MFA for an individual account converted to a shared account

%3CLINGO-SUB%20id%3D%22lingo-sub-2171622%22%20slang%3D%22en-US%22%3EMFA%20for%20an%20individual%20account%20converted%20to%20a%20shared%20account%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2171622%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20a%20Microsoft%20365%20Business%20individual%20account%20that%20has%20MFA%20enabled%20is%20converted%20to%20a%20shared%20account%2C%20does%20the%20shared%20account%20inherit%20the%20MFA%20settings%20(are%20they%20are%20technically%20still%20operable%20on%20the%20%E2%80%98anchor%E2%80%99%20account%20from%20which%20it%20came%3F)%3CBR%20%2F%3EAnd%20since%3A%3CBR%20%2F%3EAdmin%20Center%20%3D%26gt%3B%20Org%20Settings%20%3D%26gt%3B%20Multi-factor%20authentication%20%3D%26gt%3B%20Configure%20Multi-factor%20authentication%3CBR%20%2F%3Elists%20shared%20accounts%20as%20well%20as%20individual%20accounts%2C%20how%20is%20a%20shared%20account%20used%20with%20MFA%20since%20its%20automatic%20and%20hidden%20password%20is%20never%20used%20to%20log%20on%20(i.e.%20the%20linked%20individual%20accounts%20log%20on%20with%20MFA%20instead)%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2171622%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAuthentication%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2174738%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20for%20an%20individual%20account%20converted%20to%20a%20shared%20account%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2174738%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F627637%22%20target%3D%22_blank%22%3E%40Decomplexity%3C%2FA%3E%26nbsp%3BI%20don't%20have%20the%20answer%20to%20your%20question%20but%20I%20do%20have%20a%20suggestion.%26nbsp%3B%20Block%20the%20logon%20to%20the%20shared%20accounts.%26nbsp%3B%20Delegates%20can%20still%20access%20the%20account.%26nbsp%3B%20Blocking%20the%20logon%20removes%20it%20from%20the%20list%20of%20MFA%20accounts.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

If a Microsoft 365 Business individual account that has MFA enabled is converted to a shared account, does the shared account inherit the MFA settings (are they are technically still operable on the ‘anchor’ account from which it came?)
And since:
Admin Center => Org Settings => Multi-factor authentication => Configure Multi-factor authentication
lists shared accounts as well as individual accounts, how is a shared account used with MFA since its automatic and hidden password is never used to log on (i.e. the linked individual accounts log on with MFA instead)?

3 Replies

@Decomplexity I don't have the answer to your question but I do have a suggestion.  Block the logon to the shared accounts.  Delegates can still access the account.  Blocking the logon removes it from the list of MFA accounts. 

Indeed yes. We block shared accounts logons by default, and it may be breaking MSFT's EULA to permit logons unless the shared account were licensed.
A Shared Account (Shared Mailbox I'm assuming) should not be logged into using username and password and as stated here it will be disabled by default. It is also not licensed for logon or MFA. A shared mailbox should never be given to users as credentials to log in, instead, delegate the access to the account through Exchange to named accounts with MFA enabled on them.

They show up in the MFA page as they are just another entry in your directory but they should be disabled and no requirement or license for MFA on these accounts.