Email One-Time Passcodes for Azure Active Directory

Easing Azure B2B Collaboration with Passcodes

Announced yesterday in preview, email one-time passcodes (OTP) expand the range of authentication mechanisms available for Azure Active Directory guest accounts. Today, when you invite someone from outside your tenant to access a resource or application, Azure Active Directory issues that person with an invitation. When they redeem the invitation, they must create a Microsoft account to authenticate, unless they already have an Azure Active Directory account (for instance, in another Office 365 tenant), a Microsoft account (for instance, in Outlook.com), or they have a Google account and the tenant supports Google as an identity provider.

Creating a Microsoft account isn’t a big deal, but the person redeeming the invitation might consider it unnecessary as they already have an account. Given the profusion of accounts needed to access internet sites, creating another that is only ever used to access resources in your tenant could be seen as a burden. OTP removes the issue by allowing the invitee to redeem the invitation and access the resource in your tenant without having to create a Microsoft account. The experience is more seamless because the invitee continues to use their normal account.

Blocking Unwanted Sharing

Microsoft says that OTPs open up collaboration to anyone who has an email address. You might not want users to share with just anyone, so remember that you can configure blocked domains in the Azure B2B Collaboration policy. And of course, you can use conditional access policies to control how guest users access content.

Setting Up OTP

Setting up a tenant to support OTP involves updating the Azure B2B Management policy with PowerShell. Connect to Azure AD and paste the commands listed in the documentation into the command window to update the policy. Give Azure AD a couple of minutes to refresh and make the updated policy effective. Afterwards, any invitation generated to an email address that can’t be matched against an Azure AD instance, an MSA domain (like live.com), or Google (if configured) will use an OTP.

When the recipient redeems the invitation and connects to your tenant to access a resource, they are told that a code will be used to sign them in. The code is generated, sent to their email address, and then entered on a challenge screen to authenticate the user.

The “OTP code will be sent” prompt, and the one-time passcode generated by Azure Active Directory as seen by the recipient.

Authentication for a Day

Authentication granted through an email OTP lasts 24 hours. The idea is that users must be able to prove their identity to continue to access your resources, and they do this by entering the OTP sent to their mailbox whenever authentication is necessary.

During the 24-hour authentication period, the user’s access is as if they had authenticated by signing in. They are not prompted to reauthenticate if they move between applications and resources in a browser session.

Guest Accounts Still Needed

An external user who authenticates with OTPs still needs a guest account in your tenant. The difference is that instead of being marked as having its source as “External Azure Active Directory” or “Microsoft Account,” the source is OTP. You can see this information in the Azure Active Directory portal.

Guest account that uses OTP

Unfortunately, I can’t find anything in the properties returned by Get-AzureADUser to be able to highlight OTP guests through PowerShell.

Using OTP with Office 365 Applications

External access to Office 365 applications like Groups, Teams, and Planner has driven the use of Azure Active Directory guest accounts in many tenants. You can’t use OTP authentication for these applications today, and you will see sign-in errors about “no tenant-identifying information” if you try.

Can’t use OTP to sign into Teams

Microsoft explains this in their documentation by noting that “one-time passcode users must sign in using a link that includes the tenant context, for example https://myapps.microsoft.com/?tenantid=<tenant id>”. Like any new feature (especially one in preview), it takes time for production applications to catch up and support it. Teams will have to update its code to deal with desktop and mobile applications as well as browsers, while Planner needs to update its sign-in process and links to support OTP guests.

Sharing with SharePoint

In testing OTP, I was able to use an account authenticated with OTP to access documents shared with the account from SharePoint Online or OneDrive for Business, which seem to include some tenant context in their URLs. Likewise, I was able to access the document library belonging to an Office 365 group when the account using OTP was added as a member of the group. However, the success was transient. The links depend on the client already being authenticated in the tenant; if that is the case, the guest can open documents shared with them. The problem is that the passcode expires after a day. If the user then tries to reuse a sharing link, they won’t be able to access the document because they are no longer authenticated, and there doesn’t seem to be a way to force Office 365 to regenerate a passcode to regain access. Microsoft’s Maria Lai says in a comment to the announcement that OTP “will replace the one-time passcode sent in SharePoint soon.” I don’t know when the replacement will happen, but the delay is likely to allow SharePoint Online to include some code to send passcodes to people when their tokens expire.
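To make the passcode life cycle described above concrete (the tenant-context requirement, a single-use code, the 24-hour session, and a sharing link that stops working a day later), here is a constructed Python model added for this post; it is not Microsoft’s code. The OtpTenant class, the 30-minute validity window for an unused code, the tenant id and the guest address are all assumptions, and the final steps show the re-challenge on expiry that the post expects SharePoint to add.

```python
import hmac
import secrets

SESSION_TTL = 24 * 3600   # seconds: the post says an email OTP sign-in lasts 24 hours
CODE_TTL = 30 * 60        # seconds: assumed validity window for an unused passcode

class OtpTenant:
    def __init__(self, tenant_id):
        self.tenant_id = tenant_id
        self.pending = {}    # guest email -> (code, issued_at); a new code replaces an old one
        self.sessions = {}   # guest email -> session expiry time

    def send_code(self, email, now):
        """Generate a fresh 8-digit passcode; in the real flow it is only ever emailed."""
        code = f"{secrets.randbelow(10 ** 8):08d}"
        self.pending[email] = (code, now)
        return code

    def redeem(self, email, code, tenant_id, now):
        """The challenge screen: needs tenant context, a live unused code and a match."""
        if tenant_id != self.tenant_id:
            return "no tenant-identifying information"   # the Teams/Planner sign-in error
        entry = self.pending.get(email)
        if entry is None or now - entry[1] > CODE_TTL:
            return "code expired or already used"
        if not hmac.compare_digest(entry[0], code):
            return "wrong code"
        del self.pending[email]                          # a passcode is single use
        self.sessions[email] = now + SESSION_TTL
        return "authenticated"

    def open_sharing_link(self, email, now):
        """A sharing link only opens inside a live session, as observed in the post."""
        expiry = self.sessions.get(email)
        if expiry is None or now >= expiry:
            self.sessions.pop(email, None)
            return "reauthentication required"
        return "document opened"

def run_scenario():
    """Walk one guest through the post's timeline; returns each outcome in order."""
    t, guest, day = OtpTenant("tenant-a"), "guest@example.com", 24 * 3600
    code = t.send_code(guest, 0)
    return (t.redeem(guest, code, None, 0),             # link without a tenant id
            t.redeem(guest, code, "tenant-a", 0),       # correct challenge
            t.redeem(guest, code, "tenant-a", 60),      # replay of the used code
            t.open_sharing_link(guest, day - 3600),     # inside the 24-hour window
            t.open_sharing_link(guest, day),            # a day later: the link fails
            t.redeem(guest, t.send_code(guest, day), "tenant-a", day),  # fresh code restores access
            t.open_sharing_link(guest, day + 60))
```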

As guests communicate with other members in an Office 365 group via email, the fact that they can access the group’s document library might make it seem that Outlook groups support OTP. However, as noted above, access to the document library only lasts for the lifetime of an authentication token. So Outlook groups will need the work done by SharePoint before they can support OTP access for guest users.

One-time Passcodes and Office 365

I’m not sure how important OTP will be for Office 365. Obviously, Office 365 has a set of applications which support external access that need to be updated for OTP, but when access is considered for someone outside the company, those controlling the resources might prefer to use another authentication method. We’ll see in time. Meantime, if you do use OTP and need to switch a guest to another authentication method, remember that this is only possible by removing the guest account and reissuing an invitation.


We cover how to manage guest user accounts in Chapter 12 of the Office 365 for IT Pros eBook. We’ll update that section when the Office 365 apps support OTP authentication.


6 Replies to “Email One-Time Passcodes for Azure Active Directory”

  1. Thanks for your coverage above, Tony. PowerShell is definitely an option for opting into the preview, but there is a UI button you can click too 😉

    What did you think about this line in the documentation you linked to – “When a user redeems a one-time passcode and later obtains an MSA, Azure AD account, or other federated account, they’ll continue to be authenticated using a one-time passcode. If you want to update their authentication method, you can delete their guest user account and reinvite them.” I would prefer a more self-healing / self-updating approach as identity accounts change for the guest user over time.

    1. I’d prefer a self-healing mode too… and as I noted earlier, this is the kind of thing that will probably happen as Microsoft moves towards general availability.

  2. The other thing I found “interesting” is this line in the email with the account verification code: “If you didn’t request a code, you can ignore this email.” Well, actually, if you didn’t request a code, someone else has gained access to an invitation that was destined for you, and has used that invitation to attempt to log into a specific resource using your identity. If you didn’t request it, and that flow has happened, you should be VERY concerned about account credential compromise, etc.

    1. This is a preview and you point to the kind of details that Microsoft need to smoothen and improve as they drive towards general availability.
