All articles
CybersecurityMFAMicrosoft 365

Solving Shared Account Access With Multiple MFA Methods

Regroove IT Consulting5 min read580 words

Shared accounts create a specific MFA problem that organizations frequently encounter and do not immediately know how to solve. When multiple people need to sign in to the same account, the standard MFA setup that sends a notification to one person's phone does not work. Here are the options.

The Problem With Single-Person MFA on Shared Accounts

A shared account with MFA tied to one individual's phone creates two problems. First, every time anyone needs to sign in, they must interrupt the phone owner to approve the request. Second, when that person leaves the organization or changes their phone number, MFA for the shared account breaks entirely.

The response is often to disable MFA on shared accounts, which creates a security gap. Shared accounts without MFA are an attractive target because they tend to have broad access and their sign-in activity is harder to attribute to any individual.

Option 1: Microsoft Authenticator With Multiple Registrations

The Microsoft Authenticator app allows a single account to be registered on up to five devices simultaneously. This means up to five people can each have the shared account configured in their Authenticator app and can independently approve sign-in requests.

This approach works well for small teams with consistent membership. Each person adds the shared account to their Authenticator app during setup, and any of them can approve future sign-ins without depending on one specific person.

Option 2: Multiple MFA Methods

Microsoft 365 accounts can have multiple MFA methods registered, and not all of them require a smartphone. Methods that work for shared access scenarios include:

  • Authenticator app (up to 5 devices): As described above
  • Phone call to a shared landline: A desk phone accessible to multiple team members can receive MFA calls
  • Hardware FIDO2 security key: A physical key that lives with the shared workstation or in a shared location that authorized users can access
  • Email OTP to a monitored shared mailbox: A one-time code sent to a shared mailbox that multiple people can access

The Better Long-Term Solution: Eliminate Shared Accounts

Where possible, the right answer to shared account MFA problems is to replace shared accounts with individual accounts and appropriate permission sharing. Microsoft 365 has tools for this: shared mailboxes allow multiple people to read and send from the same address without sharing a login credential, and SharePoint permissions allow access to shared resources without requiring a shared account.

Individual accounts are more secure, easier to audit, and simpler to manage when someone joins or leaves the organization. Shared accounts also make it impossible to determine which individual was responsible for a given action, which creates compliance and investigation challenges when something goes wrong.

When a shared account is genuinely necessary, registering multiple Authenticator app instances or a hardware security key provides MFA coverage that does not create a single point of failure.

Regroove IT Consulting

Microsoft Solutions Partner specializing in Managed IT Services and Modern Work, covering Microsoft 365, Teams, SharePoint, Power Platform, and Azure. Helping organizations everywhere get lasting value from their Microsoft investment since 1993.

About Regroove →

Need help with your Microsoft environment?

We work with organizations everywhere. Tell us where you are and what you're trying to solve.

Talk to Regroove