Forum Discussion
Enable MFA and Ensure all users registered for MFA actions include shared mailboxes in Secure Score
I am using Secure Score and attempting to complete actions in order to secure my Office 365 environment.
It is not possible to require Multi-Factor Authentication for Office 365 Shared Mailboxes as I believe they do not have a username & password, but my Shared Accounts are included in the total reported by the 'Enable MFA for users' and 'Ensure all users are registered for multi-factor authentication' actions in Secure Score.
Please could you confirm that not having Multi-Factor Authentication enabled on *shared* mailboxes is not risky, and remove them from the Secure Score rules totals?
4 Replies
- Munesh17 (Copper Contributor)
Chris Hill: Hello Chris,
I am stuck at a similar crossroads. I want to enable MFA for a shared mailbox. Did you find your way to a solution?
Looking forward to your reply.
Thanks
Munesh
- Chris Hill (Copper Contributor)
I should add - I believe Resource (Room and Equipment) Mailboxes are also counted, and these need to be excluded as well (since they do not support any form of logon, let alone multi-factor).
They do actually have user accounts, but there is no risk involved in not having those protected by MFA. Remember, the secure score is only suggesting some generic best practices/recommendation, Microsoft cannot possibly account for all the different controls and configurations tenants have, so always read the score and the actual recommendation in the context of your own requirements.
I do agree though, shared/resource mailboxes and any similar object types should be excluded by default.
- Chris Hill (Copper Contributor)
Of course - if the tool excluded objects that don't need MFA though, it would be possible to check that no accounts which *should* have MFA are missing. Given Microsoft seem to be putting this forward as a compliance tool, it shouldn't be responsible for false positives if at all possible!
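One way to do the check Chris asks for in the original post and again above (which real users are missing MFA once shared, room and equipment mailboxes are taken out of the count), as an added example that is not part of this thread and not a Secure Score feature. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Reports modules are installed and that you have already run Connect-ExchangeOnline and Connect-MgGraph with the AuditLog.Read.All and UsersAuthenticationMethod.Read.All scopes; the cmdlets and property names are those modules' own, while the tenant names and sample accounts below are constructed so the filtering logic can be checked offline before a live run.

```powershell
# Added example, not code from the thread. Assumes ExchangeOnlineManagement and
# Microsoft.Graph.Reports are installed and you are already connected to both.
# Sample data below is constructed; UPNs and domain are made up.

function Get-MfaRegistrationGap {
    <#
    Returns the accounts that are NOT MFA-registered after removing shared, room and
    equipment mailboxes, i.e. the accounts that should have MFA but do not.
    RegistrationDetails : objects with UserPrincipalName and IsMfaRegistered
                          (the shape Get-MgReportAuthenticationMethodUserRegistrationDetail returns).
    ServiceMailboxUpns  : UPNs of shared/room/equipment mailboxes to exclude from the count.
    #>
    param(
        [Parameter(Mandatory)] [object[]] $RegistrationDetails,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $ServiceMailboxUpns
    )

    # Case-insensitive set of UPNs to exclude, so mixed-case UPNs from the two sources still match
    $exclude = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($upn in $ServiceMailboxUpns) { [void]$exclude.Add($upn) }

    $RegistrationDetails |
        Where-Object { -not $_.IsMfaRegistered -and -not $exclude.Contains($_.UserPrincipalName) } |
        Select-Object UserPrincipalName, IsMfaRegistered
}

function Get-MfaRegistrationGapFromTenant {
    # Live version: pulls the same two inputs from Microsoft Graph and Exchange Online.
    # Registration state per user (IsMfaRegistered), the same data Secure Score counts.
    $registrations = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

    # Mailbox types that cannot sign in interactively and so should not be in the MFA total.
    $serviceMailboxes = Get-EXOMailbox -RecipientTypeDetails SharedMailbox, RoomMailbox, EquipmentMailbox -ResultSize Unlimited |
        Select-Object -ExpandProperty UserPrincipalName

    Get-MfaRegistrationGap -RegistrationDetails $registrations -ServiceMailboxUpns $serviceMailboxes
}

# --- Constructed sample data (not from any real tenant) to exercise the filter offline ---
$sampleRegistrations = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example';    IsMfaRegistered = $true  }   # user, registered
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';      IsMfaRegistered = $false }   # user, NOT registered
    [pscustomobject]@{ UserPrincipalName = 'helpdesk@contoso.example'; IsMfaRegistered = $false }   # shared mailbox
    [pscustomobject]@{ UserPrincipalName = 'Room1@contoso.example';    IsMfaRegistered = $false }   # room mailbox
)
$sampleServiceMailboxes = @('helpdesk@contoso.example', 'room1@contoso.example')

# Only bob@contoso.example is reported: the shared and room mailboxes are excluded
# even though Secure Score would count all three as unregistered.
Get-MfaRegistrationGap -RegistrationDetails $sampleRegistrations -ServiceMailboxUpns $sampleServiceMailboxes

# For a real tenant, after connecting, run:
#   Get-MfaRegistrationGapFromTenant | Format-Table
```

The exclusion is by Exchange recipient type, which matches the thread's suggestion; it does not look at whether the underlying Entra ID account is sign-in blocked, so an account that is a shared mailbox by type but still has interactive sign-in enabled is silently dropped from the list. If that distinction matters in your tenant, review the excluded set separately rather than widening the filter.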