SOLVED

Enable MFA and Ensure all users registered for MFA actions include shared mailboxes in Secure Score


I am using Secure Score and attempting to complete actions in order to secure my Office 365 environment.

 

It is not possible to require Multi-Factor Authentication for Office 365 Shared Mailboxes as I believe they do not have a username & password, but my Shared Accounts are included in the total reported by the 'Enable MFA for users' and 'Ensure all users are registered for multi-factor authentication' actions in Secure Score.

 

Please could you confirm that not having Multi-Factor Authentication enabled on *shared* mailboxes is not risky, and remove them from the Secure Score rules totals?

4 Replies
I should add - I believe Resource (Room and Equipment) Mailboxes are also counted, and these need to be excluded as well (since they do not support any form of logon, let alone multi-factor).

They do actually have user accounts, but there is no risk involved in not having those protected by MFA. Remember, the secure score is only suggesting some generic best practices/recommendation, Microsoft cannot possibly account for all the different controls and configurations tenants have, so always read the score and the actual recommendation in the context of your own requirements.

 

I do agree though, shared/resource mailboxes and any similar object types should be excluded by default.

best response confirmed by Deleted
Solution
Of course - if the tool excluded objects that don't need MFA though, it would be possible to check that no accounts which *should* have MFA are missing. Given Microsoft seem to be putting this forward as a compliance tool, it shouldn't be responsible for false positives if at all possible!
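The check described in the reply above, as an added example that is not part of the original thread: take the accounts reported as not registered for MFA and separate shared/room/equipment mailbox objects from the accounts that still need follow-up. All rows are constructed sample data; the property names `UPN`, `IsMfaRegistered` and `AccountEnabled`, and the function name `Split-MfaGap`, are assumptions for this sketch.

```powershell
# Added example. Sample rows are constructed. In a live tenant the mailbox rows
# would come from Exchange Online (for example Get-EXOMailbox, which exposes
# RecipientTypeDetails) and the MFA rows from your MFA registration report.
$mailboxes = @(
    [pscustomobject]@{ UPN = 'alice@contoso.example';   RecipientTypeDetails = 'UserMailbox' }
    [pscustomobject]@{ UPN = 'bob@contoso.example';     RecipientTypeDetails = 'UserMailbox' }
    [pscustomobject]@{ UPN = 'invoices@contoso.example'; RecipientTypeDetails = 'SharedMailbox' }
    [pscustomobject]@{ UPN = 'room-4a@contoso.example'; RecipientTypeDetails = 'RoomMailbox' }
    [pscustomobject]@{ UPN = 'beamer@contoso.example';  RecipientTypeDetails = 'EquipmentMailbox' }
)
$mfaReport = @(
    [pscustomobject]@{ UPN = 'alice@contoso.example';    IsMfaRegistered = $true;  AccountEnabled = $true }
    [pscustomobject]@{ UPN = 'bob@contoso.example';      IsMfaRegistered = $false; AccountEnabled = $true }
    [pscustomobject]@{ UPN = 'INVOICES@contoso.example'; IsMfaRegistered = $false; AccountEnabled = $true }
    [pscustomobject]@{ UPN = 'room-4a@contoso.example';  IsMfaRegistered = $false; AccountEnabled = $false }
    [pscustomobject]@{ UPN = 'beamer@contoso.example';   IsMfaRegistered = $false; AccountEnabled = $false }
    [pscustomobject]@{ UPN = 'svc-scan@contoso.example'; IsMfaRegistered = $false; AccountEnabled = $true }
)

function Split-MfaGap {
    param(
        [Parameter(Mandatory)] [object[]] $Mailbox,
        [Parameter(Mandatory)] [object[]] $MfaReport,
        # Mailbox types the thread says should not count toward the MFA totals
        [string[]] $MailboxObjectTypes = @('SharedMailbox', 'RoomMailbox', 'EquipmentMailbox')
    )
    # Index mailbox type by UPN; hashtable string keys compare case-insensitively
    $typeByUpn = @{}
    foreach ($m in $Mailbox) { $typeByUpn[$m.UPN] = $m.RecipientTypeDetails }

    foreach ($row in ($MfaReport | Where-Object { -not $_.IsMfaRegistered })) {
        $type = $typeByUpn[$row.UPN]
        if (-not $type) { $type = 'NoMailbox' }   # account without a mailbox: never excluded
        $bucket = if ($MailboxObjectTypes -contains $type) { 'MailboxObject' } else { 'NeedsMfa' }
        [pscustomobject]@{
            UPN            = $row.UPN
            MailboxType    = $type
            AccountEnabled = $row.AccountEnabled   # shown so the reviewer can see sign-in state
            Bucket         = $bucket
        }
    }
}

Split-MfaGap -Mailbox $mailboxes -MfaReport $mfaReport |
    Sort-Object Bucket, UPN |
    Format-Table -AutoSize
```

With the sample data, `bob` and `svc-scan` land in `NeedsMfa`, while the shared, room and equipment mailboxes land in `MailboxObject` with their `AccountEnabled` value listed beside them.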

@Chris Hill Hello Chris,

 

Am stuck at a similar crossroad. I want to enable MFA for a shared mailbox. Did you get your way out with a solution?

Look forward to your reply.

 

Thanks

Munesh