Jun 11 2018 07:47 AM - last edited on Feb 01 2023 09:37 AM by TechCommunityAP
I want to enable dual auth for Office 365 but I have one issue that will be a challenge, wondering if a conditional access rule would fix it.
We have a group of users that log into others' mailboxes for coverage, i.e. PTO, sick, etc.
When a user is out of office, and another user logs into their mailbox via OWA, I need to disable multi-factor because the user out of office will not be able to get the text to the user who is covering.
So basically I want multi-factor by default, but when a user is out of office, allow someone else to access the user's mailbox via OWA without multi-factor.
Jun 11 2018 08:34 AM
You can configure Trusted IPs. Please see how to configure.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#trusted... and enter your public IP range there.
Jun 11 2018 08:55 AM
Correct, however some users are remote on a DHCP so hard to manage changes. Any other ideas?
Jun 11 2018 09:04 AM
Solution
You have two options:
Jun 11 2018 09:47 AM
Do these users have the passwords of the person on holiday? That's really a very poor solution as you'll never know who is really who when you look at audit logs and the like. It's really easy for a mailbox owner to add someone else to have full access to their mailbox using their account.
That way everyone stays being themselves, can 2 step authenticate as themselves and still have access to everything.
Jun 11 2018 09:51 AM
I agree with you 100%. There is one add-on business app that does not work under delegated access. So at times, there needs to be a direct sign in.
Jun 11 2018 09:52 AM
I agree with @Steven Collier.
The best approach is to give Full Mailbox permissions to the user regarding the MFA access.
@Stefanie Cortese you can do that in Exchange Online mailbox permissions and keep that audit and can have/must have the 2 users with MFA enabled. And if it is not possible, please audit and use VPN.
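
The delegated Full Access approach recommended in the replies above, as an added Exchange Online PowerShell example that is not part of the original thread. The function names and the mailbox and user addresses are hypothetical placeholders; the cmdlets come from the ExchangeOnlineManagement module and need an existing `Connect-ExchangeOnline` session.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example: the function names and addresses below are hypothetical.

function Grant-CoverageAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Mailbox,       # mailbox of the absent user
        [Parameter(Mandatory)][string]$CoveringUser   # colleague covering for them
    )
    if ($PSCmdlet.ShouldProcess($Mailbox, "Grant FullAccess to $CoveringUser")) {
        # The covering user keeps signing in as themselves, with their own MFA.
        Add-MailboxPermission -Identity $Mailbox -User $CoveringUser `
            -AccessRights FullAccess -InheritanceType All -AutoMapping $false |
            Out-Null
    }
}

function Get-CoverageDelegates {
    param([Parameter(Mandatory)][string]$Mailbox)
    # Explicit, non-deny FullAccess grants only; skip the owner's own entry.
    Get-MailboxPermission -Identity $Mailbox |
        Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and
            $_.User -notlike 'NT AUTHORITY\*' -and
            $_.AccessRights -contains 'FullAccess'
        } |
        Select-Object Identity, User, AccessRights
}

function Revoke-CoverageAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [Parameter(Mandatory)][string]$CoveringUser
    )
    if ($PSCmdlet.ShouldProcess($Mailbox, "Remove FullAccess from $CoveringUser")) {
        Remove-MailboxPermission -Identity $Mailbox -User $CoveringUser `
            -AccessRights FullAccess -InheritanceType All -Confirm:$false
    }
}

# Usage (placeholder addresses), after Connect-ExchangeOnline:
#   Grant-CoverageAccess  -Mailbox 'absent.user@example.com' -CoveringUser 'cover.user@example.com'
#   Get-CoverageDelegates -Mailbox 'absent.user@example.com'
#   Revoke-CoverageAccess -Mailbox 'absent.user@example.com' -CoveringUser 'cover.user@example.com'
```

Running `Get-CoverageDelegates` when the absent user returns shows any grants that were never revoked; add `-WhatIf` to the grant or revoke call to preview the change first.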