When you restrict login access by IP address, you define a list of approved IP addresses (or IP ranges) from which users are permitted to log in to your system. Any login attempt from an IP address that falls outside your approved range is either challenged or blocked outright.
In Salesforce, this is implemented through Login IP Ranges — a security feature available at both the Organization level (via Trusted IP Ranges) and the Profile level (via Profile Login IP Ranges). Together, these controls give Salesforce administrators granular power over who can log in and from where.
Think of it this way: your Salesforce org is a building, and IP address restrictions are the keycard access system that decides which doors certain people can walk through — and from which entrances.
2. Why You Should Restrict Login Access by IP Address
Salesforce stores sensitive business data — customer records, financial information, sales pipelines, and more. Without login IP restrictions, any user with valid credentials can log in from anywhere in the world, including potentially compromised locations.
Here’s why restricting login access by IP address is critical:
- Prevents unauthorized remote access — Even if a password is stolen, an attacker outside your trusted IP range cannot log in.
- Reduces insider threats — Employees can be limited to accessing Salesforce only from approved office networks or VPNs.
- Meets compliance requirements — Industries like healthcare, finance, and government often require network-level access controls for regulatory compliance (HIPAA, PCI-DSS, SOC 2, etc.).
- Provides an extra layer beyond MFA — Multi-factor authentication is great, but IP restrictions add a network-level barrier that’s independent of user credentials.
- Reduces attack surface — Limits the geographic and network scope of potential attacks significantly.
By default, Salesforce does not restrict login by location. That means the moment your admin account credentials leak, anyone, anywhere, can attempt to log in. Restricting login access by IP address closes this gap immediately.
3. Organization Level vs. Profile Level IP Restriction
Salesforce lets you restrict login access by IP address at two distinct levels. Understanding the difference is essential before you configure anything.
Organization-Level: Trusted IP Ranges
When you set Trusted IP Ranges at the organization level, you’re telling Salesforce: “These are the IP addresses we consider safe.” However, users logging in from outside these trusted ranges are not automatically blocked — instead, they are presented with a login challenge.
The login challenge requires the user to verify their identity using an activation code sent to their registered email or mobile number. Once verified, access is granted. This is a softer restriction — it provides an additional verification step rather than a hard block.
Best for: Adding a verification layer for all users across the org without blocking access entirely.
Profile-Level: Login IP Ranges
When you define Login IP Ranges on a Profile, the behavior is much stricter. Users assigned to that profile who attempt to log in from an IP address outside the defined range are consistently denied access — full stop. No challenge, no bypass.
Best for: High-security profiles such as System Administrators, API-only users, or integration users who should only ever log in from specific, known locations.
| Feature | Organization-Level (Trusted IP) | Profile-Level (Login IP Ranges) |
|---|---|---|
| Configuration Location | Setup → Network Access | Setup → Profiles → Login IP Ranges |
| Behavior Outside Range | Login challenge (email/SMS code) | Access completely denied |
| Granularity | Applies to entire org | Applies per Profile |
| Override Possible? | Yes, via verification | No |
| Recommended For | General org-wide safety net | High-security or sensitive profiles |
4. How to Restrict Login Access by IP Address in Salesforce (Step-by-Step)
Method 1: Profile-Level Login IP Ranges
This method gives you the strictest control. Follow these steps:
Step 1: Log in to your Salesforce org as an Administrator.
Step 2: Go to Setup. In the Quick Find box, type Profiles and select Profiles from the results.
Step 3: Click on the Profile you want to restrict (e.g., “Standard User”, “System Administrator”).
Step 4: Depending on your interface:
- Enhanced Profile UI: Click Login IP Ranges, then click Add IP Ranges.
- Original Profile UI: Scroll down to the Login IP Ranges related list and click New.
Step 5: Fill in the IP range details:
- IP Start Address — Enter the lowest IP address in the range you want to allow.
- IP End Address — Enter the highest IP address in the range.
- To allow only a single IP address, enter the same address in both fields.
- Optionally, add a Description to identify the range (e.g., “HQ Office Network”, “VPN Range”).
Step 6: Click Save.
Repeat this process for each IP range you need to add. You can add multiple ranges to a single profile.
Important: Once Login IP Ranges are set on a profile, any user with that profile who logs in from an IP outside those ranges will be denied access immediately. Make sure you include all legitimate access points (offices, VPNs, remote work IPs) before saving.
Method 2: Organization-Level Trusted IP Ranges
This method adds a verification layer for the whole organization.
Step 1: Go to Setup.
Step 2: In the Quick Find box, enter Network Access and select Network Access.
Step 3: Click New.
Step 4: Enter the Start IP Address and End IP Address for the trusted range.
Step 5: Add an optional description and click Save.
Users logging in from these trusted IP addresses will not be asked for an additional identity verification. Users logging in from outside these ranges will be prompted with a verification challenge.
5. Enforce Login IP Ranges on Every Request
By default, Salesforce only checks login IP ranges when a user first logs in. This means a user who logs in from a trusted IP and then switches networks during their session could potentially continue using Salesforce.
To lock this down completely:
Step 1: Go to Setup.
Step 2: In the Quick Find box, enter Session Settings and select Session Settings.
Step 3: Check the box for “Enforce login IP ranges on every request”.
Step 4: Click Save.
With this setting enabled, Salesforce validates the user’s IP address on every single request — not just at login. If a user’s IP changes mid-session to an address outside the allowed range, they are immediately logged out. This is highly recommended for organizations with strict security postures.
6. IPv4 vs IPv6: What You Need to Know
When configuring Login IP Ranges, Salesforce supports both IPv4 and IPv6 addresses. However, there is an important constraint to be aware of:
- All IP addresses within a single range must be either IPv4 or IPv6 — you cannot mix them in one range.
- IPv4 addresses exist within the IPv4-mapped IPv6 address space:
::ffff:0:0to::ffff:ffff:ffff(which corresponds to0.0.0.0to255.255.255.255). - A range cannot span across the IPv4-mapped IPv6 space and other IPv6 address spaces.
If your organization uses both IPv4 and IPv6 addresses (which is increasingly common with modern networks), create separate IP range entries for each protocol.
7. Common Mistakes to Avoid
Even experienced Salesforce admins can make errors when setting up IP restrictions. Watch out for these:
Locking yourself out: If you apply IP restrictions to the System Administrator profile and your current IP isn’t in the allowed range, you’ll lose access. Always test from an included IP or use a backup admin account.
Not accounting for dynamic IPs: Some offices use dynamic IP addresses that change periodically. Work with your IT team to either set up static IPs or use a broad enough range to cover the DHCP pool.
Overlapping ranges causing confusion: Maintain clear descriptions for each IP range entry so future admins understand what each range covers.
Applying restrictions to all profiles simultaneously: Roll out IP restrictions gradually, starting with your most critical or highest-privilege profiles, and verify everything works before expanding to all profiles.
8. Best Practices for IP-Based Login Restrictions
To get the most out of your IP-based login restrictions in Salesforce, follow these proven best practices:
Combine IP restrictions with Login Hours. Salesforce also allows you to restrict login access by time (Login Hours). Combining IP restrictions with time-based restrictions dramatically reduces your attack window.
Document all your IP ranges. Use the Description field and maintain an external record (spreadsheet or IT documentation) of which IP ranges are authorized and why.
Review IP ranges regularly. Business changes — office moves, new vendors, updated VPNs — mean your IP allowlists need periodic review. Schedule a quarterly audit.
Enable “Enforce login IP ranges on every request.” As described above, this prevents session hijacking via IP changes and is a strong security upgrade.
Test before going live. Always test your IP range settings with a non-admin test user account before applying them broadly. Confirm that allowed IPs work and disallowed IPs are blocked as expected.
9. Restrict Login Access by IP Address — FAQs
Q: What happens if a user tries to log in from a blocked IP address? At the Profile level, they receive an error and cannot log in at all. At the Organization level (Trusted IP), they receive a verification challenge and must confirm their identity via email or SMS.
Q: Can I restrict login access for specific users rather than an entire Profile? Login IP Ranges are set at the Profile level, not the individual user level. To restrict a specific user, assign them to a Profile that has the appropriate IP restrictions, or use Permission Sets in combination with your admin strategy.
Q: Does restricting login by IP address affect API integrations? Yes. If your integration user’s Profile has Login IP Ranges defined, API calls from IPs outside those ranges will be rejected. Make sure your integration server/middleware IP addresses are included in the allowed range for integration profiles.
Q: What’s the difference between Login IP Ranges and Trusted IP Ranges? Login IP Ranges (at the Profile level) result in a hard block for users outside the range. Trusted IP Ranges (at the Organization level) result in an identity verification challenge, not a block.
Q: How many IP ranges can I add per profile? Salesforce allows you to add multiple IP ranges per profile. There is no strict documented limit that is user-facing, but keeping your list clean and well-organized is recommended.
Q: Can I use a single IP address (not a range)? Yes. Simply enter the same IP address in both the Start and End address fields.
Q: Does this work with Salesforce mobile app logins? Yes. IP restrictions apply to all login methods, including the Salesforce mobile app, unless the mobile app connects through a trusted IP (e.g., via a corporate VPN).
10. Master Salesforce Security — Take Your Admin Skills to the Next Level
Understanding how to restrict login access by IP address is just one piece of the broader Salesforce Admin security puzzle. A well-rounded Salesforce Administrator needs to master:
- Organization-wide security settings
- Profile and Permission Set management
- Object-level, Field-level, and Record-level security
- Password policies and session management
- Data access controls and sharing rules
- Audit trails and login history monitoring
If you’re serious about building a career in Salesforce administration — or preparing for the Salesforce Administrator Certification exam — you need structured, hands-on training that covers all of these topics and more.
Salesforce Admin Certification Course — mytutorialrack.com
Ready to go from beginner to certified Salesforce Admin? The Salesforce Admin Certification Course at MyTutorialRack is designed to take you step-by-step through everything you need to know — including data security, login access controls, user management, and all the core Admin topics tested in the Salesforce Certified Administrator exam.
What you'll get:
- Comprehensive curriculum aligned with the Salesforce Admin exam guide
- Hands-on exercises and real-world scenarios
- Clear explanations of complex topics like IP restrictions, sharing rules, and OWD
- Study-at-your-own-pace flexibility
- Expert instruction to help you pass the certification on your first attempt
Don’t just learn Salesforce — master it. Your certification is one step closer than you think.
Conclusion
Restricting login access by IP address is a foundational Salesforce security practice that every admin should understand and implement. Whether you’re applying Trusted IP Ranges at the organization level for a soft verification layer, or enforcing strict Profile-Level Login IP Ranges to completely block access from unauthorized networks, Salesforce gives you the tools to protect your org effectively.
To recap the key takeaways:
- Salesforce does not restrict login by location by default — you must configure it.
- Profile-level restrictions result in a hard block; Organization-level restrictions trigger a verification challenge.
- Always use the Enforce login IP ranges on every request session setting for maximum security.
- Combine IP restrictions with Login Hours and Multi-Factor Authentication for a layered security strategy.
- Test your settings thoroughly before rolling them out to all users.
Security is not a one-time setup — it’s an ongoing practice. As a Salesforce Admin, staying on top of access controls is one of the most valuable skills you can develop.
Found this guide helpful? Share it with your Salesforce admin community, and don’t forget to check out the Salesforce Admin Certification Course to take your skills to the next level.
