IT Services - Support IT's Guide to Multi Factor Authentication: Role Accounts

Overview

As part of UC San Diego's plan to meet the UC systemwide cybersecurity investment initiative, multi-factor authentication (MFA) will be required to role accounts starting February25,2025. This includes both accounts identified as role accounts in MailUPD (Affiliation: A) and ad hoc accounts created in Active Directory.

This requirement is being put in place to comply with the Secure Connect Program objective of ensuring that 100% of mail-enabled accounts are protected by MFA. This will impact SSO authentication using Active Directory and ADFS authentication. It will be enforced on all accounts and affiliations. For ADFS authentications, DUO has been mandated since the last ADFS farm upgrade completed over a year ago.

Critical Concepts

There are 3 different ways a role account may be used:

Accounts Used for Shared Mailboxes: Sharing credentials is disallowed by policy (UC San Diego IT Resources Acceptable Use Policy - Policy Statement 2.d) and will no longer be feasible once MFA is enforced. These accounts must transition to delegated access in the Exchange or Gmail environment. For assistance setting this up, please contact the Messaging Team at support@ucsd.edu.
Accounts Used for System/Service access to mailboxes: Depending on the system/service being used, It is possible for these types of accounts to be deprecated in favor of creating an application registration in both Entra ID (Exchange Online) and Google that can be used for programmatic access to mailboxes using a secret or a certificate. Please contact the AD Team for access to Exchange Online mailboxes or the Messaging and Collaboration team for Google mailboxes at support@ucsd.edu to set up an application registration.
Accounts Used by a Single Individual: If a role account is used by a single individual, the account must be enrolled in DUO at duo.ucsd.edu.

For Service Accounts that is not mail-enabled or cannot use MFA

Option 1: Request OAUTH tokens/credentials

Submit a ticket and let us know you need to request an OAUTH token.

Option 2: Request a DUO Bypass

Before requesting a DUO bypass, check if your account is mail-enabled. If your account is not mail-enabled, you should be switching your authentication method to OAUTH.
You can submit a ticket to request a temporary DUO bypass. In your ticket include your name and the reason for needing the bypass. This will be reviewed yearly and will need to be renewed. Upon approval, the person making the request will be listed as a sponsor in MailDB to track account ownership.

A bypass should only be requested for the following:

OAUTH is not supported/cannot be switched
You need extra time after the February 25th deadline to switch over

If you still have questions or need additional assistance, please contact the ITS Service Desk. You can call us at (858) 246-4357, email us at support@ucsd.edu, or submit a ticket at support.ucsd.edu.