Security notifications - Salesforce can block user access
What's happening?
Salesforce uses OAuth tokens to allow secure access for users, integrations, and connected applications. As part of ongoing security enhancements, Salesforce can automatically revoke OAuth tokens. This happens if it detects signs that a token may be at risk.
This commonly happens when you use the same OAuth token from:
- Different or rapidly changing network locations
- VPNs, proxies, or anonymizing services
- Environments that Salesforce considers unfamiliar or untrusted
This is an automated security measure that Salesforce designed to protect your organization’s data.
Will this affect you?
This means the following for customers:
- Existing sessions are ended: Salesforce revokes the affected OAuth tokens, which immediately logs the user or integration out
- No data is affected: The system doesn't lose or change any data, and the user account itself remains active
- Re-authentication is required: You can usually restore access by signing in again or reauthorizing the affected integration. This lets the system issue new OAuth tokens
Recommended action
Usually, you can resolve this quickly by:
- Signing back in so Salesforce can issue a new OAuth token
- Reauthorizing any affected connected apps or integrations
- Avoiding VPNs or proxies where possible, or using a stable, trusted network
- Ensuring integrations are using supported authentication approaches
Once reauthorized from a trusted network, access typically resumes without further issue. For further information, see the Salesforce article Preventing connections from anonymizing VPNs.
FAQs
Are there any preventative actions to minimize recurrence?
From a Salesforce and Sage People perspective, the most effective preventative steps focus on stabilizing authentication patterns and reducing OAuth token risk. This is better than reacting after Salesforce revokes tokens. We recommend:
- Where possible, avoid using consumer or privacy VPNs when accessing Salesforce or Sage People. This is especially important for users who sign in frequently or use connected apps
- Use a stable, predictable network egress. For example, corporate VPNs with consistent outbound IP ranges rather than split-tunnel or dynamically assigned consumer VPNs
- Re-authenticate affected users or integrations from a trusted network. This ensures the system issues fresh OAuth tokens under normal conditions
- Review connected apps and integrations:
  - Ensure you only activate apps you actively use
  - Remove legacy integrations or ones you don't use
  - Use separate, dedicated integration users rather than shared credentials
- Ensure you enforce MFA and standard Salesforce authentication policies correctly. These reduce the likelihood of repeated token challenges
Sage People doesn't have any specific requirements for configuration here. Salesforce's identity and OAuth security layer drives the behavior.
Is this the behavior you expect with VPN usage?
Yes, this is the behavior we expect in certain scenarios.
Salesforce doesn't block VPN usage outright, but it can revoke tokens when:
- Multiple or rapidly changing IP addresses reuse the same OAuth token
- Network characteristics align with patterns Salesforce considers higher risk
This most commonly affects API and integration users, but it can also affect end users when:
- They switch networks frequently
- They use VPNs with changing exit IPs
- They access Salesforce from multiple locations or devices in short timeframes
These aren't errors or defects. They're automated security protections Salesforce designed to prevent token misuse.
What does this mean for organizations with widespread VPN use?
Salesforce and Sage People commonly support VPN usage. You generally won't see widespread disruption when you have good practices in place.
To minimize impact at scale:
- Favor corporate-managed VPNs with consistent routing over consumer or privacy VPN tools
- Avoid frequent connect and disconnect patterns where possible
- Educate users that occasional re-authentication can occur when using VPNs
- For integrations, consider IP-restricted or tightly scoped connected app configurations
By following these controls, you can expect to see only isolated, infrequent occurrences rather than repeated, systemic issues.
How can I avoid manual unfreezing and repeated re-authentication?
The sustainable mitigation strategy isn't repeated intervention; it's:
- Reducing IP variability
- Standardizing authentication patterns
- Regularly reviewing OAuth access and connected apps
If token revocation occurs repeatedly for the same user or group, it's usually an indication of an underlying network or authentication pattern that you can adjust.
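As an added example (not Sage People or Salesforce code), the following Python script scans a constructed, simplified access log for the pattern described above: the same user or integration appearing from several source IPs inside a short window. The log format, the field layout and the thresholds are assumptions, not the Salesforce LoginHistory schema, so adapt the parser to whatever export you actually have.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<UTC timestamp> <user> <source IP>" per line.
# The integration user hops between three IPs in two minutes (the pattern
# that leads to token revocation); alice and bob look stable.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z integration@example.com 203.0.113.10
2024-05-01T09:00:30Z integration@example.com 198.51.100.7
2024-05-01T09:01:10Z integration@example.com 192.0.2.44
2024-05-01T09:02:00Z integration@example.com 203.0.113.10
2024-05-01T09:00:00Z alice@example.com 203.0.113.20
2024-05-01T11:30:00Z alice@example.com 203.0.113.20
2024-05-01T12:00:00Z bob@example.com 203.0.113.30
2024-05-01T17:00:00Z bob@example.com 198.51.100.9
"""

def parse_log(text):
    """Group (timestamp, ip) records per user, sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip = line.split()
        events[user].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip))
    for recs in events.values():
        recs.sort()
    return events

def ip_churn(events, window=timedelta(minutes=10), max_ips=2):
    """Return {user: peak distinct source IPs} for users whose IP count
    inside any `window`-long span exceeds `max_ips` (assumed thresholds)."""
    flagged = {}
    for user, recs in events.items():
        peak = 0
        for i, (start, _) in enumerate(recs):
            # Distinct IPs seen from this record until the window closes.
            ips = {ip for t, ip in recs[i:] if t - start <= window}
            peak = max(peak, len(ips))
        if peak > max_ips:
            flagged[user] = peak
    return flagged

if __name__ == "__main__":
    for user, n in ip_churn(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {n} source IPs within 10 minutes; stabilize egress")
```

Run it against a real export before Salesforce revokes anything: a user or integration that the script flags is the one whose network path needs fixing.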
Is there any exemption from this process?
It's possible to add an exemption to your org to prevent these freezes from happening. We recommend exploring all other options first, as those don't remove this additional layer of security. If you do want to add one, raise a case with the Sage People support team.
Summary
- This behavior is a normal Salesforce security mechanism, not a Sage People issue
- It can affect both API users and end users, though integrations remain the most common scenario
- VPN usage alone doesn't guarantee impact, but dynamic or high-risk routing increases the likelihood
- Most customers avoid disruption by following the preventative steps we've given