A Salesforce Health Check, also known as an “org health check,” can mean different things based on who you talk to. An Admin might focus on regular maintenance tasks, like removing unused fields from a frequently used custom object. A governance or compliance team would likely look at security issues, such as ensuring that IP ranges are restricted for all users. An executive might care more about the overall costs and how licenses are being used in the organization.
For this article, I will take a combined approach to the points mentioned above. The aim is to create a clear picture of the organization's current standing, its usage, and its security. By answering these questions, we can find areas to focus on for improving overall health.
This article is not a complete guide to improving and cleaning up a Salesforce organization. That topic is very complicated and cannot be fully covered in just one post.
Let’s get started.
Why Is a Health Check Important?
As a Salesforce Administrator, developer, and consultant with over ten years of experience, I understand the challenges of maintaining a critical system's smooth operation. Every day, essential tasks are processed, users request changes (if you manage the system), and new projects start, especially if you work as a project manager. Meanwhile, you may also lead a team, attend important meetings, and update your boss about what’s happening.
When was the last time (if ever) you stopped to ask, “How is the org doing overall?”
It’s a straightforward question, but it often gets overlooked amid all the details. From my experience, taking a moment to ask some basic questions can reveal potential weaknesses in your system and its ability to grow. It could be as simple as having an unused Custom Object or as vital as not having multi-factor authentication (MFA) enabled (more on that later).
Let's take a moment to ask an important question: “How is the organization doing overall?”
No matter what your role is, it's crucial to perform this Salesforce Health Check at least once a year. You might be:
- An Admin who has managed the same organization for many years.
- A project manager trying to understand your company’s Salesforce system.
- A consultant visiting a new organization for the first time.
Documenting Your Health Check
Before we begin our Health Check, I would like to discuss documentation. Good documentation can help explain why your organization was built a certain way and how it is used, including who requested it. It may sound difficult, but it's pretty simple. Documentation is crucial for maintaining a clean and healthy organization. Unfortunately, many Salesforce organizations lack proper documentation.
If you don’t already have organization documentation, start a Google Doc or MS Word document now. It’s essential to store the results of this Health Check in a location that's easily accessible and shareable. While we go through the Health Check, please note your findings.
Conducting the Health Check
It is essential to follow a straightforward process when conducting your Salesforce Health Check, which I have divided into four steps.
Step 1: Check the Salesforce Contract and Product Usage
Salesforce Contract
If you are a consultant new to an organization or an experienced member of a well-established team, start your health check by reviewing the organization's contract with Salesforce.
When does the contract renew, and what has been purchased from Salesforce? If you have been managing an organization for some time, you may already be familiar with this information. However, I have often been surprised by what I discovered. The goal of this first check is to clarify these details.
- Discover where we stand in the buying cycle.
- Ask what products we have.
- Analyze whether those products are being used.
If you are using Lightning Experience, go to the top right corner and click on the gear icon. Find and click on “Your Account,” then click on “View Your Contracts.” It will display the list of products your organization has purchased from Salesforce.
If you are using Classic (Aloha interface), go to the top right corner and click on the “App Name” dropdown, which is the last button on the right. Then click “Checkout” and select “Purchased Products.”
Here, add two notes to your documentation:
- The renewal date.
- A list of the products purchased (and their quantities and costs).
Is your renewal date approaching soon? Will you discuss renewals, the number of licenses, and the effectiveness of the purchased products with management and the Salesforce team? If so, consider adding user sessions to your agenda to observe how employees utilize Salesforce. It can help you avoid the common question, “Do we still need all of these licenses?” that often comes up just weeks before the renewal decision must be made.
Next, let’s look at the products you bought from Salesforce. What does the overall situation look like? Are there any products that surprise you? I’ve seen cases where organizations had data storage add-ons for data they no longer needed, knowledge licenses added after requests from different teams, extra API calls due to poor development practices, and many licenses left over from past projects, among other issues.
Take a moment to jot down notes about each product on the list. Include any information you already have and any details you still need to answer any questions. For example, Sales Cloud and Service Cloud licenses might be straightforward since you know who is using them. We’ll cover that in more detail next. For other products, you may need to consult with colleagues within the company to determine how they are being utilized, by whom, and how frequently.
Check Usage
Now that we understand the products within the organization, let’s examine the basic usage numbers. I call it "basic" because this will show us which licenses and features are assigned but not if they are being used. Go to Setup and then Company Information.
The “User Licenses” section displays the various license types within the organization, along with the number of available licenses and those that are currently assigned. From this section, you can see how many of each primary license type, like Full Salesforce Licenses and Platform Licenses, are assigned based on the Salesforce contract. Take note of any interesting details you find, including how many “remaining licenses” there are for each license type.
The “Feature Licenses” section provides further details on the “User Licenses” section. These are additional products that your organization may purchase to enhance regular Salesforce licenses, such as Knowledge and Live Agent. Be sure to note the number of licenses assigned compared to the number purchased. Is there anything unusual that you notice?
Dive Deeper Into License Usage (Optional)
If you are encountering license usage limits, verify who is using their license. You can achieve this by reviewing reports and engaging in conversations with others.
To create the report, go to the Reports tab and select “Users” as your Report Type. The necessary fields should appear automatically. If they don't, filter for “active” users to see their last login date. You might notice some users who have a license but have never logged in or haven't logged in recently.
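The same check can be scripted once the user list is pulled through the API. The following is an added example, not part of the original article: it groups active users who have never logged in, or not recently, by license type. The 90-day threshold, the function names and the sample rows are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# SOQL that returns the same data as the "Users" report; run it in the
# Developer Console Query Editor or through the REST API.
USERS_SOQL = (
    "SELECT Username, LastLoginDate, Profile.UserLicense.Name "
    "FROM User WHERE IsActive = true"
)

# Constructed sample rows, shaped like the REST API result of USERS_SOQL.
SAMPLE_ROWS = [
    {"Username": "ana@example.com", "LastLoginDate": "2024-05-28T09:14:02.000+0000",
     "Profile": {"UserLicense": {"Name": "Salesforce"}}},
    {"Username": "ben@example.com", "LastLoginDate": None,
     "Profile": {"UserLicense": {"Name": "Salesforce"}}},
    {"Username": "cho@example.com", "LastLoginDate": "2023-11-02T16:40:55.000+0000",
     "Profile": {"UserLicense": {"Name": "Salesforce Platform"}}},
    {"Username": "dev@example.com", "LastLoginDate": "2024-02-20T08:01:10.000+0000",
     "Profile": {"UserLicense": {"Name": "Salesforce"}}},
]


def parse_sf_datetime(value):
    """Parse a Salesforce REST datetime such as 2024-05-28T09:14:02.000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def idle_licenses(rows, now, stale_after_days=90):
    """Return {license name: {"never": [...], "stale": [...]}} for idle users.

    "never" = active user with no recorded login; "stale" = last login older
    than stale_after_days (90 is an assumed threshold, adjust to your policy).
    Licenses with no idle users are left out of the result.
    """
    cutoff = now - timedelta(days=stale_after_days)
    findings = defaultdict(lambda: {"never": [], "stale": []})
    for row in rows:
        profile = row.get("Profile") or {}
        license_name = (profile.get("UserLicense") or {}).get("Name", "Unknown")
        last_login = row.get("LastLoginDate")
        if last_login is None:
            findings[license_name]["never"].append(row["Username"])
        elif parse_sf_datetime(last_login) < cutoff:
            findings[license_name]["stale"].append(row["Username"])
    return dict(findings)


if __name__ == "__main__":
    report = idle_licenses(SAMPLE_ROWS, datetime.now(timezone.utc))
    for license_name, groups in sorted(report.items()):
        print(license_name)
        print("  never logged in:", ", ".join(groups["never"]) or "-")
        print("  stale login:    ", ", ".join(groups["stale"]) or "-")
```

The output gives you a per-license list of names to take into the conversations described next.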
Using the report as a guide, consult with users, their managers, or relevant business units to gather information. Ask these questions and take notes on what you find.
- What was the reason behind them getting a license in the first place?
- Was it for a specific project that is still in progress?
- Or was it for a use case that is no longer valid? Under what circumstances can they be removed from the system?
We need to sort out our Salesforce contract and renewal date before it arrives. All products and licenses must be accounted for so your manager or whoever is sending the payment to Salesforce has a clear understanding of how we utilize them.
Other Usage Information
While you are on the “Company Information” page in Setup, let’s also check some essential usage metrics.
On the right side of the page, about halfway down, you will see “API Requests, last 24 hours.” Depending on your organization type and the number of licenses you have, you will see the number of API requests you made compared to the maximum allowed in 24 hours.
An API request is counted whenever something outside the Salesforce organization interacts with it, such as running a query or adding a record. This can create problems if you reach your limit, causing integrations to fail and disrupting your org. It's essential to keep track of the "health" of your system.
Next, let’s review our Data and File usage, which can be found on the right side above the API usage details. Data storage indicates the total number of Salesforce records being stored, including Accounts and Contacts. File storage encompasses all other items associated with Salesforce records, including email attachments, images linked to Cases, and PDFs connected to Opportunities.
Each organization has space limitations that depend on its type and the number of licenses purchased. You can click the “View” link next to these limits to see more details and find out what is using the most space in your organization. It’s essential to maintain some extra space, as approaching the limit can prevent new records from being created. If you are near the limit, even one new app or process can add several hundred thousand records, potentially causing problems.
Step 2: Security Check
“Health Check”
The next area to discuss is Security. We will focus on how well-protected the organization is against outside threats. As a Salesforce Admin, consultant, or project manager, you might feel that security is not your responsibility. While it's true that Salesforce manages most security issues, it remains your job to enable these security measures.
Salesforce offers an invaluable tool called “Health Check.”
To find it, go to Setup and click on Health Check. You will see a Baseline score for your organization. Below that score, Salesforce categorizes the Security Settings into High, Medium, and Low risk. It shows which Security Settings your organization meets and where it falls short. You will also see the current values for your settings, as well as the recommended values from Salesforce.
Security can be complex, but we don’t need to understand every detail. I recommend updating your policy to match the “Standard Value” that Salesforce suggests. Here are a few exceptions to consider before accepting those recommended values:
- If your organization has numerous Visualforce pages or other custom interfaces, consult with your development team to determine if changes to how these pages load will impact their work. It likely won’t, but if it does, it doesn't mean the changes shouldn’t happen. Instead, it might mean that the pages need to be updated for better security.
- Salesforce recommends locking a user out after three invalid login attempts. However, based on my experience, I prefer allowing five attempts. It gives users a chance to try different passwords before their account is locked.
- Salesforce advises against allowing administrators to log in as any user. They likely have good reasons for this, but in my experience managing an organization, not being able to log in as a user makes it hard to do my job effectively.
An important note here: I recommend updating the Security Settings one at a time. This approach usually works well. However, some users have reported that their browsers timed out, and a few apps from the AppExchange that still use Visualforce stopped working. If you need to update the Security Settings, change one policy and wait a few days to see if users report any issues. Continue this process until all settings have been updated.
We need to enable two important security features in the organization. These are partly addressed in the “Health Check,” but we should take it a step further.
Multi-Factor Authentication (MFA)
MFA is, hands down, the best way to protect your organization from unauthorized users gaining access. It pairs something you know (the password) with another factor (such as your email or a text message). You can find this here: Setup > Session Settings > Session Security Levels > Multi-Factor Authentication.
With this setting enabled, all users who log in to their Salesforce accounts from a new device or browser will need a code, which they can get from an email or a text if they have registered a mobile device. Most organizations already have this, but if yours doesn't, I recommend enabling it.
Starting February 1, 2022, Salesforce will require a more secure type of multi-factor authentication (MFA). You will not be able to use text messages or emails for the second authentication step. Instead, you must use an authentication app or a security key. The authentication app, which you need to install on your phone, generates six-digit codes that expire in about 30 seconds. For more details, go to Setup > Multi-Factor Authentication Assistant.
My Domain
My Domain makes your Salesforce URL unique to your organization. Instead of using login.salesforce.com, you will use mycompany.lightning.force.com. This setup is necessary for many new features and also adds security. Unauthorized users need to know your “My Domain” before they can try to access your organization. You can find this option under Setup > My Domain. If you haven't activated it yet, I recommend that you do so.
Be careful with the "prevent login from login.salesforce.com" option. You can enable this feature after you have enabled My Domain. It blocks logins from the standard login page. Ensure that all your integrations are configured to work with this change and are not redirected to the standard login page.
That's it! Salesforce makes it easy to follow good security practices.
Step 3: Check Access Controls
Our next area to check in the Health Check is access controls. It focuses on how we manage security for licensed Salesforce users within the organization. We need to ensure that every user has the appropriate level of access—no more. This approach is known as “Least Privilege Access,” and it’s a best practice for managing a Salesforce organization. I won’t suggest doing a full access audit right now, though an annual audit is a good idea. Instead, I will highlight two critical areas that are a high priority.
Admins
Users with the highest level of access in Salesforce are System Administrators. These users can change how the Salesforce system operates and can read and edit almost any data, except for some encrypted fields.
Due to this level of access, it should be distributed with great care. I have seen many organizations with 50 users, and 20 of them are Admins! In some cases, every user in the organization was set up as an Admin. It creates a serious access control issue that needs to be addressed immediately.
Go to Setup > Profiles > “System Administrator” profile > Assigned Users to see who is currently assigned the Admin profile. This list should only include users who are responsible for managing the app. Other users, such as sales managers who require data access, should not have this profile. Instead, give them additional access through permission sets.
If you find users who should not be Admins, make a note of it. Then, talk to the person who set up their profile or speak directly with the user. Try to understand how they utilize Salesforce and what additional access they require for their job. Once you have this information, please set up a Permission Set with the needed permissions and assign it to that user. Finally, remove them from the System Administrator profile.
We aim to establish a small group of Administrators who will manage the system. Having too many users with this level of access increases the risk of unwanted changes and the possibility of sensitive data being accessed or changed.
A quick note on this: When you look at the “System Administrator” profile, you will see all the true Admins listed under Assigned Users in Setup. You can also give broad “admin-like” permissions with other Profiles or Permission Sets. Any Profile or Permission Set that includes “Customize Application” or “Read/View all Data” should be considered as having Admin access. You can create a “List View” to find these additional Profiles or Permission Sets.
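One way to script that lookup instead of building list views, as an added example that is not part of the original article: the query returns every assignment of a Profile or Permission Set carrying an admin-like permission, and the functions show which source grants what to each user. It also checks “Modify All Data”, which goes beyond the two permissions named above; the function names and sample rows are constructed for illustration.

```python
# SOQL for the Developer Console or REST API; one row per assignment of a
# profile or permission set that carries an admin-like permission.
ADMIN_LIKE_SOQL = """
SELECT Assignee.Username, PermissionSet.Name, PermissionSet.IsOwnedByProfile,
       PermissionSet.Profile.Name, PermissionSet.PermissionsCustomizeApplication,
       PermissionSet.PermissionsViewAllData, PermissionSet.PermissionsModifyAllData
FROM PermissionSetAssignment
WHERE Assignee.IsActive = true
  AND (PermissionSet.PermissionsCustomizeApplication = true
       OR PermissionSet.PermissionsViewAllData = true
       OR PermissionSet.PermissionsModifyAllData = true)
"""

# Field API name -> label shown in Setup.
ADMIN_LIKE = {
    "PermissionsCustomizeApplication": "Customize Application",
    "PermissionsViewAllData": "View All Data",
    "PermissionsModifyAllData": "Modify All Data",
}
CA, VAD, MAD = ADMIN_LIKE  # field names, in the order declared above


def make_row(user, name, is_profile, *granted):
    """Build one constructed row shaped like the REST result of ADMIN_LIKE_SOQL."""
    perm_set = {field: field in granted for field in ADMIN_LIKE}
    perm_set.update({
        "Name": "profile-owned" if is_profile else name,
        "IsOwnedByProfile": is_profile,
        "Profile": {"Name": name} if is_profile else None,
    })
    return {"Assignee": {"Username": user}, "PermissionSet": perm_set}


# Constructed sample data: one true admin and two users with admin-like access.
SAMPLE_ROWS = [
    make_row("root@example.com", "System Administrator", True, CA, VAD, MAD),
    make_row("sam@example.com", "Sales Ops Reporting", False, VAD),
    make_row("kim@example.com", "Custom: Support Lead", True, CA),
    make_row("kim@example.com", "Data Fix", False, VAD, MAD),
]


def admin_like_access(rows):
    """Map username -> {permission label -> sorted list of granting sources}."""
    report = {}
    for row in rows:
        ps = row["PermissionSet"]
        if ps["IsOwnedByProfile"]:
            source = "Profile: " + ps["Profile"]["Name"]
        else:
            source = "Permission Set: " + ps["Name"]
        user = row["Assignee"]["Username"]
        for field, label in ADMIN_LIKE.items():
            if ps.get(field):
                report.setdefault(user, {}).setdefault(label, set()).add(source)
    return {u: {label: sorted(src) for label, src in perms.items()}
            for u, perms in report.items()}


def shadow_admins(rows, admin_profile="System Administrator"):
    """Users with admin-like access who are not on the admin profile."""
    admins = {r["Assignee"]["Username"] for r in rows
              if r["PermissionSet"]["IsOwnedByProfile"]
              and r["PermissionSet"]["Profile"]["Name"] == admin_profile}
    return sorted(set(admin_like_access(rows)) - admins)


if __name__ == "__main__":
    access = admin_like_access(SAMPLE_ROWS)
    for user in shadow_admins(SAMPLE_ROWS):
        print(user, access[user])
```

Each name returned by `shadow_admins` is a candidate for the same conversation as an over-assigned Admin: confirm what the user needs, then trim the Profile or Permission Set that grants the extra access.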
Sensitive Permissions
Some users in your organization might have sensitive permissions, even if they don’t need them. It is challenging to assess this risk without conducting a comprehensive access audit. The level of risk depends on your company and the specific data you consider most sensitive. There isn’t a one-size-fits-all solution for every organization.
To begin, compile a list of the five most sensitive types of data within your organization. Generally, contracts are the most sensitive. Next, look for any data that includes personal information, such as contacts. There may also be specific Apex Classes that are very sensitive. You will need to identify which data types are most critical for your company.
To determine which users have access to sensitive permissions, compile your list first. Then, check the Profiles to see who has those permissions and which users are assigned to those profiles. To do this, go to Setup > Profiles. You can create a new list by clicking “Create new View” at the top left and filtering it to show the sensitive permissions you identified. While the Profiles list views are not perfect, especially for complex permissions such as Record Type or Field access, they are the best option Salesforce provides.
Once you have compiled your list of users with sensitive permissions, discuss it with them, their managers, and your team to identify who truly requires this access. After that, remove access for those who do not need it.
Step 4: Org Build Analysis
Salesforce Optimizer
Initially, I mentioned that this is not a comprehensive guide to improving and cleaning up a Salesforce org, and I still stand by that. However, it's essential to discuss how the organization is structured and how clean its build process is. Many organizations face building problems that can make it hard to maintain and scale their systems. It is a complex issue, so I won’t be able to provide all the details here.
Salesforce has created a helpful tool called “Optimizer.” This tool, built into Salesforce, helps identify areas in your setup that require attention. It can locate fields, Profiles, Permission Sets, and Roles that you are not currently using. Optimizer also offers suggestions on how to fix these issues. While it has some limitations and may flag some non-issues, it remains a valuable starting point for analysis.
Navigate to Setup > Optimizer to run it, and then analyze the results.
Understand, Document, and Optimize Your Salesforce Org with Codleo
At Codleo, we help businesses manage their Salesforce systems. Whether we are new consultants or improving an existing setup, we focus on making things clear and efficient. A common challenge teams face is not knowing how their system is organized and utilized daily.
To address this, we utilize innovative strategies and tools that enable you to quickly understand, document, and report on your Salesforce system—all within the platform.
Go Beyond the Basics: Deeper Insights Into Your Salesforce Org
Here’s how Codleo helps organizations take their Salesforce management to the next level:
User Activity Tracking That Matters
Move past simple "last login" checks. We help you track login trends over time and understand exactly how users are interacting with different parts of Salesforce. It enables better license management and higher adoption.
Full Permissions Visibility – Right Inside Salesforce
No more wasting time clicking through endless menus. With enhanced permissions reporting capabilities, you can instantly view who has access to what, right from the Salesforce reporting engine.
Visualize Your Org’s Architecture
Codleo provides a detailed "map" of your Salesforce setup, offering clear insights into objects, fields, automation, and how everything connects. Whether you’re preparing for a cleanup, migration, or compliance audit—this clarity is essential.
Centralized Documentation Within Salesforce
Say goodbye to scattered notes and external tools. With native documentation processes, you can manage Health Checks, share major updates with your Salesforce team via Chatter, and even run internal project approvals—all without leaving your org.
At Codleo, we combine our deep Salesforce expertise with these advanced practices to ensure your org is not just functional, but optimized, secure, and future-ready.
Need help auditing or documenting your Salesforce environment? Reach out to Codleo’s Salesforce consulting team today for a free org analysis or request a ready-to-use org documentation template.
Summary
This guide helps you conduct a Salesforce Health Check and improve the health of your Salesforce system. Your Salesforce system is a significant investment, so keeping it in good shape is one of the best ways to protect it.
Ready to ensure your Salesforce org is running at peak performance? As a trusted Salesforce Partner, Codleo Consulting specializes in comprehensive Salesforce Health Checks that uncover hidden issues, improve efficiency, and align your CRM with your business goals. Whether you're facing performance bottlenecks, security concerns, or underutilized features, our expert Salesforce consulting team is here to help.
Contact Codleo today and let us optimize your Salesforce environment for long-term success.