Salesforce currently requires an MFA indicator to trust devices for SSO. For Entra ID integrations, this is handled differently depending on whether SAML or OpenID Connect is used.
From the available information:
- For SAML-based SSO, Salesforce will rely on the authnmethodreferences claim in the SAML token issued by Entra ID. When this claim contains multipleauthn, Salesforce treats the device as trusted, provided that a Conditional Access policy has enforced MFA. This is explicitly supported and documented.
- For OpenID Connect with Salesforce, Entra ID must be used via the v1 endpoint so that Salesforce can receive the AMR claim in the token. The v1 endpoint can provide the AMR claim; v2 endpoint support for this scenario is not yet available. If the app is configured against the v2 endpoint, the AMR claim will not be present, which matches the behavior described.
So if the Salesforce enterprise app is configured for OIDC against the Entra ID v2.0 endpoint and AMR is missing:
- Reconfigure the Salesforce OIDC integration to use the Entra ID v1 endpoint, not v2.0.
- Ensure that Conditional Access is enforcing MFA for the Salesforce app so that the AMR claim (or authnmethodreferences in SAML scenarios) reflects multi-factor authentication.
Until v2 endpoint support is available for this AMR behavior, using the v1 endpoint is required for Salesforce OIDC to receive the MFA indicator.
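Before reconfiguring, it helps to confirm what Salesforce is actually receiving. The following added example (not from the original answer or from Microsoft or Salesforce) decodes an Entra ID id_token and reports whether the amr claim carries "mfa", distinguishing a v2.0 token with no amr at all from a v1 token issued without MFA, and does the equivalent check on a SAML assertion. It assumes the full claim URIs http://schemas.microsoft.com/claims/authnmethodsreferences and http://schemas.microsoft.com/claims/multipleauthn behind the short names used above, and the tokens it parses are constructed, unsigned samples.

```python
import base64
import json
import xml.etree.ElementTree as ET

# Well-known Entra ID claim URIs behind the names used in the answer (assumption).
SAML_AMR_CLAIM = "http://schemas.microsoft.com/claims/authnmethodsreferences"
SAML_MFA_VALUE = "http://schemas.microsoft.com/claims/multipleauthn"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def _b64url(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def check_oidc_token(id_token: str) -> dict:
    """Inspect the id_token claims Salesforce sees (no signature check here)."""
    claims = json.loads(_b64url(id_token.split(".")[1]))
    ver, amr = claims.get("ver", "unknown"), claims.get("amr", [])
    if "mfa" in amr:
        diagnosis = "ok: amr carries mfa, Salesforce can trust the device"
    elif "amr" not in claims and ver == "2.0":
        diagnosis = "amr missing on a v2.0 token: reconfigure the app to the v1 endpoint"
    else:
        diagnosis = "amr lacks mfa: check that Conditional Access enforces MFA for the app"
    return {"ver": ver, "amr": amr, "mfa": "mfa" in amr, "diagnosis": diagnosis}

def check_saml_assertion(xml_text: str) -> bool:
    """True when the assertion carries authnmethodsreferences = multipleauthn."""
    root = ET.fromstring(xml_text)
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == SAML_AMR_CLAIM:
            values = [v.text for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
            if SAML_MFA_VALUE in values:
                return True
    return False

def _make_token(payload: dict) -> str:
    # Constructed, unsigned demo token: header.payload. with an empty signature.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(payload) + "."

# Constructed samples: a v1 token issued after MFA, a v2.0 token without amr, a SAML assertion.
V1_TOKEN = _make_token({"ver": "1.0", "amr": ["pwd", "mfa"], "upn": "user@example.com"})
V2_TOKEN = _make_token({"ver": "2.0", "preferred_username": "user@example.com"})
SAML_SAMPLE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AttributeStatement>'
    f'<saml:Attribute Name="{SAML_AMR_CLAIM}"><saml:AttributeValue>{SAML_MFA_VALUE}'
    '</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>'
)
```

Paste a real id_token captured from the Salesforce login flow into check_oidc_token to see which of the two remediation steps applies; the function only decodes claims, so validate signatures separately before trusting any token in production code.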