Forum Discussion
MFA for one email account with several users
- Feb 18, 2021
Hi Decomplexity
You can add multiple authenticator app 'instances' on a single account. If you decide to go the push notification way, be aware all registered authenticator apps for that account will get the notification which is something you may wish to avoid.
In that case choose to go the app with code direction. Here you have the choice to have all four devices share the same 'instance' (the 6 digit code will be the same on all devices) or you can create a separate instance for each phone (each 6 digit code will be different). The latter being more secure.
You can find some more detailed information here (article is from 2019 so the screenshots are from the 'old' registration experience but the principle is still valid.
Using multiple authenticator apps with a single Microsoft 365 user account – CIAOPS
Hi Decomplexity good morning.
You can´t by security design. Even you can set up multiple MFA instances, you need to decide which is the default MFA method. Maybe you can change the way MFA sends you the code like a shared mailbox accessed by serveral users, but very less secure.
Another Idea is app password. I don´t know which is your current configuration ,but if you are accessing by web app to the exchange, you have more limitations. With App password you can configure Outlook App client directly. Also, you can limit access mailbox by IP address.
I hope this can help you.
Good luck!
Thx Pablomcse
It is clearly helps traceability to have only one Authenticator registration per email account. We looked at the more elegant solution of converting the present support mail accounts (one for each group of four) to shared mail accounts but this entails adding three chargeable licences per shared mailbox (i.e. per group) and there are many groups!
However, when we were prototyping the steps involved in converting a group mailbox to such a shared mailbox, we observed that the MFA ‘enable’ screen that lists all the mailboxes (with Display name / User name / Multifactor authentication status) displays shared mailboxes as well as ‘normal’ ones. DAK the purpose of this since a shared mailbox cannot be logged on to directly but only entered via one of the members assigned to it (which in turn was logged on with its own credentials and MFA) ?