Salesforce Spring '26 Release: The Complete Admin Guide

The Salesforce Spring 26 release lands as one of the most consequential updates in recent memory — not because of flashy new UI elements, but because two mandatory security migrations are now closing in with firm retirement dates. Miss them and your integrations break. Alongside those critical changes, Salesforce has shipped meaningful Einstein AI upgrades, a batch of Flow improvements that finally close long-standing gaps, and UX refinements that will reduce admin support tickets.

This guide cuts straight to what matters for the people actually running orgs.

---

What's New: The 30-Second Overview

Spring '26 centers on three themes:

1. Security hardening — legacy cryptography is being retired and Connected Apps are being replaced with a new External Client Apps model.
2. Einstein everywhere — AI Copilot actions, Agentforce enhancements, and generative features land inside core admin workflows, not just Sales Cloud.
3. Flow maturity — subflow error handling, native approval redesign, and orchestration improvements make Flow a more credible replacement for Process Builder and legacy Apex triggers.

The releases also include incremental UX improvements across the Setup experience, Dynamic Forms GA expansions, and several long-requested Lightning App Builder features.

---

🚨 Security Migrations (URGENT — Hard Deadlines)

This section is the most important in this guide. Both changes below have non-negotiable retirement dates. Most release recap posts mention them in passing; we're putting them first because the blast radius of inaction is high.

1. Triple DES Encryption Deprecation

Salesforce is retiring support for Triple DES (3DES/DES-EDE) in all encrypted field operations and in the Salesforce Shield Platform Encryption stack. The targeted retirement date is mid-2026 (Salesforce has signaled Q2 2026) — roughly one quarter after this release ships.

Why it matters: Any integration partner, middleware layer (MuleSoft, Boomi, custom REST clients), or Shield encryption policy that specifies 3DES as a cipher will fail after that date. This is not a deprecation warning — it is a hard cutover.

What to do right now:

1. Open Setup → Platform Encryption → Encryption Policy and check whether any active policy references 3DES or DES. If you see it, switch to AES-256.
2. Pull your Named Credentials and External Credentials list and audit the cipher suites used by each endpoint's SSL/TLS configuration. Work with your integration team to confirm the receiving endpoints support AES-256 or TLS 1.3.
3. Run the Encryption Statistics report under Platform Encryption to see which fields are encrypted today and flag any that were set up more than two years ago — 3DES defaults were common in older Shield deployments.
4. In sandboxes, temporarily disable 3DES support (there's a Critical Update toggle in Spring '26 preview orgs) and run a full integration smoke test before enforcing it in production.

The Salesforce Security team has published an official migration runbook in the Help & Training portal under "Triple DES Retirement." Use it.

2. Connected Apps → External Client Apps Migration

This is the bigger of the two migrations in terms of scope. Salesforce introduced the External Client Apps framework in Summer '25 as the long-term replacement for Connected Apps. In Spring '26, new feature development stops on Connected Apps. The full retirement — where existing Connected Apps stop functioning — is targeted for Winter '27.

You have until Winter '27, but that timeline is shorter than it sounds. Large orgs with dozens of Connected Apps, managed packages that wrap Connected Apps, and ISV solutions that haven't yet migrated will need lead time.

Key differences to understand:

Concrete migration step for a simple Connected App:

# Using Salesforce CLI
sf org list metadata --metadata-type ConnectedApp --target-org myorg

This returns all Connected Apps in your org. For a scripted inventory, add --json to parse output programmatically:

# Get full Connected App inventory as JSON
sf org list metadata --metadata-type ConnectedApp --target-org myorg --json

# Retrieve the metadata source for all Connected Apps (for backup before migration)
sf project retrieve start --metadata "ConnectedApp" --target-org myorg

# After migration: deploy the new External Client App metadata
sf project deploy start --metadata "ExternalClientApplication" --target-org myorg

The ExternalClientApplication metadata type is the deployment-ready representation of an External Client App.

For each Connected App, Salesforce has released a Migration Assistant under Setup → App Manager → External Client Apps → Migration Assistant. Run it against a non-critical Connected App in a full sandbox first. The assistant will:

• Create the corresponding External Client App record
• Port OAuth scopes to the new Scope objects
• Flag any configurations it cannot auto-migrate (custom claims, canvas settings) for manual review

Do not wait for Winter '27 to start. Audit your Connected Apps inventory now and categorize by owner (your team, a managed package, an ISV). Package-owned Connected Apps require the ISV to ship an update — give them time.

⚠️ Known Gotchas

Canvas Apps break silently: Connected Apps that use Salesforce Canvas are not supported by the Migration Assistant. Canvas apps must be manually re-created or re-architected — the assistant will flag them, but it won't tell you what the replacement pattern should be. If you have Canvas apps in production, start a separate workstream now.

OAuth token invalidation on migration: Migrating a Connected App to External Client Apps creates a new OAuth client with a new consumer key. Any existing OAuth tokens issued under the old Connected App are invalidated the moment the old app is retired. For integrations with long-lived tokens (service accounts, batch processes, BI tools), coordinate a token refresh with the integration owner before cutover — a surprise token expiry at 2am is avoidable.

---

Einstein AI & Agentforce Features in Spring '26

Agentforce Agent Actions in Setup

Admin-created Agent Actions now support Apex-backed actions directly from the Setup UI without requiring a developer to wire them manually. You define the action's input/output schema in a point-and-click builder, select an Apex class that implements AgentAction, and the framework handles the binding. Note that the implementing class must be global scope and annotated with @AuraEnabled.

Practical use case: Build a "Lookup Account Health Score" action that calls a custom Apex method querying your proprietary scoring model. Expose it to an Agentforce Sales Agent so reps can ask "What's the health score for Acme?" mid-conversation without leaving the CRM. See our Agentforce 2DX explainer for a deeper look at agent architecture.

Prerequisites: Agentforce license (Agent Builder seats), API-enabled Apex class, and a connected Einstein Trust Layer policy.

Einstein Copilot Audit Trail

One of the most admin-relevant additions: a native Copilot Interaction Log object is now available in the org. Every prompt submitted to Einstein Copilot, the action taken, and the data objects accessed are written to a standard platform object in your org (no __c suffix — this is a platform-managed object, not a custom object). You can build reports on it, attach it to a Dashboard, and route anomalous queries to a security review queue via Flow.

Verify in your org: The exact API name for this object was not confirmed in final Spring '26 release notes at time of writing. Once your org is on Spring '26, search Object Manager for "Copilot" or query EntityDefinition with SELECT QualifiedApiName FROM EntityDefinition WHERE QualifiedApiName LIKE '%Copilot%' to find the exact name.

Prompt Builder: Grounding with Flow-Retrieved Data

Prompt Builder gains the ability to ground prompts with data retrieved by a before-save Record-Triggered Flow rather than only inline SOQL merge fields. This matters because complex grounding scenarios — like pulling the last three case notes, or the most recent opportunity line items — previously required a developer to write a custom Prompt Template invocable action. Admins can now build that data-assembly logic in Flow and pass the assembled string to the prompt template as a merge field.

---

Flow & Automation Improvements

Subflow Fault Handling

Until now, if a subflow threw a fault, the parent flow received a generic fault path with no detail about which subflow failed or why. Spring '26 adds a Fault Output Variable on the Subflow element that captures the fault message, fault type, and subflow name. You can now build targeted error-handling branches that behave differently depending on which subflow failed.

Implementation: In your parent flow, open the Subflow element, scroll to "Advanced," and enable "Store Fault in Variable." Map the output to a new Text variable. Add a Decision element after the subflow that checks the fault variable before routing to a generic fault path. For more on building robust flows with AI triggers, see how to use ChatGPT with Salesforce Flow.

Native Approval Process Redesign (Beta)

The 20-year-old Approval Process UI is finally being replaced. The new Approval Builder (Beta in Spring '26) uses a canvas interface similar to Flow Builder. Existing approval processes are not automatically migrated — Salesforce has confirmed a migration tool is coming in Summer '26. For net-new approvals, use Approval Builder.

Flow Orchestration: Parallel Stage Improvements

Flow Orchestration's parallel stage execution now supports conditional stage activation — a stage can be configured to only activate if a prior stage's output meets a condition. Previously, all parallel stages started simultaneously regardless of upstream outputs. This enables more realistic multi-team approval and review workflows where Stage B only kicks off if Stage A's assignee marked a specific checkbox.

---

UX Improvements

Dynamic Forms: GA for All Standard Objects

Dynamic Forms — which allow per-field visibility rules on record pages without a custom Lightning component — are now Generally Available for all standard objects, including Case, Lead, and Opportunity. Previously, GA coverage excluded several high-volume objects. Admins who held off on Dynamic Forms adoption because of object limitations can now move forward.

Quick win: Use Dynamic Forms visibility rules to hide the "Annual Revenue" field from the Lead page layout for SDR profiles (who don't need it) and surface it only for AE profiles. No Apex, no custom LWC — just setup. If you're looking for more ways to surface the right data at the right time, our guide to better Salesforce reports with AI covers complementary techniques.

Setup Search Overhaul

Setup's global search now returns results ranked by your most recently visited Setup pages, surfaces related items (e.g., searching "profile" now also returns Permission Sets and Permission Set Groups), and supports fuzzy matching. Small change, meaningful time savings across a day of admin work.

Lightning App Builder: Component Visibility on Related Lists

You can now apply visibility rules to Related List components on Lightning record pages, not just field-level components. Hide the "Cases" related list from Account pages for users who lack the Read Cases permission set, rather than managing separate page layout assignments.

---

Spring '26 Admin Action Checklist: What To Do This Week

Treat this as your post-release sprint backlog.

Security (Do this first):

• Audit Platform Encryption policies for 3DES references → migrate to AES-256 before June 1
• Pull Connected Apps inventory (sf org list metadata --metadata-type ConnectedApp) and categorize by owner
• Retrieve and back up all Connected App metadata before running the Migration Assistant: sf project retrieve start --metadata "ConnectedApp" --target-org myorg
• Run Migration Assistant on one non-critical Connected App in sandbox this sprint
• Check for Canvas-based Connected Apps — these cannot be auto-migrated and need a separate plan
• Contact ISVs with Connected App-based integrations and confirm their Winter '27 readiness

Einstein / AI Governance:

• Enable the Copilot Interaction Log and build a "Copilot Usage by User" report
• Review Einstein Trust Layer policy to confirm no customer data is leaving your org boundary
• Identify one manual admin lookup task to prototype as an Agent Action in Agentforce
• Enable Prompt Builder for at least one record type and test grounding with a Flow-retrieved data field

Flow & Automation:

• Identify any parent flows with subflows that currently have empty fault paths — add Fault Output Variable handling
• For any net-new approval workflows in the roadmap, use Approval Builder (Beta) and document feedback for Salesforce

UX:

• Migrate remaining standard object page layouts to Dynamic Forms — start with Case and Lead
• Add field-level visibility rules to surface the right fields to the right profiles without layout duplication

---

The Bottom Line

Spring '26 is not a release you can skim and set aside. The Triple DES and Connected Apps migrations have real retirement dates and real downtime consequences if ignored. Get those in your sprint planning now.

On the opportunity side, the Copilot Audit Trail and Agentforce Agent Actions improvements give admins concrete tools to govern and extend AI inside their orgs — without waiting for a developer. If you've been watching Agentforce from the sidelines, Spring '26 gives you enough admin-accessible tooling to run a meaningful pilot.

Start with the security checklist. Then build something with Agentforce.

---

Ready to go deeper? Check out our Agentforce 2DX explainer and the best AI tools for Salesforce admins in 2025 — or drop your questions in the CRM×AI community.

Frequently Asked Questions

When is Salesforce retiring Triple DES encryption? Salesforce has targeted Triple DES (3DES) retirement for Q2 2026 — approximately one quarter after Spring '26 ships. After that date, any integration, Shield encryption policy, or middleware layer (MuleSoft, Boomi, custom REST clients) that specifies 3DES as a cipher will stop working. The migration runbook is in Salesforce's Help & Training portal under "Triple DES Retirement."

When do Salesforce Connected Apps stop working entirely? Full Connected Apps retirement is targeted for Winter '27. New feature development stopped in Spring '26. That timeline sounds comfortable, but large orgs with dozens of Connected Apps — especially those with managed package dependencies and ISV-owned apps — need significant lead time. Start your inventory audit now and don't wait for Winter '27 to act.

Can Canvas-based Connected Apps be auto-migrated to External Client Apps in Spring '26? No. The Spring '26 Migration Assistant does not support Canvas-based Connected Apps. They must be manually re-created or re-architected, and Salesforce will flag them during the migration process without providing a replacement pattern. If you have Canvas apps in production, treat them as a separate workstream requiring dedicated planning.

What is the Einstein Copilot Audit Trail added in Spring '26? Spring '26 adds a native Copilot interaction log — a standard platform object (no __c suffix) that records every prompt submitted to Einstein Copilot, the action the AI took, and which data objects were accessed. Admins can build Salesforce reports and dashboards on this data, and route unusual queries to a security review queue via Flow. This closes a major governance gap that previously made Copilot usage completely opaque. Verify the exact object API name in your org's Object Manager once on Spring '26.