MFA Activation for Shared Email Address

2020-06-29T03:45:42.367+00:00

Dear All,

I am in the midst of enabling MFA for my environment, but we have come across a challenge in enabling MFA for shared email addresses in our domain.
The email is shared by multiple people working on shift. To register one phone number for TAC sending purposes would be very inconvenient.

Is there any other way to enable MFA for shared email?


5 answers

  1. Vasil Michev 119.6K Reputation points MVP Volunteer Moderator
    2020-06-29T17:42:40.523+00:00

    Well, shared mailboxes aren't supposed to be accessed directly; instead you grant users Full Access and they use their own credentials. Thus if MFA is needed/enforced, the users perform the challenge against their own accounts.

    Logging into a shared mailbox with its own credentials is against the licensing terms.

    3 people found this answer helpful.
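
The delegation model described in answer 1, as an added PowerShell example that is not part of the original thread: each person gets Full Access through their own MFA-protected account, the shared mailbox's own account is blocked from signing in (a hardening step added here), and a final pass reports any shared mailbox that still allows direct sign-in. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules are installed; the addresses are constructed placeholders.

```powershell
# Added example, not from the thread. Addresses are constructed placeholders.
# Assumes ExchangeOnlineManagement and Microsoft.Graph.Users are installed and
# the operator holds rights to manage mailboxes and user accounts.
$SharedMailbox = 'support@contoso.example'
$Delegates     = @('alice@contoso.example', 'bob@contoso.example')

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.ReadWrite.All'

# 1. Delegates open the shared mailbox with their own credentials, so any MFA
#    challenge is performed against their own accounts.
foreach ($user in $Delegates) {
    Add-MailboxPermission -Identity $SharedMailbox -User $user `
        -AccessRights FullAccess -InheritanceType All -AutoMapping $true | Out-Null
}

# 2. Block interactive sign-in on the shared mailbox's own account, so its
#    password can no longer be used to log in directly.
$mbx = Get-EXOMailbox -Identity $SharedMailbox
Update-MgUser -UserId $mbx.ExternalDirectoryObjectId -AccountEnabled:$false

# 3. Audit: report every shared mailbox whose account still allows sign-in,
#    together with the accounts that hold Full Access to it.
Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    ForEach-Object {
        $m = $_
        $u = Get-MgUser -UserId $m.ExternalDirectoryObjectId -Property AccountEnabled
        $fullAccess = Get-EXOMailboxPermission -Identity $m.PrimarySmtpAddress |
            Where-Object {
                $_.AccessRights -contains 'FullAccess' -and
                $_.User -ne 'NT AUTHORITY\SELF'
            }
        [pscustomobject]@{
            Mailbox       = $m.PrimarySmtpAddress
            SignInEnabled = $u.AccountEnabled
            Delegates     = $fullAccess.User -join '; '
        }
    } |
    Where-Object SignInEnabled |
    Format-Table -AutoSize
```

An empty result from step 3 means no shared mailbox in the tenant can be signed in to with its own credentials.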

  2. Eugene 5 Reputation points
    2023-06-23T12:24:44.34+00:00

    Why does Microsoft list out shared mailboxes in the https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx page and allow us to enable/disable MFA on shared mailboxes, if shared mailboxes shouldn't have MFA? Any ideas?

    1 person found this answer helpful.

  3. Sander Berkouwer 166 Reputation points
    2020-06-29T06:08:40.19+00:00

    Your best approach would be to create a resource mailbox.
    Then, for each person that needs to access the resource mailbox, you'd create a user mailbox. You can assign each user mailbox with owner permissions to the resource mailbox. In the Outlook experience for each of these users (Outlook Mobile, Outlook on the web or the Office Outlook application) the resource mailbox would then automatically show up as an additional mailbox.

    From my experience, shared mailboxes and shared accounts are common in retail scenarios, where the additional licensing for F1 or E1 licensing is a significant burden, but it's the best approach forward.

    Although still in preview, you can also specify a FIDO2 security key for the shared mailbox. This offers a solution for accounts that are shared in one physical location. Then, you'd share the PIN with each of the persons that need to access the account. FIDO2 authentication with PIN satisfies the multi-factor authentication requirements for Conditional Access, too.


  4. Yoram 1 Reputation point
    2022-12-06T12:48:13.663+00:00

    This is somehow an issue for me as well, we use shared mailboxes company wide, but all our employees have searching issues in (365) Shared mailboxes.
    Our solution to this issue was adding the shared mailbox as a user in Outlook (and removing mailbox delegations, as Outlook "Can't open this folder" if a user mailbox is added, which conflicts with the shared mailbox).


  5. Zoe Sun 1 Reputation point
    2022-12-16T22:12:37.877+00:00

    To help anyone else: I just had to disable the Security Defaults after all my users had used MFA on their phones, due to ONE account that is used for a cloud-based app and could not have that configured. So I then disabled it, went into 365 Admin and re-enabled.

    ALL your users will get prompted to reapprove when they try to log in to email, including Outlook on desktop. There was a comment here or in another post that, because they had at one time authenticated, when you re-enable they won't be prompted. That is not the case.

    Either way, this seems to be the only way to still utilize MFA and not upgrade to P1 (if you only have one account that needs an exception): disable security defaults, then re-enable in 365 Admin. This will need to be configured for each new user. Conditional Access is only available for P1 subscriptions. Too expensive for a company to pay for that solely because of one box.

    Hope this helps.
