Office365: DUO & Guest EID Mailboxes
When two-factor authentication (2FA) becomes a requirement for logging in to an email account, it will no longer be possible to log in to Guest EID mailboxes. Because of their affiliation, Guest EIDs are not eligible to register for DUO and will receive the error "Access Denied. The username you have entered cannot authenticate with Duo Security. Please contact your system administrator."
Shared resource mailboxes should be used instead of Guest EID mailboxes. Users who need access to the shared mailbox should be granted full access rights. Users who need to send as the mailbox should be granted send-as rights. Once these rights are in place, a user who needs to access a shared mailbox first logs in with his or her own EID (including performing 2FA) and then opens the shared mailbox. TSCs can manage shared mailboxes using the Office 365 Resource Admin Tool.
In addition to allowing 2FA, logging in this way provides better accountability. Since each person logs in with his or her own EID, it is easier to determine who performed a particular action while reviewing audit logs. Also, logging in this way will not interfere with Outlook’s ability to synchronize the mailbox across multiple devices.
A disadvantage of this approach is that it isn’t possible to open a shared mailbox via most mobile email clients. Exchange ActiveSync (EAS), the protocol used by most mobile clients, does not allow the same credentials to be used on more than one account. Some mobile clients use Exchange Web Services (EWS) rather than EAS, and EWS itself does not have this limitation, but all such clients tested by ITS nevertheless enforce this restriction. However, Outlook Web App works on mobile devices and can be used to access shared mailboxes.
Finally, it is worth pointing out that having multiple people share credentials for a single EID, guest or otherwise, is against university policy. ITS Systems has been working to eliminate all mailboxes based on guest EIDs for precisely this reason.
If you have mailboxes based on guest EIDs, please contact the ITS email team at firstname.lastname@example.org to arrange to have them converted to shared resource mailboxes or to discuss other alternatives. We are finalizing a process to automate the conversion and hope to have something in place very soon.