External sharing of SharePoint Online and OneDrive for Business elements like documents, list items, and folders uses a technology called ad-hoc external sharing. When users share items with external recipients, SharePoint Online and OneDrive for Business use a one-time passcode to allow that person to verify their identity. A one-time passcode (OTP) is a way to authenticate the identity of people outside your Microsoft 365 tenant when Azure AD cannot verify their accounts using another method.
The ad-hoc sharing mechanism works but requires several steps before the user can open the shared item.
User receives the email telling them that someone has shared an item with them.
User attempts to access the item. SharePoint Online detects that it must verify their identity, so it sends an 8-digit OTP to their email address.
The user receives the email (or finds it in their Junk Email folder) and enters the code (or cuts and pastes the code) into the form (Figure 1). Passcodes are valid for 30 minutes. The Keep me signed in checkbox controls the saving of the authentication cookie to disk to allow the user to reuse it for authentication until the cookie expires.
SharePoint Online verifies the code and if correct, allows access.
Figure 1: Using a one-time passcode to validate access to a shared file
Integrating SharePoint External Sharing with Azure AD B2B
To improve external sharing, in October 2021, Microsoft plans to turn on Email one-time passcode authentication for Azure AD by default for all tenants. Like the current ad-hoc sharing, the new mechanism features one-time passcodes. The big difference is that successful authentication results in the automatic creation of Azure AD guest accounts for external users.
Microsoft is making the change because it will enable new functionality for external recipients. Among the advantages cited are:
Because they will have Azure AD guest accounts, external recipients who redeem one-time passcodes won’t need to create a Microsoft (MSA) account.
Administrators can manage details of guest accounts, such as assigning them user-friendly display names or photos.
Other Microsoft 365 features, such as team membership or sharing of other SharePoint Online and OneDrive for Business resources, can take advantage of the guest accounts.
Guest accounts are subject to conditional access policies.
The Azure AD B2B Collaboration policy controls external sharing. In other words, you can whitelist the domains that sharing is limited to, or blacklist the domains that sharing is blocked with (a tenant can deploy either a whitelist or a blacklist, but not both).
Configuring Email OTP Authentication for Azure AD
While they can wait until Microsoft enables Email OTP authentication for Azure AD in October (or opt to disable the capability), tenants can choose to use email OTP authentication for Azure AD today. To enable the feature, go to the identity providers section and configure the email one-time passcode provider as shown in Figure 2.
Figure 2: Configuring the Azure AD Email one-time passcode identity provider
As you can see, this is where you can disable the feature, if that’s what you want to do.
Some configuration is necessary for SharePoint Online to integrate with Azure AD B2B and use email OTP authentication (or, as Microsoft says in its documentation, the Azure B2B Invitation Manager). Do this with the SharePoint Online management module by connecting to the tenant and running the Set-SPOTenant cmdlet to update the two necessary settings, EnableAzureADB2BIntegration and SyncAadB2BManagementPolicy.
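The following is an added example (not the article's own code) showing the connection, the two Set-SPOTenant settings, and a check of the result. It assumes the SharePoint Online Management Shell module is installed and that the signed-in account is a SharePoint administrator; the tenant name is a placeholder.

```powershell
# Added example: enable SharePoint Online integration with Azure AD B2B and verify it.
# Assumes the SharePoint Online Management Shell module is installed and the
# account used holds the SharePoint administrator role. Tenant name is a placeholder.

$TenantName = "contoso"   # placeholder: replace with your tenant name
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# Record the current state first so the change can be reverted if needed
$Before = Get-SPOTenant | Select-Object EnableAzureADB2BIntegration
Write-Host "EnableAzureADB2BIntegration before change: $($Before.EnableAzureADB2BIntegration)"

# Turn on B2B integration and make SharePoint honor the Azure AD B2B
# collaboration (allowed/blocked domain) policy when sharing
Set-SPOTenant -EnableAzureADB2BIntegration $true
Set-SPOTenant -SyncAadB2BManagementPolicy $true

# Verify. Get-SPOTenant reports EnableAzureADB2BIntegration but does not
# expose SyncAadB2BManagementPolicy, so only the first setting can be
# confirmed this way.
$After = Get-SPOTenant
if ($After.EnableAzureADB2BIntegration) {
    Write-Host "Azure AD B2B integration is enabled for SharePoint Online."
} else {
    Write-Warning "EnableAzureADB2BIntegration is still false; check the Set-SPOTenant output for errors."
}
```

Capturing the setting before the change gives you a documented rollback value; running Set-SPOTenant -EnableAzureADB2BIntegration $false restores the previous behavior if the integration causes problems for existing external recipients.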
Bizarrely, while you can use the Get-SPOTenant cmdlet to retrieve the value of the EnableAzureADB2BIntegration setting, it doesn’t report a value for SyncAadB2BManagementPolicy.
Using Email OTP Authentication for Azure AD
With Email OTP authentication for Azure AD enabled and connected to SharePoint Online, the following happens for external sharing.
The user creates a sharing link as usual (existing sharing links continue to work and there’s no need to recreate links).
Azure AD checks the directory and creates a guest account if an account doesn’t already exist for the external recipient.
The external recipient receives the email notification of sharing and clicks the sharing link.
Azure AD enters a validation process. Users with Azure AD or MSA accounts enter their email address and, if it is valid for the sharing link, the Azure AD Invitations service invokes the consent process to allow them to sign in with the new guest account (Figure 3). Users without Azure AD or MSA accounts sign in using the one-time passcode authentication procedure to validate their identity.
If the external recipient grants consent, Azure AD signs them in and allows access to the shared resource.
Figure 3: Completing the validation process for the new guest account
The external recipient now has a guest account in the tenant. They can use this account to access other resources shared with them. And if the authentication token granted through a sign-in is still valid, they won’t have to sign in again to open other shared resources. When the guest account accesses tenant resources, Azure AD captures audit records (Figure 4).
Figure 4: An Azure AD audit record for a guest account sign-in to access a shared file
The tenant can manage the guest account like any other account, including imposing conditional access policies to restrict access where necessary, such as for confidential sites protected by an authentication context applied through a sensitivity label.
Guest Accounts Need Management
Using guest accounts to manage external access to SharePoint Online and OneDrive for Business resources is a sensible move. It’s a lower-friction mechanism for external people that’s easier for tenants to operate. That being said, guest accounts do need to be managed, as it is all too easy to allow obsolete or unused accounts to accumulate in Azure AD. Microsoft doesn’t provide any tools to clean up old guest accounts, but you can do the job with PowerShell.
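As an added example of the cleanup job described above (not the article's own script), the following Microsoft Graph PowerShell SDK code reports guest accounts that have not signed in for a chosen number of days. It assumes the Microsoft.Graph.Users module is installed, that the administrator can consent to the listed scopes, and that the tenant holds the Azure AD Premium license needed to read sign-in activity; the threshold and report path are placeholders.

```powershell
# Added example: report stale guest accounts with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph.Users module is installed and the signed-in admin can
# consent to User.Read.All and AuditLog.Read.All (needed to read signInActivity,
# which also requires an Azure AD Premium license). Threshold and path are placeholders.

$StaleAfterDays = 90                             # placeholder threshold
$ReportPath     = "$env:TEMP\StaleGuests.csv"    # placeholder output location

Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"

$Cutoff = (Get-Date).AddDays(-$StaleAfterDays)

# Fetch every guest account with the properties needed to judge staleness
$Guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, DisplayName, Mail, CreatedDateTime, SignInActivity

$Report = foreach ($Guest in $Guests) {
    $LastSignIn = $Guest.SignInActivity.LastSignInDateTime
    # A guest that has never signed in is judged by its creation date instead,
    # so a freshly invited account is not flagged before it has had a chance to redeem
    $LastActivity = if ($LastSignIn) { $LastSignIn } else { $Guest.CreatedDateTime }
    if ($LastActivity -lt $Cutoff) {
        [PSCustomObject]@{
            DisplayName  = $Guest.DisplayName
            Mail         = $Guest.Mail
            Created      = $Guest.CreatedDateTime
            LastSignIn   = if ($LastSignIn) { $LastSignIn } else { "Never" }
            DaysInactive = [int]((Get-Date) - $LastActivity).TotalDays
            Id           = $Guest.Id
        }
    }
}

$Report | Sort-Object DaysInactive -Descending |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$(@($Report).Count) guest accounts inactive for more than $StaleAfterDays days written to $ReportPath"

# Deletion is deliberately a separate, reviewed step: once the report has been
# checked, each listed account can be removed with Remove-MgUser -UserId <Id>.
```

Reporting and deleting are split on purpose: a guest that looks idle may be the external reviewer of a document shared last quarter, so the CSV should be reviewed by the site or team owners before any Remove-MgUser call is issued.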
Learn more about how Office 365 really works on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.
So they will enable the portal.azure.com setting during October, but will they also make sure to run the Set-SPO settings during October or is this something you need to do manually?
I don’t know, but it wouldn’t hurt to run the PowerShell commands (which is what I did).
I got the confirmation they will NOT do the SharePoint part… I wonder if they take it in steps, and I assume these two settings mean the end for the old “ad-hoc” sharing mechanism in SharePoint?
Who are they? And what do you mean by not do the SharePoint part?
I did ask for feedback on the article (https://docs.microsoft.com/en-us/azure/active-directory/external-identities/one-time-passcode) in GitHub and they clarified it in the FAQ section at the bottom:
—
Does this change include SharePoint and OneDrive integration with Azure AD B2B?
No, the global rollout of the change to enable email one-time passcode by default that begins on November 1, 2021 doesn’t include SharePoint and OneDrive integration with Azure AD B2B. To learn how to enable integration so that collaboration on SharePoint and OneDrive uses B2B capabilities, or how to disable this integration, see SharePoint and OneDrive Integration with Azure AD B2B.
—
I wonder if they (Microsoft) are also planning to perform the Set-SPOTenant -EnableAzureADB2BIntegration $True and Set-SPOTenant -SyncAadB2BManagementPolicy $True on all tenants as well, because their long-term plan is to remove the ad-hoc sharing mechanism and use this way of sharing instead.
I agree that they’re trying to get rid of the ad-hoc sharing mechanism because they consider guest accounts to be more secure. I guess we’ll see as time goes by…