Forum Discussion

Stefanie Cortese
Copper Contributor
Jun 11, 2018
Solved

Dual Factor Conditional Access

I want to enable dual auth for Office 365 but I have one issue that will be a challenge, wondering if a conditional access rule would fix it. 

 

We have a group of users that log into others' mailboxes for coverage, i.e. PTO, sick, etc. 

 

When a user is out of office, and another user logs into their mailbox via OWA, I need to disable multi-factor because the user who is out of office will not be able to get the text to the user who is covering. 

 

So basically I want multi-factor by default, but when a user is out of office, allow someone else to access that user's mailbox via OWA without multi-factor. 

  • 
    NunoAriasSilva
    Jun 11, 2018

    Hi Stefanie Cortese,

     

    You have two options:

    • Make the users connect through a VPN to your on-premises network, whose public IP is in the Trusted IPs list
    • Disable MFA temporarily

     
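The first option above (trust the VPN egress address so MFA is not prompted from it) is, in today's Azure AD, a Conditional Access named location excluded from an MFA policy; in 2018 the same thing was done under the per-user MFA "trusted IPs" service setting. The following is an added example, not code from the thread or from Microsoft's documentation, using the Microsoft.Graph PowerShell module. The CIDR, the group id and the policy name are placeholders I assume for illustration.

```powershell
# Added example (not from the thread): require MFA for Office 365 for the
# coverage group from everywhere except the on-premises VPN egress, using a
# trusted named location. Group id and CIDR are assumed placeholders.
# Requires the Microsoft.Graph module.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$VpnEgressCidr   = '203.0.113.0/24'                        # assumed VPN egress
$CoverageGroupId = '00000000-0000-0000-0000-000000000000'  # assumed group id

# 1. Named location for the VPN egress, flagged as trusted.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corp VPN egress'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $VpnEgressCidr }
    )
}

# 2. MFA policy scoped to the coverage group and the Office 365 app group,
#    applied to all locations except the trusted one. Start in report-only
#    so the sign-in logs show who would have been prompted before enforcing.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Office 365: MFA unless on corp VPN'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeGroups = @($CoverageGroupId) }
        applications = @{ includeApplications = @('Office365') }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# 3. Switch to enforced once the report-only results look right.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
    -BodyParameter @{ state = 'enabled' }
```

Two caveats a practitioner should weigh before choosing this route: the location exclusion drops MFA for everyone in the group whenever they are on the VPN, not only during a coverage window, so the VPN itself becomes the second factor and must be protected accordingly; and a sign-in under the absent user's credentials still shows up in the audit log as that user, which is the traceability problem the next reply raises.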

6 Replies

  • Do these users have the passwords of the person on holiday? That's really a very poor solution, as you'll never know who is really who when you look at audit logs and the like. It's really easy for a mailbox owner to add someone else to have full access to their mailbox using their account.

     

    That way everyone stays being themselves, can 2 step authenticate as themselves and still have access to everything. 

    • 
      Stefanie Cortese
      Copper Contributor

      I agree with you 100%. There is one add-on business app that does not work under delegated access. So at times, there needs to be a direct sign in. 

      • 
        NunoAriasSilva
        MVP

        I agree with Steven Collier.

         

        The best approach is to give Full Mailbox permissions to the user regarding the MFA access.

         

        Stefanie Cortese, you can do that in Exchange Online mailbox permissions, keep the audit trail, and can have/must have the two users with MFA enabled. And if that is not possible, please audit and use a VPN.
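The delegation approach that Steven Collier's reply and the post above both recommend (Full Access on the absent user's mailbox, so the covering user signs in as themselves with their own MFA) looks like this in Exchange Online PowerShell. This is an added example, not code from the thread; the mailbox and delegate addresses are assumed placeholders, and it assumes the ExchangeOnlineManagement module.

```powershell
# Added example (not from the thread): grant Full Access for a coverage window,
# keep delegate actions audited, verify the grant, then revoke it and review
# what the delegate did. Both users keep their own sign-in and MFA.
# Mailbox and delegate addresses are assumed placeholders.

Connect-ExchangeOnline   # admin sign-in, MFA-capable

$Mailbox  = 'alice@contoso.example'   # user who is out of office (assumed)
$Delegate = 'bob@contoso.example'     # user covering the mailbox (assumed)

# 1. Make sure actions performed by delegates in this mailbox are logged.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditDelegate @{Add = 'SendAs', 'SendOnBehalf', 'Create', 'Update',
                           'MoveToDeletedItems', 'SoftDelete', 'HardDelete'}

# 2. Grant Full Access. AutoMapping $false keeps the mailbox from being
#    attached in Outlook automatically; in OWA the delegate uses
#    "Open another mailbox" and is logged as themselves.
Add-MailboxPermission -Identity $Mailbox -User $Delegate `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $false

# 3. Verify: list explicit, non-inherited grants (filters out the owner's
#    own NT AUTHORITY\SELF entry).
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    Select-Object User, AccessRights

# 4. When the owner returns: revoke the grant ...
Remove-MailboxPermission -Identity $Mailbox -User $Delegate `
    -AccessRights FullAccess -Confirm:$false

# 5. ... and review delegate activity for the coverage window.
Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Delegate -ShowDetails `
    -StartDate (Get-Date).AddDays(-14) -EndDate (Get-Date) |
    Select-Object LastAccessed, LogonUserDisplayName, Operation, FolderPathName
```

Step 5 uses Search-MailboxAuditLog, which existed at the time of the thread; on current tenants the same events are retrieved from the unified audit log with Search-UnifiedAuditLog. The important property of this design is the one Steven Collier points out: every entry names the delegate, not the absent owner, which a shared password can never give you.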

    • 
      Stefanie Cortese
      Copper Contributor

      Correct, however some users are remote on DHCP, so it is hard to manage changes. Any other ideas?

