rohitpindoriya
Mar 28, 2023 · Copper Contributor
Enable 2FA in shared mailbox
Is it possible to enable 2FA in a shared mailbox?
- Hello,
"A shared mailbox is not designed for direct logon. The user account for the shared mailbox itself should stay in a Disabled (or "disconnected") state."
"A shared mailbox is a type of user mailbox that doesn't have its own username and password. As a result, users can't log into them directly."
https://learn.microsoft.com/en-us/exchange/collaboration/shared-mailboxes/shared-mailboxes?view=exchserver-2019&viewFallbackFrom=exchonline-ww
What about MFA for the users accessing the shared mailbox?
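A read-only audit of the two points in the reply above, as an added example that is not part of the thread: it checks that the account behind each shared mailbox has sign-in disabled, and lists the delegated users, who are the accounts MFA has to cover. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules and an admin session able to read mailboxes and users.

```powershell
# Added example (not from the thread). Read-only; changes nothing in the tenant.
# Assumes: ExchangeOnlineManagement and Microsoft.Graph.Users modules are installed.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.Read.All'

$report = foreach ($mbx in Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    # Directory account behind the shared mailbox; it should have sign-in disabled.
    $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId `
                       -Property AccountEnabled,UserPrincipalName

    # Explicitly granted FullAccess delegates. These users sign in with their
    # own accounts, so MFA is enforced on them, not on the shared mailbox.
    $delegates = Get-EXOMailboxPermission -Identity $mbx.UserPrincipalName |
        Where-Object {
            $_.AccessRights -contains 'FullAccess' -and
            -not $_.IsInherited -and
            $_.User -ne 'NT AUTHORITY\SELF'
        } |
        Select-Object -ExpandProperty User

    [pscustomobject]@{
        SharedMailbox = $mbx.UserPrincipalName
        SignInEnabled = $user.AccountEnabled   # $true means direct logon is possible
        Delegates     = $delegates -join '; '
    }
}

# Mailboxes whose account can still sign in directly are listed first.
$report | Sort-Object SignInEnabled -Descending | Format-Table -AutoSize -Wrap
```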
3 Replies
- calsend (Copper Contributor)
Ideally you would delegate access to individual users when signing in to a shared mailbox. However, if not, and you wish to have one set of login credentials for a particular mailbox, there are a few solutions.
You could designate an admin and have the code go to their cellphone; however, this would be a pain whenever they are out of office or traveling.
Instead it may make sense to:
- Enforce MFA for the account with up to 5 devices: applied at the account level by adding multiple Authenticator instances.
- FIDO2 security key or RFID tag: a hardware-based authentication method can be used to pass MFA for users who are in the same location and accessing in person.
- Voice call to a landline: You can add a landline or VoIP phone that all users are provisioned access to so that all users receive a code as a voice call.
- Multi-User Authenticator apps: Password managers and Multi-User Authenticator apps such as Salepager can be used to ensure multiple users receive the MFA code without needing to input numerous different contact methods or generate multiple codes.
- Conditional Access Policy: Implement a conditional access policy to reduce the number of circumstances under which 2FA is triggered in order to minimize the headaches arising from different users logging in.
Shared mailboxes are directly based on user delegation access, and I suppose we can protect them with 2FA at the user level.