Yes — Salesforce gives you two different IP-based controls, and interviewers expect you to know the difference: Login IP Ranges (on a profile) and Trusted IP Ranges (org-wide). The first is a hard block — outside the range, you can’t log in at all. The second is a trusted zone — inside the range you skip identity-verification prompts; outside it you still log in, but Salesforce will ask for an activation code or MFA.
Login IP Ranges — the hard block
Set on each profile in Setup → Profiles → [profile] → Login IP Ranges.
- Define one or more Start IP/End IP ranges.
- A user on that profile attempting to log in from any other IP is blocked outright — login fails, regardless of password or MFA.
- Empty ranges = no restriction (login allowed from anywhere).
- Affects UI logins, API logins, and refresh-token reissue.
This is what you use when policy says “this group of users can only log in from the corporate VPN, period.”
Trusted IP Ranges — the no-MFA zone
Set org-wide in Setup → Network Access.
- Define Start IP/End IP ranges considered “trusted.”
- Logins from inside the range bypass identity-verification challenges (the email/SMS activation code prompt).
- Logins from outside the range still succeed, but Salesforce challenges the user with identity verification or MFA.
This is what you use when policy says “we want strong identity verification for off-network logins, but inside the office we don’t want to prompt.”
Side-by-side
| | Login IP Ranges (profile) | Trusted IP Ranges (org) |
|---|---|---|
| Where set | Profile | Setup → Network Access |
| Effect outside range | Block login | Prompt for identity verification |
| Effect inside range | Allow login | Skip verification, allow login |
| Scope | Per profile | Whole org |
| API logins affected? | Yes | No (API uses security tokens / IP allow-listing differently) |
| Use case | Hard lock to corporate network | Reduce login friction inside the office |
Practical scenario
“Finance users should only be able to log in from the office network. Everyone else should be challenged with MFA off-network but otherwise allowed in.”
- On the Finance Users profile, set Login IP Ranges to the office IP range. Off-network logins for finance users are now hard-blocked.
- In Setup → Network Access, add the office IP range to Trusted IP Ranges. All other users (sales, support, etc.) skip identity verification inside the office and are prompted off-network.
Both controls coexist — Login IP Ranges always wins because it blocks at the profile layer first.
Gotchas
- Locking yourself out. Setting Login IP Ranges on the System Administrator profile and then logging in from a different IP locks you out. Always leave one admin user on a profile without IP restrictions, or use very generous ranges for admins.
- IPv6. Both controls support IPv4 and IPv6 ranges. Make sure you cover both if your network supports it.
- VPN exits and dynamic IPs. Cloud VPNs and home ISPs often have rotating IPs. Hard-coding a /32 doesn’t work; you need the full provider range, which Salesforce may or may not let you express in a single rule.
- API integration users. Use security tokens or High Assurance session policies if you can’t pin them to a fixed IP range. Bypassing IP restrictions for an integration is what security tokens were designed for.
Common interview follow-ups
- Permission sets? No — IP ranges are profile-only.
- What about the Connected App level? Connected apps have their own IP restrictions — that’s a third, app-specific layer on top of profile and org-level controls.
- Does this affect Single Sign-On? Yes, if the user lands at the Salesforce login endpoint to complete SSO from a blocked IP, they’re blocked. SSO doesn’t bypass profile IP ranges.
Verified against: Salesforce Help — Restrict Login IP Ranges and Set Trusted IP Ranges. Last reviewed 2026-05-17.