How do baseline MFA polices affect service mailboxes?
I have mulitple mailboxes setup for services (security reports, helpdesk tickets, etc). How are they going to be affected by baseline polices? Do I have to setup app passwords for each of them? Two of the mailboxes are tied into my desktop Outlook client.
After attending one of their webinars on the subject there is one other option, although still not great.
Technically an account that has never done an interactive authentication is treated as a 'service account' according to MS.
The one's you have signed into, like the ones connected to Outlook are already out of luck.
But if you have some that are just mail-relay's that never need to be directly logged into and just need to pass mail back and forth, those should be ignored by the site-wide MFA enforcement.
Technically this is how Azure AD sync works from a local domain up to O365 - and how it is able to keep working despite MFA/login enforcements.
So any that you have logged into but you could go without forver forward, likely means you would need to recreate them. But, at least in our case, that'd be a worthile tradeoff in some scenerios, not all, but its a start.
If you are using the baseline policies from the conditional access screen then App-Passwords won't work. You need to set-up MFA per user and then create the App-Password for it to function.
I'm not having alot of luck with it myself for a similar setup but I believe it depends on how the client authentication is made. If Modern Authentication is forced then I think app-passwords won't work either.
I'm not sure if it's related but I was looking around for a workaround and I came upon Apps doing basic authentication against 'outlook.office365.com' so I was hopeful I could get the App-Passwords to work with that however it seems this will stop working as well in 2020...