I'm facing a challenge with an external organization we're working with that requires multi-factor authentication (MFA) via email for logging in. While it works smoothly for our internal team, we have a subcontractor who manages this task after hours. Right now, it's just one person, but it could expand later. The catch is that the external organization only sends MFA codes to our domain, which means our subcontractor can't use their company email for access. This subcontractor only needs to receive these codes and won't be sending emails from our domain.
I initially thought about using Exchange Online Plan 1, Entra ID Plan 1, and Defender for Office Plan 1 to ensure email protection and conditional access with MFA, but that seems a bit overboard just to receive an MFA code.
I'm exploring options like:
- Setting up a forwarding rule from mfa@externalorganization to subcontractor@mydomain and then to subcontractor@theirdomain.
- Creating a shared mailbox to collect emails sent to subcontractor@mydomain, which could later forward those to subcontractor@theirdomain.
- Adding a contact in Exchange for subcontractor@theirdomain and linking it to subcontractor@mydomain.
Has anyone dealt with something similar and have suggestions for a more efficient solution?
5 Answers
I think a forwarding rule or a shared mailbox is your best bet. A forwarding rule can be set up quickly, but it might become hard to manage if your team grows. A shared mailbox may have a higher initial cost, but it’s much easier to audit and manage down the line. You can revoke access anytime through the admin portal, which is a plus. Just keep in mind that if your subcontractor ever needs to reply to tickets, a distribution list might not cut it since they wouldn't be able to send emails from your domain.
That method should definitely still work! Check this link on forwarding Office 365 emails to external addresses without a mailbox, if you need a guide: https://4it.com.au/kb/article/how-to-forward-office-365-email-address-to-external-address-without-a-mailbox/. I haven’t tested it in a while, but it might be helpful!
Creating a distribution group sounds like a solid plan. You can add your subcontractor as a contact in that group, allowing them to use it for MFA emails. This setup makes it easy to add more users in the future if needed, especially if they share access to certain tools with others.
One effective approach would be to create a distribution list with just your subcontractor as the recipient. Make sure it can receive external mail and create a contact for the contractor's email. This way, you can add more subcontractors in the future if needed. Setting up a shared mailbox might seem tempting, but it could actually complicate things unnecessarily since you won’t need to retain those emails. Plus, it helps you avoid the hassle of M365's rules against external forwarding. This method is common practice among MSPs for managing third-party apps without extra licensing issues.
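The distribution-group-plus-mail-contact setup described in the answer above, written out as Exchange Online PowerShell so the steps (and the one deliberately loosened setting) are visible. This is an added example, not code from the thread; the addresses `subcontractor@theirdomain`, `subcontractor@mydomain` and `mfa@externalorganization` are the placeholders from the question and the group and rule names are assumed.

```powershell
# Added example: implements the answer's recipe with the ExchangeOnlineManagement module.
# All display names, aliases and addresses are assumed placeholders.
Connect-ExchangeOnline

$contractorExternal = 'subcontractor@theirdomain'    # contractor's own mailbox (assumed)
$groupAddress       = 'subcontractor@mydomain'       # address the external org sends codes to (assumed)
$mfaSender          = 'mfa@externalorganization'     # address the codes come from (assumed)

# 1. Mail contact for the contractor's external address: no licence, no mailbox,
#    and nothing that lets them send as your domain.
New-MailContact -Name 'Subcontractor (after-hours)' -ExternalEmailAddress $contractorExternal

# 2. Distribution group on your domain whose only member is that contact.
New-DistributionGroup -Name 'MFA codes - subcontractor' -Alias 'subcontractor' `
    -PrimarySmtpAddress $groupAddress -Type Distribution
Add-DistributionGroupMember -Identity $groupAddress -Member $contractorExternal

# 3. The external organisation is an unauthenticated sender, so the default
#    "authenticated senders only" protection must be switched off for this group.
Set-DistributionGroup -Identity $groupAddress -RequireSenderAuthenticationEnabled $false

# 4. Step 3 makes the group reachable from the whole internet. Narrow it back down with a
#    mail flow rule that rejects anything not from the expected sender address.
$senderPattern = '^' + [regex]::Escape($mfaSender) + '$'
New-TransportRule -Name 'Only MFA sender may reach subcontractor group' `
    -SentTo $groupAddress `
    -ExceptIfFromAddressMatchesPatterns $senderPattern `
    -RejectMessageReasonText 'This address only accepts MFA codes from the authorised sender.'

# 5. Verify membership and the loosened setting so the change can be audited later.
Get-DistributionGroupMember -Identity $groupAddress | Select-Object Name, PrimarySmtpAddress
Get-DistributionGroup -Identity $groupAddress | Select-Object Name, RequireSenderAuthenticationEnabled
```

Step 4 only matches the sender address as presented; spoofing of that address is still caught (or not) by your SPF/DKIM/DMARC evaluation in the anti-spam policy, so keep that in place. Offboarding the contractor is `Remove-DistributionGroupMember` plus `Remove-MailContact`, which is the easy revocation the earlier answer was after.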
You might want to consider establishing a B2B trust that recognizes their MFA as a valid authentication method. This can simplify the process and bypass the additional MFA prompt that your subcontractor is running into. It's a good solution to explore!

Absolutely, that one-off relay tactic is a game changer! It's so simple and clean.