SOLVED

MFA for one email account with several users

Occasional Contributor

Client runs four shifts with support staff who work from home. Each group of four team members has a single 365 mailbox, and usage passes from one team member to another as the shifts change. For each group, client wants to implement 2FA with Authenticator on the phones of each team member, i.e. four phones authenticating one email account. But this used to be barred for business (‘work and school’) accounts.  

DAK what is the current position (and is this documented anywhere?), and if it is still barred what is the best way forward?

3 Replies

Hi @Decomplexity good morning. 

 

You can't, by security design. Even if you can set up multiple MFA instances, you need to decide which is the default MFA method. Maybe you can change the way MFA sends you the code, like a shared mailbox accessed by several users, but that is much less secure.

 

Another idea is an app password. I don't know what your current configuration is, but if you are accessing Exchange through the web app, you have more limitations. With an app password you can configure the Outlook app client directly. Also, you can limit mailbox access by IP address.

 

I hope this can help you. 

 

Good luck! 

Thx @Pablomcse

It clearly helps traceability to have only one Authenticator registration per email account. We looked at the more elegant solution of converting the present support mail accounts (one for each group of four) to shared mail accounts, but this entails adding three chargeable licences per shared mailbox (i.e. per group) and there are many groups!

 

However, when we were prototyping the steps involved in converting a group mailbox to such a shared mailbox, we observed that the MFA ‘enable’ screen that lists all the mailboxes (with Display name / User name / Multifactor authentication status) displays shared mailboxes as well as ‘normal’ ones. DAK the purpose of this, since a shared mailbox cannot be logged on to directly but only entered via one of the members assigned to it (which in turn was logged on with its own credentials and MFA)?

best response confirmed by Decomplexity (Occasional Contributor)
Solution

Hi @Decomplexity 

 

You can add multiple authenticator app 'instances' on a single account. If you decide to go the push notification way, be aware all registered authenticator apps for that account will get the notification which is something you may wish to avoid.

In that case choose to go the app with code direction. Here you have the choice to have all four devices share the same 'instance' (the 6 digit code will be the same on all devices) or you can create a separate instance for each phone (each 6 digit code will be different). The latter being more secure.

 

You can find some more detailed information here (the article is from 2019, so the screenshots are from the 'old' registration experience, but the principle is still valid).

Using multiple authenticator apps with a single Microsoft 365 user account – CIAOPS
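The difference between one shared 'instance' and a separate instance per phone, as described in the answer above, shown as an added example (not part of the thread and not Microsoft's code). It assumes the 6-digit app codes are standard RFC 6238 TOTP; the phone names and secrets are constructed.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code (RFC 6238 default)
DIGITS = 6   # the "6 digit code" mentioned in the answer


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, 30 s step, 6 digits."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def attribute(phones: dict, code: str, unix_time: int, window: int = 1) -> list:
    """Return the phones whose enrolled secret yields `code` within
    +/- `window` time steps (tolerates small clock drift)."""
    hits = []
    for name, secret in phones.items():
        for drift in range(-window, window + 1):
            candidate = totp(secret, unix_time + drift * STEP)
            if hmac.compare_digest(candidate, code):
                hits.append(name)
                break
    return hits


# Constructed enrolments for one group of four (assumed names and secrets).
# Option 1: every phone scanned the same QR code, so all hold one secret.
SHARED = {f"phone-{n}": b"constructed-shared-secret" for n in range(1, 5)}
# Option 2: each phone was registered as its own instance.
SEPARATE = {f"phone-{n}": f"constructed-secret-{n}".encode() for n in range(1, 5)}

if __name__ == "__main__":
    now = 1_700_000_000  # fixed timestamp so the output is repeatable
    for label, phones in (("shared", SHARED), ("separate", SEPARATE)):
        codes = {name: totp(secret, now) for name, secret in phones.items()}
        used = codes["phone-3"]  # phone-3 signs in
        print(label, codes, "-> code could come from", attribute(phones, used, now))
```

With the shared secret a valid code matches all four phones, so a sign-in cannot be tied to one team member and removing one person means re-enrolling everyone; with separate instances the code matches a single enrolment that can be revoked on its own.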