J Bengel

Data Loader (client app) "This session not valid for use with API" since implementing MFA

I've been using the Dataloader desktop app since we got on Salesforce with no problems and to exceptionally good effect. Everything was fine until we brought up MFA. (We opted for MS Authenticator since we use Azure SSO.)

Now? Not so much. MFA has been problematic for us since we adopted it, but so far we've always been able to eventually beat it into submission (SFDX doesn't like it much either).

This is going to bring a bunch of stuff to a grinding halt if we don't find a solution for it, so any wisdom on the topic would be greatly appreciated.
Vinay (Salesforce Developers)
Error seems like you don't have permission to access org using API. Can you provide "Use any API client" access on profile or permission set? That should fix the error.

Please mark as Best Answer if above information was helpful.

J Bengel
I can't find a permission in any of the settings called "Use any API client", but we did find a couple of System permissions that seemed to make a difference:
  • Manage Multi-Factor Authentication in API
  • Manage Multi-Factor Authentication in User Interface
We put those in a permission set and assigned it to the Data Loader users. But I'm not entirely convinced that's what made the difference. Here's why:

First: if I hadn't had permission to access the org via the API, I couldn't have used Data Loader at all, and I've been using it like a third hand for well over a year, so that wasn't it. (I did a whole legacy conversion with that app, and was using it all day every day for months on end.)

Second: the problem, it seems, was not with MFA itself, but the fact that we were using it in conjunction with Azure SSO. We use Azure as our SSO Federation, and Microsoft Authenticator as our MFA client, and we authenticate using the app to Azure. So as long as we're logged into Azure, the Authenticator app never gets pinged and all of the SSO-enabled orgs are happy.

With the benefit of hindsight, the first thing I did wrong was try to log in using Password Authentication in Data Loader. That worked fine even after we set up SSO -- but not once we added MFA on top of it. Using the OAuth setting in Dataloader, and the custom domain for the org, I could log in using the same login dialog I would use to log into the UI. It takes a little getting used to, and it may not always work on the first try (sometimes you get the fabled "Problem verifying your Identity" message). If that happens, the best course to take is to shut Data Loader down, and start over. It may help if you're already logged into the org in the UI, but it seems like as long as I'm authenticated into Azure, things work like they're supposed to.

So if anybody else is having this problem, I would recommend trying the OAuth option first before you add any permissions. If that doesn't get it done, then create and assign the permission set, and try again.