Salesforce Administration
If your Salesforce users are being frozen repeatedly — even after you manually unfreeze them — the cause is almost always the same: their traffic is routing through an anonymizing proxy or VPN that Salesforce’s security system flags as high-risk. Here’s what’s happening and exactly what to do about it.
If Salesforce keeps freezing users in your org — even after you manually unfreeze them — the cause is almost always the same: traffic routing through an anonymizing proxy or VPN that Salesforce’s security system flags as high-risk.
What’s actually happening
Salesforce runs a real-time threat detection system that monitors login and API activity across all orgs. When it detects traffic originating from an anonymizing network — such as a Tor exit node, an open proxy, or a high-risk shared IP — it takes automatic protective action, regardless of whether the user is behaving legitimately.
This matters because anonymized traffic makes it impossible for Salesforce to reliably verify where a connection is coming from. From a security standpoint, that looks identical to a credential theft or token hijacking attempt — so the system acts defensively.
⚠ Why manual unfreezing doesn’t work
Unfreezing a user without addressing the network issue is a temporary fix at best. The moment the user reconnects through the same flagged VPN or proxy, Salesforce will detect it and freeze them again automatically — sometimes within minutes.
What Salesforce does when it detects this
When suspicious anonymized traffic is detected, Salesforce simultaneously takes three automatic actions:
| 1 | Freezes the user account The user is locked out immediately and sees an “Incorrect credentials” error. No login is possible until an admin manually unfreezes them in Setup. |
| 2 | Revokes all OAuth refresh tokens Every active session is terminated — desktop, mobile, and any connected app integrations. The user is logged out everywhere simultaneously. |
| 3 | Forces a password reset Even after being unfrozen by an admin, the user must reset their password before they can log in again. |
How to restore access immediately
Follow these steps in order. The most common mistake is unfreezing the user first — always fix the connection issue before restoring access.
| 1 | Disconnect from the flagged VPN or proxy first Instruct the affected user to disconnect from whatever VPN or proxy they are currently using before attempting to log in again. |
| 2 | Unfreeze the user account Go to Setup → Users, find the affected user, and click Unfreeze. |
| 3 | Reset the user’s password Click Reset Password in Setup, or have the user go through the Forgot Password flow. This step is mandatory after any freeze event. |
| 4 | Test login from a clean connection Have the user log in from a direct, non-proxied connection — home broadband or office network without VPN — to confirm access is fully restored. |
| 5 | Monitor for 48 hours Check the account the following day to confirm the freeze hasn’t recurred. If it has, another device or integration is still routing through the flagged network. |
Fixing the root cause: what your IT team needs to do
Restoring access addresses the symptom. The permanent fix requires investigating and changing the underlying network setup.
Identify the problematic VPN or proxy
Work with your IT or security team to determine which VPN, proxy, or routing configuration is causing Salesforce traffic to appear as coming from an anonymizing network. Common culprits include:
- Consumer-grade VPN services that use shared or residential IP pools
- Split-tunnel configurations that push some traffic through anonymizing relays
- Corporate proxies that route outbound traffic through third-party anonymization layers
- MDM or network profiles on mobile devices with built-in VPN configurations
Add trusted IP ranges in Salesforce
Once your IT team has identified the legitimate IP addresses your users connect from, add them to Salesforce’s trusted IP allowlist. Users connecting from these IPs bypass the anomaly detection entirely.
💡 How to configure trusted IP ranges
Navigate to Setup → Security → Network Access → New Trusted IP Range and add your approved IP addresses or CIDR ranges. Salesforce will treat logins from these IPs as trusted without triggering the proxy detection system.
Replace the VPN with a compliant solution
If a VPN is essential for your team, replace or reconfigure the current solution with one that uses dedicated, static, non-anonymized IP addresses. Your VPN provider should be able to confirm whether their IPs are classified as open proxies or anonymizing networks.
Requesting a temporary opt-out from Salesforce
If fixing the VPN takes time, you can request a temporary opt-out of Salesforce’s autonomous security response for OAuth token risks. To request one, raise a support case with Salesforce and provide:
- Your org ID and confirmation that you are a system administrator
- Whether you need a temporary or permanent exemption, and the required timeframe
- Acknowledgement that the exemption introduces additional security risk to your org
⏱ Opt-outs are time-limited
Temporary exemptions expire — plan accordingly
Temporary opt-outs expire after the agreed period (typically 30 days). When the exemption expires, Salesforce re-enables automatic freezing. You must resolve the underlying VPN issue within the opt-out window — or contact Salesforce before expiry to request a renewal.
Full resolution checklist
- Disconnected affected users from current VPN or proxy
- Unfrozen all affected accounts in Salesforce Setup
- Reset passwords for all affected users
- Confirmed users can log in from a clean, direct connection
- Reported the issue to IT/security team for VPN investigation
- Identified which VPN or proxy is causing the open proxy classification
- Configured Salesforce Trusted IP Ranges with approved office and VPN IPs
- Replaced or reconfigured the problematic VPN solution
- Applied the network fix to all affected users, not just one
- Resolved the issue before the opt-out exemption expires
Further reading
Salesforce documents this behaviour in their Help portal. Search for autonomous response for OAuth token risks or refer to Help Article ID 005318944 for the official guidance on how this security feature works and how to manage exemptions.
For broader security hardening, also review Salesforce’s documentation on Login IP Ranges, Identity Verification, and Connected App policies — all of which interact with how Salesforce handles suspicious login activity.