Connecting Act-On with Salesforce when you have MFA enabled

  • Updated

To combat security threats, Salesforce now requires accounts to set up Multi-Factor Authentication (MFA). Previously called two-factor authentication (2FA), MFA is a more secure form of authenticating users. To establish a working connection between Act-On and your Salesforce CRM API, you may need to create an integration-only user login with the appropriate permissions.

What does this mean for your Act-On and Salesforce CRM Connector?

If you are enabling Multi-factor authentication for your Salesforce account, you must connect to Act-On with a user that does not have the setting Multi-Factor Authentication for API Logins enabled. If you are not enabling this setting for your account then you likely do not need to take further action.

However, if your organization needs to turn on Multi-Factor Authentication for API Logins for all users, this will cause problems connecting to Act-On. To re-connect, you should create an integration-only user if you have not already done this. The user should also be assigned to a permission set that contains the minimum required permissions to connect with Act-On. This user can also be classified as an API Only user in Salesforce to meet your security policies.

For full instructions, continue reading.


Salesforce Administrators can follow these steps to ensure your connection between Act-On and Salesforce CRM continues to work after you enable MFA for your account.

Create an Integration User and Permission Set in Salesforce

First, create an integration-only user permission set in your Salesforce account, or identify an existing integration-only user to connect Salesforce to Act-On.

Next, create and apply a new custom permission set:

  1. In Salesforce, go to Setup > Users > Permission Sets.
  2. Click New to add a permission set.
  3. Add a Label (or name) for the permissions, such as "Act-On Integration User".
    • API Name will automatically populate
  4. For License, you can choose None or Salesforce.
  5. Click Save.
  6. In the new permission set, review and update the permissions for the following as described in our minimum permissions below:
    • Object Settings
    • System Permissions
      • Do not enable Multi-Factor Authentication for API Logins
  7. Once you are done, click Manage Assignments.
  8. Click Add Assignments.
  9. Check the box for your Act-On integration user, then click Assign.

Minimum permissions for the Salesforce user Connecting to Act-On

Required license: Salesforce

Object Settings

  • Accounts: Read/View All
    • Field Permissions as needed for revenue reporting and CRM segmentation. Recommendations:
      • Active (Read)
      • Annual Revenue (Read)
      • Industry (Read)
  • Campaigns: Read/Create/Edit/View All
    • Field Permissions as needed. Recommendations:
      • Contacts in Campaign
      • Converted Leads in Campaign
      • Leads in Campaign
      • Opportunities in Campaign
  • Contacts: Read/Create/Edit/View All/Modify All
    • Field Permissions as needed. Read/Edit access based on data policy. Recommendations:
      • Email (Edit)
      • Email Opt Out (Edit)
      • Hard Bounce (Edit)
      • Lead Score (Edit)
      • Lead Source (Edit)
      • Owner ID (read)
      • RecordID (read)
  • Leads: Read/Create/Edit/View All/Modify All
    • Field Permissions as needed. Read/Edit access based on data policy. Recommendations:
      • Email (Edit)
      • Email Opt Out (Edit)
      • Hard Bounce (Edit)
      • Lead Score (Edit)
      • Lead Source (Edit)
      • Lead Status (Edit)
      • Owner ID (read)
      • RecordID (read)
  • Opportunities: Read/View All
    • Field Permissions as needed for reporting and CRM segmentation. Recommendations:
      • Amount (read)
      • Lead Source (read)
  • Tasks
    • Field Permissions - Edit access:
      • Comments
      • Due Date
      • Name
      • Type

System Permissions

  • API Enabled
  • Edit Tasks
  • Export Reports
  • Run Reports
  • View Reports in Public Folders
  • Multi-Factor Authentication for API Logins must be disabled for this user

Additional Permissions

  • Oauth for the Act-On Lightning Support App is required for the System Administrator and any Act-On users. Find these instructions in our Salesforce Package Installation Guide.
  • Enable Read access on any custom objects that you would like Act-On to have access to.
    • Act-On can integrate with custom objects that are related to Leads and Contacts. Please contact your Customer Success Manager for more information.
  • Edit Record Type Settings to select only the record types you want Act-On to have access to. This is configured at the object level (eg Leads, Contacts, Accounts).
  • Drill down on objects in field-level security settings and block unneeded fields that are not required for marketing purposes.
More about Data Fields in Act-On
  • Pay attention to your organization's data policy for the use and transfer of data such as non-public personal information and data protected by regulation (eg HIPAA).
  • Be mindful that synchronizing too many fields may negatively impact performance. Generally, fewer than 100 fields are necessary to sync between Salesforce and Act-On across all objects.


Next Steps: Connect Your New Integration-Only User to Act-On

Next, you can connect to Act-On using our regular instructions. You will need to create a security token for the integration user.

Was this article helpful?

Have more questions? Submit a request