Organizational Microsoft 365 accounts and Duo multi-factor authentication
Multi-factor authentication (MFA) grants you access only after you successfully present two or more pieces of evidence to validate your identity. On occasion, an org account may also be a shared account. This applies to both NetID-based mailboxes and Exchange-only mailboxes.
Shared Account with Delegated Permissions
If permissions have been delegated, there is no change. You and other delegated users accessing the shared resource would satisfy Duo requirements as you normally would with your primary account. Examples of shared accounts with delegated permissions are mailboxes with full-access, send-as, or send-on-behalf permissions.
Shared Account with Shared Credentials
In a shared account with shared credentials, multiple users access the account with the same login information. This is not recommended, and it is more complicated. In this scenario, after Duo multi-factor authentication has been applied to the shared account, the first person to use the account would go through the Duo registration process and add a phone number, device, etc. Subsequent users needing to access the account with the same credentials would need to coordinate with the first user to have an additional phone number or device added to Duo (currently limited to 100 devices). After the initial configuration of each user's details, they would need to be sure to choose their own device from the Device drop-down when authenticating.
Removing a phone number when someone leaves
When you need to remove a phone number/device from a shared account protected by Duo, anyone with current access to the shared account can make these changes in Duo by selecting Settings & Devices.