
How to share accounts with Microsoft Entra ID (formerly Azure Active Directory)

In Microsoft Entra ID, organizations may occasionally need to use a single set of credentials for multiple users. This scenario can arise when creating multi-user environments or when users access applications, such as corporate social media accounts, that require a unique sign-in. Typically, these accounts are shared by distributing credentials to authorized individuals or storing them in a shared location accessible to trusted agents.

This approach has several disadvantages:

  • Enabling access to new applications requires distributing credentials to all individuals requiring access.
  • Each shared application typically demands its own unique set of shared credentials, so users need to remember multiple sets of credentials, which increases the risk of unsafe practices like writing down passwords.
  • Tracking who has access to or has accessed an application becomes challenging.
  • When revoking access, you have to update and redistribute credentials to relevant users for that application.

To address these drawbacks, Microsoft Entra ID has introduced a new way to use shared accounts. The Microsoft Entra administrator can set up user access to applications through the Access Panel. They can then select the most suitable single sign-on method. With password-based single sign-on, Microsoft Entra ID acts as a "broker" during the application's sign-on process.

Users can sign in once using the organizational account that they use to access their desktop or email. They can view and access only the applications that they are assigned to. Using shared accounts allows for a variety of shared credentials to be included in this list of applications. This relieves the end user from the burden of remembering the numerous accounts that they may be using.

Shared accounts not only increase oversight and improve usability, they also improve your security, because users granted permission to use the credentials do not directly view the shared password. Instead, they receive authorization to use the password within a coordinated authentication process. Additionally, certain password SSO applications offer the choice to use Microsoft Entra ID for periodic password updates, enhancing account security with large, complex passwords. Administrators can efficiently manage access to applications, track users with account access, and monitor past access activities.

Microsoft Entra ID facilitates shared accounts for all password single sign-on applications, available with any Enterprise Mobility Suite (EMS) or Microsoft Entra ID P1/P2 license plan. This includes enabling shared accounts for a multitude of pre-integrated applications in the application gallery. It also offers the flexibility to integrate custom password-authenticating applications through personalized SSO apps.

Microsoft Entra features that enable account sharing are:

  • Password single sign-on
  • Password single sign-on agent
  • Group assignment
  • Custom Password apps
  • App usage dashboard/reports
  • End-user access portals
  • App proxy
  • Azure Marketplace

To use Microsoft Entra ID to share an account:

  • Add an application from the app gallery or a custom application.
  • Configure the application for password SSO.
  • Use group-based assignments and select the option to enter a shared credential.
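Once a shared credential is assigned through groups, the list of people who can use it is determined by group membership, so that is what an access review has to resolve. The following is an added example, not part of the original article or any vendor tooling: it takes constructed sample data shaped like Microsoft Graph `appRoleAssignedTo` and group `members` responses and reports who effectively holds the shared account. The helper name, IDs and display names are hypothetical.

```python
import json

# Constructed sample data shaped like Microsoft Graph responses (not real tenant data).
# Assignments on the app's service principal (GET /servicePrincipals/{id}/appRoleAssignedTo):
ASSIGNMENTS = json.loads("""[
  {"principalType": "Group", "principalId": "g-social", "principalDisplayName": "Social Media Team"},
  {"principalType": "User", "principalId": "u-dana", "principalDisplayName": "Dana"}
]""")
# Direct members of each assigned group (GET /groups/{id}/members):
GROUP_MEMBERS = {"g-social": [
    {"@odata.type": "#microsoft.graph.user", "id": "u-alex", "displayName": "Alex"},
    {"@odata.type": "#microsoft.graph.user", "id": "u-dana", "displayName": "Dana"},
    {"@odata.type": "#microsoft.graph.group", "id": "g-interns", "displayName": "Interns"},
]}


def effective_access(assignments, group_members):
    """Hypothetical helper: map each user id to the paths that grant the shared account."""
    access, findings = {}, []
    for a in assignments:
        if a["principalType"] == "User":
            access.setdefault(a["principalId"], set()).add("direct")
            findings.append("direct user assignment, not governed by group membership: "
                            + a["principalDisplayName"])
        elif a["principalType"] == "Group":
            for m in group_members.get(a["principalId"], []):
                kind = m["@odata.type"].rsplit(".", 1)[-1]
                if kind == "user":
                    access.setdefault(m["id"], set()).add("group:" + a["principalId"])
                elif kind == "group":
                    # App assignments do not cascade to nested groups, so these
                    # members get no access even if the owner expects them to.
                    findings.append("nested group grants no access: " + m["displayName"])
    return {uid: sorted(paths) for uid, paths in access.items()}, findings


if __name__ == "__main__":
    users, notes = effective_access(ASSIGNMENTS, GROUP_MEMBERS)
    for uid, paths in sorted(users.items()):
        print(uid, paths)
    for n in notes:
        print("REVIEW:", n)
```

A user who appears with both a `direct` and a `group:` path keeps the shared account after being removed from the group, which is the case to look for when revoking access.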

About M365 Manager Plus

ManageEngine M365 Manager Plus is a Microsoft 365 reporting, auditing, management and monitoring tool. With M365 Manager Plus, you can:

  • Enhance your comprehension of Microsoft services using user-friendly reports, easily scheduled, exported, and emailed from a unified console.
  • Track all user and admin activities within your Microsoft 365 environment through detailed audit reports.
  • Efficiently manage tasks such as bulk user creation, deletion, and password resets, and automate them for time and labor savings.
  • Empower technicians with delegated tasks without requiring elevated native privileges.
  • Ensure constant monitoring of your organization's health and performance around the clock.
  • Reduce the administrator workload by delegating custom roles to help desk technicians.
