Forum Discussion
Solved
Enable 2FA in shared mailbox
Is it possible to enable 2FA in a shared mailbox?
- Hello,
"A shared mailbox is not designed for direct logon. The user account for the shared mailbox itself should stay in a Disabled (or "disconnected") state."
"A shared mailbox is a type of user mailbox that doesn't have its own username and password. As a result, users can't log into them directly."
https://learn.microsoft.com/en-us/exchange/collaboration/shared-mailboxes/shared-mailboxes?view=exchserver-2019&viewFallbackFrom=exchonline-ww
What about MFA for the users accessing the shared mailbox?
Ideally you would delegate access to individual users when signing in to a shared mailbox. However, if not and you wish to have one set of log in credentials for a particular mailbox there are a few solutions.
You could designate an admin and have the code go to their cellphone however this would be a pain whenever they are out of office or traveling.
Instead it may make sense to:
- Enforce MFA for the account with up to 5 devices: applied at the account level by adding multiple Authenticator instances.
- FIDO2 security key or RFID tag: a hardware based authentication method can be used to pass MFA for users who are in the same location and accessing in person.
- Voice call to a landline: You can add a landline of VoIP phone that all users are provisioned access to so that all users receive a code as a voice call.
- Multi-User Authenticator apps: Password managers and Multi-User Authenticator apps such as Salepager can be used to ensure multiple users receive the MFA code without needing to input numerous different contact methods or generate multiple codes.
- Conditional Access Policy: Implement a conditional access policy to reduce the number of circumstances under which 2FA is triggered in order to minimize the headaches arising from different users logging in.