How to Handle MFA for a Shared Microsoft Account?

Asked By TechWhisperer88 On

We're managing a Microsoft shared account that's accessed by several users on different workstations, and we're trying to improve security by implementing Multi-Factor Authentication (MFA). Currently, MFA is set up with a central phone number, and the account can bypass MFA when within an approved network, thanks to our Conditional Access policy with an IP whitelist. However, individual accounts for each user aren't an option right now, and we recognize that shared accounts aren't ideal. We bought YubiKeys to enhance security, but each Microsoft account can only handle 10 YubiKeys, which won't be enough for all our workstations. Our idea now is to create duplicate accounts to pair with individual YubiKeys, but we're aware this will cause issues—like syncing emails, OneDrive, and other essential features. The users are not tech-savvy and have been accustomed to the current method for years, making change difficult. We need advice on how to implement the best security measures without causing too much disruption, given the limitations we're facing.

1 Answer

Answered By AccountSecurityNerd On

Yeah, shared accounts in any context where there are multiple users are risky. Since this shared account situation is getting out of hand, you should really prioritize moving to individual usernames or at least secure the current shared account with tight access controls. It's crucial to think about compliance issues too—it could cause bigger problems for you later with audits and data laws.

Locksmith_101 -

Right! The legal implications can be rough if there’s a breach connected to a shared account.
