SOLVED

Dual Factor Conditional Access

Occasional Contributor

I want to enable dual auth for Office 365, but I have one issue that will be a challenge; I'm wondering if a conditional access rule would fix it.


We have a group of users that log into other users' mailboxes for coverage, i.e. PTO, sick leave, etc.


When a user is out of office, and another user logs into their mailbox via OWA, I need to disable multi-factor because the user who is out of office will not be able to get the text to the user who is covering.


So basically I want multi-factor by default, but when a user is out of office, allow someone else to access that user's mailbox via OWA without multi-factor.

6 Replies

Hi @Stefanie Cortese,


You can configure Trusted IPs. Please see how to configure them:


https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#trusted... and enter your public IP range there.


Correct; however, some users are remote on DHCP, so it is hard to manage changes. Any other ideas?

Best Response confirmed by Stefanie Cortese (Occasional Contributor)
Solution

Hi @Stefanie Cortese,


You have two options:

  • Make the users connect through a VPN to your on-premises network so that the public IP is in the Trusted IPs
  • Disable MFA temporarily



Do these users have the passwords of the person on holiday? That's really a very poor solution, as you'll never know who is really who when you look at audit logs and the like. It's really easy for a mailbox owner to add someone else to have full access to their mailbox using their own account.


That way everyone stays being themselves, can 2-step authenticate as themselves, and still has access to everything.


I agree with you 100%. There is one add-on business app that does not work under delegated access, so at times there needs to be a direct sign-in.


I agree with @Steven Collier.


The best approach is to give Full Mailbox permissions to the user regarding the MFA access.


@Stefanie Cortese you can do that in Exchange Online mailbox permissions and keep the audit trail, and you can have (and must have) the 2 users with MFA enabled. And if that is not possible, please audit and use a VPN.
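As an added example (not posted by anyone in this thread), these are the Exchange Online PowerShell steps behind the delegated-access approach recommended above: grant Full Access for the coverage window, verify who holds it, revoke it afterwards, and check the audit log for who actually signed in. The mailbox addresses are placeholders, and it assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example, not from the thread. Requires the ExchangeOnlineManagement module.
# Coverage via Full Access instead of password sharing: the covering user signs in
# as themselves (their own MFA applies) and the audit log records who really acted.

Connect-ExchangeOnline   # interactive sign-in; your own MFA / Conditional Access applies

$Owner    = 'out-of-office.user@contoso.example'   # placeholder: mailbox being covered
$Delegate = 'covering.user@contoso.example'         # placeholder: person providing coverage

# Make sure the covered mailbox records logins and actions performed by delegates.
Set-Mailbox -Identity $Owner -AuditEnabled $true

# Grant Full Access for the coverage period. AutoMapping adds the mailbox to the
# delegate's Outlook; in OWA they use "Open another mailbox" from their own session.
Add-MailboxPermission -Identity $Owner -User $Delegate -AccessRights FullAccess `
    -InheritanceType All -AutoMapping $true

# Verify which non-system principals hold Full Access (review this list regularly).
Get-MailboxPermission -Identity $Owner |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and
                   -not $_.IsInherited -and
                   $_.User -notlike 'NT AUTHORITY\*' } |
    Select-Object User, AccessRights

# When coverage ends, revoke the grant so standing access does not accumulate.
Remove-MailboxPermission -Identity $Owner -User $Delegate -AccessRights FullAccess `
    -InheritanceType All -Confirm:$false

# Audit: which accounts logged into or sent from the covered mailbox recently?
$Start = (Get-Date).AddDays(-14); $End = Get-Date
Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
    -Operations MailboxLogin, SendAs, SendOnBehalf -ResultSize 500 |
    Where-Object { $_.AuditData -like "*$Owner*" } |
    Select-Object CreationDate, UserIds, Operations
```

Full Access does not include Send As; add that separately with Add-RecipientPermission only if the coverage role actually needs it.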