IT Professionals:
On Thursday, 9/23/2021, IU Exchange Administrators made a change to Exchange Online in preparation of the retirement of Basic Authentication in Microsoft 365 [1]. As an unintended consequence, clients may see DUO prompts for group accounts when using an email client capable of Modern Authentication, as well as an error “Access is not allowed because you are not enrolled.” [2]
A full rollback of the change is not feasible and would cause greater disruption. Administrators have implemented a partial exemption to give Exchange Online users more time to adjust their usage of Exchange Online. This exemption covers any group account that has not been enrolled in DUO.
For any group account that has been enrolled in Duo, clients should authenticate using DUO when prompted. If an account has DUO configured but an individual is not registered with DUO for that account, they should reach out to the account owner for enrollment [3]. To resolve the “you are not enrolled” error, the account needs to be enrolled with DUO.
Modern Authentication will be required for all Exchange Online accounts starting October 1, 2021. To avoid authentication challenges, it is recommended that you consider utilizing Full Access Send-As (FASA) permissions for group account mailboxes [4]. FASA permissions allow you to authenticate to a group account leveraging your individual user account’s credentials and DUO, instead of needing the full credentials and DUO for the group account itself [5].
To request FASA permissions on a group account you may either follow the directions in the KB article [6] or follow these steps: create an AD group, populate its membership, and submit a request to SCT2@iu.edu indicating that the owner of the account wants Full Access, Send-As, or both permissions.
–IT Community Partnerships on behalf of Enterprise Microsoft Administration
[1] Basic Authentication and Exchange Online – February 2021 Update https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-february-2021-update/ba-p/2111904
[2] Status.IU: https://status.uits.iu.edu/notice/50062
[3] Account Owner Lookup: https://tools.cci.iu.edu/#/ (On-campus or VPN Connection Required)
[4] Full Access Send-As Permission Overview: https://docs.microsoft.com/en-us/exchange/recipients/mailbox-permissions?view=exchserver-2019
[5] Use Two-Step Login (Duo) with a group account: https://kb.iu.edu/d/aobp
[6] INTERNAL (itpro, uits): How IT Pros can request full mailbox and send-as permissions to an Exchange mailbox: https://kb.iu.edu/d/bdet