Definition
Network Access is a Setup page where administrators define trusted IP ranges that bypass identity verification challenges. When users log in from a trusted IP range, they are not prompted for additional verification steps like email codes or Salesforce Authenticator, simplifying the login experience from known corporate networks.
Real-World Example
The admin at FinServe Bank adds the company's corporate office IP range (10.0.0.0 to 10.0.255.255) and VPN IP range to Network Access. Employees logging in from these trusted networks are not challenged with MFA verification codes, while anyone logging in from an unknown IP address must complete identity verification.
Why Network Access Matters
Network Access is a Setup feature where Salesforce administrators define trusted IP ranges for their org. When a user logs in from an IP address within a trusted range, Salesforce skips the identity verification challenge — such as an emailed verification code or Salesforce Authenticator prompt — that would normally occur from an unrecognized location. This is separate from login IP restrictions on profiles, which block access entirely from outside specified ranges. Network Access trusted IPs simply bypass the additional verification step, making the login experience smoother from known corporate networks.
As organizations adopt hybrid and remote work models, Network Access configuration requires careful balancing between security and user experience. Overly broad trusted IP ranges can weaken security by letting attackers who compromise credentials log in without additional verification. Too narrow ranges frustrate legitimate employees who work from home or travel. Organizations that maintain their Network Access list in sync with their VPN infrastructure and office network changes avoid both security gaps and help desk tickets. Regular audits of trusted IP ranges — especially after office moves, ISP changes, or VPN reconfigurations — are essential for keeping this feature effective.
How Organizations Use Network Access
- FinServe National Bank — FinServe adds their corporate headquarters and three branch office IP ranges to Network Access. Employees at these locations log in smoothly without verification codes. When the compliance team audits the configuration quarterly, they confirm that all listed IP ranges correspond to current corporate-owned networks and that the VPN range is narrowly scoped to company-managed VPN exit nodes.
- NovaTech Remote-First — NovaTech is a remote-first company with no physical offices. They add only their corporate VPN IP range to Network Access. Employees must connect to VPN before accessing Salesforce to skip the identity challenge. When a developer accidentally logs in from a coffee shop without VPN, they receive a verification code via email — an intentional security layer for untrusted networks.
- Crestline Healthcare — Crestline's admin adds their hospital network IP range to Network Access but deliberately excludes the guest Wi-Fi subnet. Clinicians accessing Salesforce Health Cloud from hospital workstations log in seamlessly, while anyone connecting from the guest network receives an identity verification challenge, preventing unauthorized access from visitors using the facility's open network.