SOLVED

Enable MFA and Ensure all users registered for MFA actions include shared mailboxes in Secure Score

I am using Secure Score and attempting to complete actions in order to secure my Office 365 environment.

It is not possible to require Multi-Factor Authentication for Office 365 Shared Mailboxes as I believe they do not have a username & password, but my Shared Accounts are included in the total reported by the 'Enable MFA for users' and 'Ensure all users are registered for multi-factor authentication' actions in Secure Score.

Please could you confirm that not having Multi-Factor Authentication enabled on *shared* mailboxes is not risky, and remove them from the Secure Score rules totals?

4 Replies
I should add - I believe Resource (Room and Equipment) Mailboxes are also counted, and these need to be excluded as well (since they do not support any form of logon, let alone multi-factor).

They do actually have user accounts, but there is no risk involved in not having those protected by MFA. Remember, the secure score is only suggesting some generic best practices/recommendation, Microsoft cannot possibly account for all the different controls and configurations tenants have, so always read the score and the actual recommendation in the context of your own requirements.

I do agree though, shared/resource mailboxes and any similar object types should be excluded by default.
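The reply above makes the key point: shared and resource mailboxes are backed by real Entra ID user accounts, so the practical question is not whether they are MFA-registered but whether they can sign in at all. The PowerShell below is an added example, not code from the thread or from Microsoft; it lists the shared, room and equipment mailboxes, flags any whose account is not sign-in blocked (those are the ones worth treating as findings), and then produces the MFA-registration shortfall with those mailbox accounts removed so the remaining list is the one that actually needs action. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that Connect-ExchangeOnline and Connect-MgGraph have already been run with permissions to read users and the authentication-methods registration report.

```powershell
# Added example (not from the original thread). Assumes an existing
# Connect-ExchangeOnline session and a Connect-MgGraph session with scopes
# such as User.Read.All and AuditLog.Read.All (adjust to your tenant's policy).

# 1. Mailboxes that are not people: shared, room and equipment mailboxes.
#    ExternalDirectoryObjectId is the Entra ID object id of the backing account.
$nonUserMailboxes = Get-EXOMailbox -ResultSize Unlimited `
    -RecipientTypeDetails SharedMailbox, RoomMailbox, EquipmentMailbox

# 2. For each mailbox, check the backing account. A shared or resource mailbox
#    should have sign-in blocked (AccountEnabled = $false); if it is enabled,
#    someone could authenticate to it directly and the MFA gap is real.
$accountStatus = foreach ($mbx in $nonUserMailboxes) {
    $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId `
        -Property Id, UserPrincipalName, AccountEnabled -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Mailbox       = $mbx.UserPrincipalName
        Type          = $mbx.RecipientTypeDetails
        ObjectId      = $mbx.ExternalDirectoryObjectId
        # Treat "account not found" as not a sign-in risk but report it separately.
        AccountFound  = [bool]$user
        SignInBlocked = if ($user) { -not $user.AccountEnabled } else { $null }
    }
}

Write-Host "Non-user mailboxes whose account can still sign in (real findings):"
$accountStatus | Where-Object { $_.AccountFound -and -not $_.SignInBlocked } |
    Format-Table Mailbox, Type -AutoSize

# 3. MFA registration report minus the non-user mailbox accounts. What remains
#    is the list of people who genuinely have no MFA method registered.
$excludeIds = @($nonUserMailboxes.ExternalDirectoryObjectId)

$unregisteredPeople = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered -and ($_.Id -notin $excludeIds) }

Write-Host ("Users not registered for MFA, excluding {0} shared/resource mailbox accounts: {1}" -f `
    $excludeIds.Count, @($unregisteredPeople).Count)

$unregisteredPeople |
    Select-Object UserPrincipalName, UserType, IsMfaRegistered, IsMfaCapable |
    Sort-Object UserPrincipalName |
    Export-Csv -Path .\mfa-unregistered-excluding-shared.csv -NoTypeInformation
```

Secure Score itself will still count the excluded accounts, so the CSV is what to track internally; the first table is the part to act on, because a shared or resource mailbox whose account is enabled and has no MFA is exposed in exactly the way the score suggests.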

best response confirmed by Deleted
Solution
Of course - if the tool excluded objects that don't need MFA though, it would be possible to check that no accounts which *should* have MFA are missing. Given Microsoft seem to be putting this forward as a compliance tool, it shouldn't be responsible for false positives if at all possible!

@Chris Hill Hello Chris,

Am stuck at a similar crossroad. I want to enable MFA for a shared mailbox. Did you find your way out with a solution?

Looking forward to your reply.

Thanks

Munesh
