MFA for an account that is converted to a shared account

Max Stewart 1 Reputation point
2021-02-27T21:52:36.48+00:00

If a Microsoft 365 Business individual account that has MFA enabled is converted to a shared account, does the shared account inherit the MFA settings (are they technically still operable on the ‘anchor’ account from which it came)?
And since:
Admin Center => Org Settings => Multi-factor authentication => Configure Multi-factor authentication
lists shared accounts as well as individual accounts, how is a shared account used with MFA since its automatic and hidden password is never used to log on (i.e. the linked individual accounts log on with MFA instead)?

Microsoft Entra ID

2 answers

  1. James Westall 161 Reputation points
    2021-02-28T02:27:50.703+00:00

    Hey @Max Stewart

    Assuming you are referencing shared mailboxes here.

    Exchange needs to store data about the mailbox in question and has always used Azure AD / AD DS to do this via attributes.
    As such, you technically can log into these mailboxes, and this is sometimes a requirement for services to integrate with your mail service.
    Logging in like so isn't a desired scenario, and application of MFA should occur against the user account that is accessing the shared mailbox.

    From the About Shared mailboxes page:

    "A shared mailbox is not intended for direct sign-in by its associated user account. You should always block sign-in for the shared mailbox account and keep it blocked."

    See the following links for more detail:

    Block Sign-in for the shared mailbox account

    Shared Mailbox enabled & login enabled

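The check James's answer points at, written out as an added example (this script is not from the thread or from Microsoft's documentation): list every shared mailbox in the tenant, look up whether the Entra ID account behind it still permits direct sign-in, and optionally block it. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed and that the operator holds Exchange and user-administration rights; the `-Remediate` switch is this script's own, not a module parameter.

```powershell
# Added example: audit shared mailboxes for sign-in-enabled accounts and (optionally) block them.
# Assumes ExchangeOnlineManagement and Microsoft.Graph modules; -Remediate is defined here, not by either module.
param(
    [switch]$Remediate   # report only unless this switch is given
)

Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Every shared mailbox, with the object id that links it to its Entra ID user account
$shared = Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited `
    -Properties PrimarySmtpAddress, ExternalDirectoryObjectId

# For each mailbox, read AccountEnabled on the backing account (true = direct sign-in still possible)
$findings = foreach ($mbx in $shared) {
    $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId -Property Id, UserPrincipalName, AccountEnabled
    [pscustomobject]@{
        Mailbox       = $mbx.PrimarySmtpAddress
        ObjectId      = $user.Id
        SignInEnabled = $user.AccountEnabled
    }
}

# Shared mailboxes whose account is not blocked are the ones the guidance says to fix
$exposed = $findings | Where-Object SignInEnabled
$exposed | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $exposed) {
        # Block sign-in on the shared mailbox's account; users keep access through their own MFA-protected accounts
        Update-MgUser -UserId $f.ObjectId -AccountEnabled:$false
        Write-Host "Blocked sign-in for $($f.Mailbox)"
    }
}
```

Run it once without `-Remediate` to see which shared mailboxes still have an enabled account, then with `-Remediate` to block them. Blocking the account does not affect delegated access: the licensed users continue to open the mailbox through their own sign-in, which is where MFA is enforced.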

  2. Max Stewart 1 Reputation point
    2021-02-28T10:11:42.533+00:00

    Thanks James.
    We have used shared mailboxes for some time but always set them up from scratch and have never converted one from an individual account that had MFA. Our users have always accessed them via their own individual MFA-enabled licensed accounts. However, since a shared-account password (without a password change by Admin) is hidden, and the logon process is transparent to the user (as in e.g. Windows Outlook where the mailbox appears as just another mailbox but one that is annexed to the user principal mailbox under 'open these additional mailboxes'), it is unclear how MFA would operate with such a mailbox since there is no overt logon to trigger an MFA event.
    The last link you sent is of particular interest - I hadn't seen that one before.
