Shared accounts create a specific MFA problem that organizations frequently encounter and do not immediately know how to solve. When multiple people need to sign in to the same account, the standard MFA setup that sends a notification to one person's phone does not work. Here are the options.
The Problem With Single-Person MFA on Shared Accounts
A shared account with MFA tied to one individual's phone creates two problems. First, every time anyone needs to sign in, they must interrupt the phone owner to approve the request. Second, when that person leaves the organization or changes their phone number, MFA for the shared account breaks entirely.
The response is often to disable MFA on shared accounts, which creates a security gap. Shared accounts without MFA are an attractive target because they tend to have broad access and their sign-in activity is harder to attribute to any individual.
Option 1: Microsoft Authenticator With Multiple Registrations
The Microsoft Authenticator app allows a single account to be registered on up to five devices simultaneously. This means up to five people can each have the shared account configured in their Authenticator app and can independently approve sign-in requests.
This approach works well for small teams with consistent membership. Each person adds the shared account to their Authenticator app during setup, and any of them can approve future sign-ins without depending on one specific person.
Option 2: Multiple MFA Methods
Microsoft 365 accounts can have multiple MFA methods registered, and not all of them require a smartphone. Methods that work for shared access scenarios include:
- Authenticator app (up to 5 devices): As described above
- Phone call to a shared landline: A desk phone accessible to multiple team members can receive MFA calls
- Hardware FIDO2 security key: A physical key that lives with the shared workstation or in a shared location that authorized users can access
- Email OTP to a monitored shared mailbox: A one-time code sent to a shared mailbox that multiple people can access
The Better Long-Term Solution: Eliminate Shared Accounts
Where possible, the right answer to shared account MFA problems is to replace shared accounts with individual accounts and appropriate permission sharing. Microsoft 365 has tools for this: shared mailboxes allow multiple people to read and send from the same address without sharing a login credential, and SharePoint permissions allow access to shared resources without requiring a shared account.
Individual accounts are more secure, easier to audit, and simpler to manage when someone joins or leaves the organization. Shared accounts also make it impossible to determine which individual was responsible for a given action, which creates compliance and investigation challenges when something goes wrong.
When a shared account is genuinely necessary, registering multiple Authenticator app instances or a hardware security key provides MFA coverage that does not create a single point of failure.
