MFA from home.
- Open Setup → Network Access
Setup gear → Quick Find: Network Access → Network Access.
- Click New
Top-right of the list.
- Set Start IP Address and End IP Address
Inclusive range — e.g. 192.168.1.0 to 192.168.1.255 covers a /24 subnet. For a single IP, set Start = End.
- Set Description
What network this is — "NYC Office," "VPN Pool," "AWS Bastion."
- Save
The IP range is now Trusted. Logins from these IPs skip MFA prompt (assuming MFA is the only condition).
- Combine with Login IP Ranges per profile for stricter control
Setup → Profile → Login IP Ranges → narrow further per profile if needed. Network Access (org-wide) + Profile Login IP Ranges = layered security.
Inclusive range. /24 subnet = 256 IPs.
Plain-text label. Helps when reviewing later.
Per-profile additional restriction. Setup → Profile → Login IP Ranges.
- Trusted IP Ranges skip MFA but DON'T skip authentication. Users still enter their password — MFA is the second factor that's bypassed.
- Profile Login IP Ranges are stricter than org Network Access. A profile with no Login IP Ranges allows logins from any IP (subject to other policies); a profile with Login IP Ranges blocks logins outside those ranges entirely.
- VPN exit IPs change. If your team works remote, the VPN's IP pool needs to be in Network Access — coordinate with the network team to keep the list current.
How organizations use Network Access
Configured trusted ranges for corporate VPN exit points; office-bound users stop getting daily MFA challenges without compromising remote security.
Plant-floor IP ranges added as trusted; shop-floor users on shared kiosks have a streamlined login experience.
Test your knowledge
Q1. Why is understanding Network Access important for Salesforce admins?
Q2. Can a Salesforce admin configure Network Access without writing code?
Q3. What is the primary benefit of Network Access for Salesforce administrators?
Discussion
Loading discussion…