Live now: Board of Curators meeting

UM System

Resource Account Conversion to Shared Accounts

What's happening to Resource Accounts?

 

A resource account is an identity assigned to a department as required for a specific business function or task that does not meet the criteria for a service, person, admin or guest identity affiliation.  

Resource accounts allow multiple users to login with the same user ID and password.  Since this practice is a security risk, all resource accounts are being converted to shared accounts.

Upon creation, shared accounts include the user IDs of the users that need access to the account.  Shared accounts are more secure since users do not need to login or share login information.  This solution allows users to be added or deleted from shared accounts more easily.

For shared accounts enabled for Zoom and other applications:

  • Users sign in once with their organizational account. This account is the same one they regularly use to access their desktop or email.
  • Users can discover and access only those applications that they are assigned to. 
  • Using email addresses, a list of applications can include any number of shared credentials with shared accounts.

Enabled shared accounts will be setup with Multi-factor Authentication (MFA) and CANNOT be disabled.  

Multi-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan.

Each user who needs access to the enabled shared account will have to use the Microsoft Authenticator application or a key generator device (like Yubikey) to access the account. There can only be two phone numbers on the account, so any other devices will have to use the authenticator application.

If you need a shared account enabled for applications, you will need to contact your IT Pro.

For step by step instructions, check out these tutorials on Microsoft Stream:

Adding other devices for authentication

Mobile App:

The following application can be downloaded from your device’s application store:

**The easiest way to register the mobile app is by using your computer as well as your mobile device. **

  • Apple: Microsoft Authentication
  • Android: Microsoft Authentication
  • Blackberry: Microsoft Authentication

To use the app, follow these instructions:

  1. Download and follow prompts on the installer. Note: In order to use some of the authorization features, you must have your notifications enabled for the application on your device.
  2. Click Add Account
  3. Select Work or School Account - This will ask to allow the use of your camera so it may scan a QR code
  4. Go to https://mysignins.microsoft.com or Manage MFA Settings tile
  5. Select + Add Method
  6. Choose Authenticator App
  7. Select Confirm
  8. It will prompt to set up your account - Select Next
  9. The QR code should appear on the screen where you can scan it from the app
  • If you cannot scan the image you can select "Can't scan image" below the QR code which will show you a URL you will need to enter on the app.
  • Once the code is scanned click "Next" on your computer
  • The computer will send a notification to your mobile device - Select Approve
  • If you'd like your app to be default method choose "Change" next to Defaul Sign-in Method to Microsoft Authenticator - Notification
  • Enter the passcode you received and click submit

Security Keys

A security key is a device that works with Microsoft as another form of identity verification. 

Security keys can be purchased from multiple sources. Please review FIDO2 Security key providers at (https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys) to view compatible devices. 

Setup:

If you need additional assistance, please contact your IT Tech Support team.

  1. Go to https://mysignins.microsoft.com or Manage MFA Settings tile
  2. Select + Add Method
  3. Choose Security Key
  4. Follow the instruction prompts for setup
  5. If you'd like your app to be the default method choose "Change" next to Default Sign-in Method to Security Key
 

Adding Shared Account to Outlook

Desktop:

Windows Outlook:

  1. Click “File”
  2. Select “Account Settings”
  3. Proceed to Account Settings
  4. Double click on user’s email
    • or highlight and select Change
  5. Click “More Settings”
  6. Select “Advanced Tab”
  7. Choose “Add”
  8. Enter shared email address
    • You may be able to add with display name
  9. Restart Outlook

**Apple Mail and Gmail do NOT support shared mailboxes. It requires IMAP which is disabled by default and will not be enabled. So if the user would like to have all mailboxes in one place they will need to use Outlook.**

getting to account settings

 

 

adding email account settings

 

Mac Outlook:

  1. Click File”
  2. Select “Open”
  3. Choose “Other User’s Folder...”
  4. Type in Email Address / search for it
  5. Select “Open”
    • It will check permissions and then add it to the Outlook client. It may need to be restarted first.

 

mac file open

  

umsystem adding mac

mac folders

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Webmail (switching to a shared mailbox): Users who use webmail can access shared accounts however, it can only have one mailbox open at a time. It will open the shared mailbox in a new tab.

  1. Click the profile icon in the top right-hand corner
  2. Select “open another mailbox”
  3. Search for mailbox
  4. Choose “Open”
    1. This will bring up the shared mailbox as long as the user has permissions.

**Apple Mail and Gmail do NOT support shared mailboxes. It requires IMAP which is disabled by default and will not be enabled. So if the user would like to have all mailboxes in one place they will need to use Outlook.**

 

open another mailbox webmail

 

 

type in mailbox webmail

 

 

 

 

**The Outlook view on the shared calendar my be in thread view. It shows all the emails under a mass sent email. If a user would like to see it normally, they can turn it off by going to Settings (Gear Icon in top right-hand corner) > Conversation view – Off

 

settings webmail

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Mobile Devices: Outlook is the only app that will support shared accounts

iOS and Android Outlook:

  1. Open Outlook
  2. Select “Inbox”
    •  The little house or it may just have a letter in the circle
  3. Add mailbox
    • Envelope with plus sign on it
  4. Select “Add Shared Mailbox”
  5. Select the User’s University Email
    • Or the email that has the permissions to view the shared account
  6. Enter Shared Email Address
    • It will now show up on the left-hand side on the inbox menu if they want to look at it individually./li>

**Apple Mail and Gmail do NOT support shared mailboxes. It requires IMAP which is disabled by default and will not be enabled. So if the user would like to have all mailboxes in one place they will need to use Outlook.**

inbox mobile

 

mailbox list mobile

 

add shared mailbox mobile

 

 

add the mailbox mobile

 

sharemailbox@umsystem.edu

 

Each mailbox has its own circle. They can view the emails in each account by selecting which email they would like.

 

mobile list bubbles

 

collapsed mobile

 

 **If you add a shared account and you view it, it may look weird. There are times when it shows just ‘one’ email and you have to click on it to show the whole inbox. The number on the right side shows how many emails are in there. This is due to a view setting within Outlook. It is nested in the thread and will need to be changed if the user does not like this format **

 

***You can fix this threaded view by going to Settings and uncheck Organize By Thread

settings mobile mobile thread

 

 

Reviewed 2022-04-18