Dual Factor Conditional Access

Occasional Contributor

I want to enable dual auth for Office 365, but I have one issue that will be a challenge, and I am wondering if a conditional access rule would fix it.


We have a group of users that log into others' mailboxes for coverage, i.e. PTO, sick, etc.


When a user is out of office and another user logs into their mailbox via OWA, I need to disable multi-factor because the user who is out of office will not be able to get the text to the user who is covering.


So basically I want multi-factor by default, but when a user is out of office, allow someone else to access the user's mailbox via OWA without multi-factor.

6 Replies

Hi @Stefanie Cortese,


You can configure Trusted IPs. Please see how to configure them, and enter your public IP range there.


Correct, however some users are remote on a DHCP so hard to manage changes. Any other ideas?

Best Response confirmed by Stefanie Cortese (Occasional Contributor)

Hi @Stefanie Cortese,


You have two options:

  • Make the users connect through a VPN to your on-premises network whose public IP is in Trusted IPs
  • Disable MFA temporarily



Do these users have the passwords of the person on holiday? That's really a very poor solution as you'll never know who is really who when you look at audit logs and the like. It's really easy for a mailbox owner to add someone else to have full access to their mailbox using their account.


That way everyone stays being themselves, can 2 step authenticate as themselves and still have access to everything. 


I agree with you 100%. There is one add-on business app that does not work under delegated access. So at times, there needs to be a direct sign in. 


I agree with @Steven Collier.


The best approach is to give Full Mailbox permissions to the user regarding the MFA access.


@Stefanie Cortese you can do that in Exchange Online mailbox permissions and keep that audit and can have/must have the 2 users with MFA enabled. And if that is not possible, please audit and use VPN.
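
The delegation approach recommended in the replies above, as an added example that is not part of the original thread: the covering user receives Full Access for the absence and signs in to OWA as themselves with their own MFA, so audit entries carry their identity. It assumes the ExchangeOnlineManagement module is installed; all addresses are placeholders.

```powershell
# Added example (not from the thread): time-boxed coverage via mailbox delegation
# instead of sharing the absent user's password or disabling their MFA.
# Assumption: ExchangeOnlineManagement module installed; addresses are placeholders.
Import-Module ExchangeOnlineManagement

# The admin authenticates as themselves, with their own MFA prompt.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

$Absent   = 'absent.user@contoso.example'    # mailbox owner who is out of office
$Covering = 'covering.user@contoso.example'  # colleague providing coverage

# Ensure mailbox auditing is enabled so delegate activity is recorded
# under the delegate's own identity.
Set-Mailbox -Identity $Absent -AuditEnabled $true

# Grant Full Access for the coverage period. The covering user then opens
# the mailbox from their own OWA session ("Open another mailbox").
Add-MailboxPermission -Identity $Absent -User $Covering `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $true

# Review who holds explicit (non-inherited) access to the mailbox.
Get-MailboxPermission -Identity $Absent |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    Select-Object User, AccessRights

# When the owner returns, remove the grant so access does not linger.
Remove-MailboxPermission -Identity $Absent -User $Covering `
    -AccessRights FullAccess -InheritanceType All -Confirm:$false

# Confirm the covering user no longer appears in the permission list.
Get-MailboxPermission -Identity $Absent -User $Covering

Disconnect-ExchangeOnline -Confirm:$false
```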