Skip to main content

Salesforce Security Change: Step Up Authentication for Report Actions

Important updates about the Salesforce security change for Reporting

Salesforce is preparing to enable Step Up Authentication for Report Actions. When initially released to sandboxes, this change broke most of the ways reports and dashboards are used. Salesforce has fixed all known issues and plans to begin enforcing this in production starting July 1st, 2026.

Known Issues

  1. IP Restrictions: IP restrictions on a user's profile can prevent Heroku from accessing the reporting API.

    1. Suggested fix: Relax IP Restrictions

  2. Lock Sessions to the originating IP: Since our app may call the reporting API from Apex or Heroku, we currently require this setting to be disabled.

  3. User does not have access to User External Credentials. To make a secure callout, users need permission to access our credentials, and we can't add this to our permission sets.

Reporting API Limitations

The following issues are all related to switching from the previous export endpoints to the reporting API. Once step-up authentication is enabled for report actions in your org, we have to use the reporting API.

  1. Long text area fields are being truncated to 255 characters in CSV and XLS formats.

  2. Reports grouped by date and sent as details only (CSV or XLS) will not be sorted by date. The workaround is to remove the grouping and sort by date if you're sending the report in any format besides XLSX Formatted.

  3. Currency fields are exported in English locale instead of the user's locale.

  4. Reports with over 100 columns fail.

  5. Checkboxes always show true/false as values. Previously, for CSV and XLS formats, checkboxes showed 0/1.

  6. Details only XLSX may have a header, report filters, and total rows. This one we are already handling for most XLSX Details reports, but some reports come in a different format, and the extra information isn't being stripped.

Workaround

If Salesforce has not enforced step-up authentication in your org, you can log a case with Salesforce to request an extension while we work on custom code to fix these shortcomings. You would also need to disable this setting if you enabled it in advance. See the "How to Test" section below to see how it would've been enabled.

Updates

  • June 30th, 2026: In preparation for step-up authentication to be enforced sometime in July, all orgs have been updated to use only the reporting API for file generation. There may be minor differences in the files from the export URLs. If any of them cause issues, please contact our support team.

  • June 26th, 2026: Version 3.33 has been released to all orgs. This includes a few fixes we found in sandboxes. Production orgs will have step-up authentication changes enabled from June 26th to July 1st through a rolling enablement period.

  • June 19th, 2026: Version 3.31 is available for testing in sandboxes. Production release scheduled for June 26th.

  • June 16th, 2026: New version of Report Sender that works with Step Up Authentication is in final testing and will be rolling out to sandboxes this week. If your sandbox receives step-up authentication enforcement before the upgrade, Report Sender will not work. If this affects your testing, please let us know.

  • June 15th, 2026: Several known issues with Salesforce functionality have been marked as fixed. We are testing a new version of Report Sender that works with the step-up settings.

  • June 2nd, 2026: Thanks to everyone reporting issues with this, Salesforce has delayed enforcement.

    • Previous enforcement dates:

      • Sandboxes: Starting June 3, 2026

      • Production: Starting June 10, 2026

    • New enforcement dates:

      • Sandboxes: Starting June 17, 2026

      • Production: Starting July 1, 2026

How to Test

If you want to see how this change affects your organization, here's how to test.

  1. Go to Setup, Identity Verification

  2. Under Session Security Level Policies, change Reports and Dashboards to “Require periodic step-up authentication.”

  3. At the bottom, you can set the period (default is 120 minutes)

  4. It will only let you enter between 1 and 120

  5. Save your changes

Make sure MFA is set as a high assurance setting

  1. Go to Setup, Session Settings

Make sure your preferred MFA method is in the right column

Did this answer your question?