Pointing Microsoft login to itself with SSO

Dani Abouhamad 0 Reputation points
2024-03-15T12:27:11.9+00:00

Hello,

I am trying something quite unique.

I created a mailbox with the sole purpose of being shared. I will give everyone the username and password. No, a shared mailbox will not work for my use case.

The behavior I want: when someone signs into this account, they are then prompted with a second sign-in screen (like you see when you sign into something via SSO). That second authentication is for that user's individual account.

So basically I want someone to have to authenticate into one Outlook account through another Outlook account. Can this be done?

I feel like this can be done if you can point your Outlook to an SSO provider, and use my own Azure tenant as that provider. Maybe there's a way with MFA I cannot figure out.

Thanks

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. James Hamil 27,016 Reputation points Microsoft Employee
    2024-03-15T22:49:13.9666667+00:00

    Hi @Dani Abouhamad, while this is an interesting use case, it may not be possible to achieve exactly as you described, but we can try some things.

    Here are some options you can consider:

    1. Use Azure AD B2B collaboration: You can invite external users to your Azure AD tenant as guest users and grant them access to the shared mailbox. When they sign in to the shared mailbox, they will be prompted to authenticate using their own credentials. This is not exactly the two-step authentication process you described, but it achieves a similar result.
    2. Use Azure AD Application Proxy: You can publish the shared mailbox as an application using Azure AD Application Proxy. When users access the shared mailbox through the published application, they will be prompted to authenticate using their own credentials. This is similar to the Azure AD B2B collaboration option, but it requires more setup.
    3. Use a third-party SSO provider: You can use a third-party SSO provider like Okta or OneLogin to achieve the two-step authentication process you described. You would need to configure the shared mailbox as an application in the SSO provider and configure the individual accounts as users in the SSO provider. When users sign in to the shared mailbox, they would be redirected to the SSO provider for authentication and then redirected back to the shared mailbox. This option requires the most setup and may not be feasible depending on your requirements.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

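The guest-invitation step behind option 1 above, as an added example that is not part of the original answer: it uses the Microsoft Graph PowerShell SDK to invite a list of external addresses as Entra ID B2B guests and put each resulting guest in one security group that can then be used to scope access. The group name, the e-mail addresses and the redirect URL are placeholders. The script does not assign mailbox permissions itself; that step, and whether it is supported for guest accounts, is configured and verified separately.

```powershell
# Added example (not from the original question or answer): invite external users
# as Entra ID B2B guests and add them to one security group, as in option 1.
# Assumptions (hypothetical): the group 'Shared-Mailbox-Users' already exists,
# the addresses are placeholders, and the admin running this is granted the
# Graph scopes requested below. Requires the Microsoft Graph PowerShell SDK:
#   Install-Module Microsoft.Graph -Scope CurrentUser

$groupName   = 'Shared-Mailbox-Users'                      # hypothetical group name
$invitees    = @('alice@example.com', 'bob@example.org')   # constructed sample list
$redirectUrl = 'https://myapps.microsoft.com'              # landing page after redemption

Connect-MgGraph -Scopes 'User.Invite.All', 'User.Read.All', 'Group.Read.All', 'GroupMember.ReadWrite.All'

$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found; create it before running this." }

# Current member object IDs, so re-running the script is idempotent.
$existing = Get-MgGroupMember -GroupId $group.Id -All | Select-Object -ExpandProperty Id

foreach ($email in $invitees) {
    # Reuse an existing guest object rather than sending a duplicate invitation.
    $guest = Get-MgUser -Filter "mail eq '$email'" -Property Id, Mail, UserType |
             Where-Object { $_.UserType -eq 'Guest' } |
             Select-Object -First 1

    if (-not $guest) {
        $inv = New-MgInvitation -InvitedUserEmailAddress $email `
                                -InviteRedirectUrl $redirectUrl `
                                -SendInvitationMessage:$true
        $guestId = $inv.InvitedUser.Id
        Write-Host "Invited $email as guest object $guestId"
    } else {
        $guestId = $guest.Id
        Write-Host "$email already exists as guest object $guestId"
    }

    if ($existing -contains $guestId) {
        Write-Host "  already a member of $groupName"
    } else {
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $guestId
        Write-Host "  added to $groupName"
    }
}
```

Each guest signs in with their own home-tenant credentials when redeeming the invitation, which is what gives the per-person attribution the question is after; whatever the group is then granted is scoped to those individual identities rather than to one shared password.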
