Azure Active Directory (Azure AD) B2B guest users offer a convenient way to grant access to external users without adding them to your core directory. However, ensuring secure authentication for these guests is crucial. One-time passcode (OTP) authentication provides a simple and secure method for B2B guest user access.
OTP Authentication for B2B Guests
When a guest user attempts to sign in and cannot be authenticated through another means (such as a Microsoft account or a federated identity provider), they can use OTP. Here’s how it works:
- Invitation and access request: The host organization invites the external user to access a resource (e.g., SharePoint site, Teams collaboration).
- OTP delivery: If the guest user doesn’t have an existing authentication method, the Azure AD system sends a one-time passcode to their registered email address.
- Passcode verification: The guest user retrieves the passcode from their email and enters it on the Azure AD sign-in page.
- Resource access: Upon successful verification, the guest user gains access to the designated resource.
Benefits of OTP authentication
- Enhanced security: OTP adds an extra layer of security by requiring a temporary code in addition to the email address. This reduces the risk of unauthorized access attempts, even if a guest user’s email credentials are compromised.
- Simplified access: OTP eliminates the need for guest users to create new accounts or manage additional credentials for your organization.
- Reduced administrative overhead: OTP authentication minimizes the need to manage individual guest user accounts.
Enabling OTP for B2B Guests
OTP authentication is enabled by default for all new Azure AD users, and for existing users unless it has been explicitly disabled. You can confirm or change this setting through the Microsoft Entra admin center:
- Sign in with a security administrator account.
- Navigate to Identity > External Identities > All identity providers.
- Select Email one-time passcode.
- Choose Yes under Email one-time passcode for guests to ensure the feature remains active.
Note: Even with OTP enabled, guest users with existing authentication methods (Microsoft account, social identity provider) will not be prompted for a passcode. OTP serves as a backup for scenarios where other methods are unavailable.
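The same setting can be audited outside the portal. The script below is an added example, not code from the original article or from Microsoft: it evaluates the tenant-wide guest OTP state and builds the read-only remediation payload an admin would review. It assumes the Microsoft Graph email authentication-method configuration exposes the allowExternalIdToUseEmailOtp property (default, enabled or disabled), treats default as enabled per the article, and expects a bearer token with Policy.Read.All in the GRAPH_TOKEN environment variable for a live query; without one it runs on a constructed sample response.

```python
"""Audit the tenant-wide email one-time passcode (OTP) setting for guests via Microsoft Graph."""
import json
import os
import urllib.request
from typing import Optional

# Assumed Graph resource for the email authentication method (v1.0).
GRAPH_EMAIL_CONFIG = ("https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"
                      "/authenticationMethodConfigurations/email")

# 'default' behaves as enabled: the feature is on unless it has been explicitly disabled.
EFFECTIVE_STATE = {"default": True, "enabled": True, "disabled": False}


def evaluate_guest_otp(config: dict) -> dict:
    """Return the effective guest-OTP state and whether an admin set it explicitly."""
    raw = str(config.get("allowExternalIdToUseEmailOtp", "default")).lower()
    if raw not in EFFECTIVE_STATE:
        raise ValueError(f"unrecognised allowExternalIdToUseEmailOtp value: {raw!r}")
    return {"raw": raw, "effective_enabled": EFFECTIVE_STATE[raw], "explicit": raw != "default"}


def remediation_patch(config: dict) -> Optional[dict]:
    """PATCH body that would re-enable guest OTP when it is disabled; None when nothing to do."""
    if evaluate_guest_otp(config)["effective_enabled"]:
        return None
    return {"@odata.type": "#microsoft.graph.emailAuthenticationMethodConfiguration",
            "allowExternalIdToUseEmailOtp": "enabled"}


def fetch_email_config(token: str) -> dict:
    """Live, read-only GET of the email auth-method configuration."""
    req = urllib.request.Request(GRAPH_EMAIL_CONFIG, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample response, shaped like the Graph object, for offline runs.
SAMPLE_DISABLED = {"@odata.type": "#microsoft.graph.emailAuthenticationMethodConfiguration",
                   "id": "Email", "state": "enabled", "allowExternalIdToUseEmailOtp": "disabled"}

if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    cfg = fetch_email_config(token) if token else SAMPLE_DISABLED
    print(json.dumps(evaluate_guest_otp(cfg), indent=2))
    print("remediation:", json.dumps(remediation_patch(cfg)))
```

The script never writes to the tenant; applying the returned PATCH body is a separate, deliberate step after review.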
Configuring OTP behavior (Optional)
Although OTP is enabled by default, you have some control over its behavior:
- Automatic vs. Manual enablement: You can choose to automatically enable OTP for all guest users from the moment they accept their invitation, or you can set a specific date for activation.
- Customizable email templates: You can customize the pre-built email templates to include your organization’s branding and any additional information for the guest user.
To configure these settings, follow the steps mentioned above to access the email one-time passcode settings.