Removing Friction from Sharing
External sharing of SharePoint Online and OneDrive for Business elements like documents, list items, and folders uses a technology called ad-hoc external sharing. When users share items with external recipients, SharePoint Online and OneDrive for Business use a one-time passcode to allow that person to verify their identity. A one-time passcode (OTP) is a way to authenticate the identity of people outside your Microsoft 365 tenant when Azure AD cannot verify their accounts using another method.
The ad-hoc sharing mechanism works but requires several steps before the user can open the shared item.
- User receives the email telling them that someone has shared an item with them.
- User attempts to access the item. SharePoint Online detects that it must verify their identity, so sends an 8-digit OTP to their email address.
- The user receives the email (or finds it in their Junk Email folder) and enters the code (or cuts and pastes the code) into the form (Figure 1). Passcodes are valid for 30 minutes. The Keep me signed in checkbox controls the saving of the authentication cookie to disk to allow the user to reuse it for authentication until the cookie expires.
- SharePoint Online verifies the code and if correct, allows access.
Integrating SharePoint External Sharing with Azure AD B2B
To improve external sharing, in October 2021, Microsoft plans to turn on Email one-time passcode authentication for Azure AD by default for all tenants. Like the current ad-hoc sharing, the new mechanism features one-time passcodes. The big difference is that successful authentication results in the automatic creation of Azure AD guest accounts for external users.
Microsoft is making the change because it will enable new functionality for external recipients. Among the advantages cited are:
- Because they will have Azure AD guest accounts, external recipients who redeem one-time passcodes won’t need to create a Microsoft (MSA) account.
- Administrators can manage details of guest accounts, such as assigning them user-friendly display names or photos.
- Other Microsoft 365 features, such as team membership or sharing of other SharePoint Online and OneDrive for Business resources, can take advantage of the guest accounts.
- Guest accounts are subject to conditional access policies.
- Tenants that configure Google Cloud federation with Azure AD can share resources with federated accounts.
- The Azure AD B2B collaboration policy controls external sharing. In other words, the same whitelist (domains sharing is limited to) or blacklist (domains sharing is blocked for) that governs guest invitations also governs SharePoint Online sharing; a tenant can deploy either a whitelist or a blacklist, but not both.
Configuring Email OTP Authentication for Azure AD
While they can wait until Microsoft enables Email OTP authentication for Azure AD in October (or opt to disable the capability), tenants can choose to use email OTP authentication for Azure AD today. To enable the feature, go to the identity providers section and configure the email one-time passcode provider as shown in Figure 2.
As you can see, this is where you can disable the feature, if that’s what you want to do.
Some configuration is necessary for SharePoint Online to integrate with Azure AD B2B and use email OTP authentication (or as Microsoft says in its documentation, Azure B2B Invitation Manager). Do this with the SharePoint Online management module by connecting and running the Set-SPOTenant cmdlet to update the necessary settings:
Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
Set-SPOTenant -EnableAzureADB2BIntegration $True
Set-SPOTenant -SyncAadB2BManagementPolicy $True
Bizarrely, while you can use the Get-SPOTenant cmdlet to retrieve the value of the EnableAzureADB2BIntegration setting, it doesn’t report a value for SyncAadB2BManagementPolicy.
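The following script, added here as an example and not taken from the original post or from Microsoft's documentation, performs the whole configuration described above in one pass: it enables the email one-time passcode provider through Microsoft Graph (the portal setting in Figure 2), writes an Azure AD B2B collaboration allow list, turns on the SharePoint Online integration, and then reads back what can be read back. It assumes the AzureAD, Microsoft.Graph.Authentication and Microsoft.Online.SharePoint.PowerShell modules are installed, that the signed-in account is a Global Administrator, and that the tenant name and partner domains are placeholders you replace.

```powershell
# Added example (not from the original post): end-to-end configuration of
# Email OTP for Azure AD, the B2B domain policy, and the SharePoint Online
# integration, followed by a read-back check.
# Assumptions: AzureAD, Microsoft.Graph.Authentication and
# Microsoft.Online.SharePoint.PowerShell modules installed; Global Admin
# account; $TenantName and $AllowedDomains are placeholders.

$TenantName     = 'contoso'                              # placeholder: <tenant> in <tenant>-admin.sharepoint.com
$AllowedDomains = @('fabrikam.com', 'partner.example')   # placeholder partner domains

# 1. Enable the email one-time passcode identity provider (Figure 2) through
#    Graph. Setting allowExternalIdToUseEmailOtp to 'disabled' turns it off.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'
$emailOtp = @{
    '@odata.type'                = '#microsoft.graph.emailAuthenticationMethodConfiguration'
    allowExternalIdToUseEmailOtp = 'enabled'
}
Invoke-MgGraphRequest -Method PATCH `
    -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/email' `
    -Body $emailOtp

# 2. Write the Azure AD B2B collaboration policy as a whitelist. A tenant can
#    have a whitelist or a blacklist, never both, so BlockedDomains stays empty.
Connect-AzureAD
$definition = @{
    B2BManagementPolicy = @{
        InvitationsAllowedAndBlockedDomainsPolicy = @{
            AllowedDomains = $AllowedDomains
            BlockedDomains = @()
        }
    }
} | ConvertTo-Json -Depth 5   # default depth of 2 would truncate the domain arrays

$existing = Get-AzureADPolicy | Where-Object { $_.Type -eq 'B2BManagementPolicy' }
if ($existing) {
    Set-AzureADPolicy -Id $existing.Id -Definition @($definition)
} else {
    New-AzureADPolicy -Definition @($definition) -DisplayName 'B2BManagementPolicy' `
        -Type 'B2BManagementPolicy' -IsOrganizationDefault $true
}

# 3. Point SharePoint Online at the Azure AD B2B invitation manager and make it
#    honour the policy from step 2. One Set-SPOTenant call covers both settings.
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
Set-SPOTenant -EnableAzureADB2BIntegration $true -SyncAadB2BManagementPolicy $true

# 4. Read back. Get-SPOTenant reports EnableAzureADB2BIntegration but not
#    SyncAadB2BManagementPolicy, so the policy itself is checked in Azure AD.
$spo = Get-SPOTenant
if (-not $spo.EnableAzureADB2BIntegration) {
    throw 'SharePoint Online B2B integration is still disabled.'
}
$policy  = Get-AzureADPolicy | Where-Object { $_.Type -eq 'B2BManagementPolicy' }
$domains = ($policy.Definition | ConvertFrom-Json).B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy
if ($domains.AllowedDomains -and $domains.BlockedDomains) {
    throw 'Policy defines both a whitelist and a blacklist; Azure AD supports only one.'
}
'Allowed: {0}  Blocked: {1}' -f ($domains.AllowedDomains -join ','), ($domains.BlockedDomains -join ',')
```

Run it once from an elevated PowerShell session; steps 1 and 2 are idempotent, and step 4 fails loudly rather than assuming the policy sync took effect, which matters because the SharePoint side gives you no way to confirm it.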
Using Email OTP Authentication for Azure AD
With Email OTP authentication for Azure AD enabled and connected to SharePoint Online, the following happens for external sharing.
- The user creates a sharing link as usual (existing sharing links continue to work and there’s no need to recreate links).
- Azure AD checks the directory and creates a guest account if an account doesn’t already exist for the external recipient.
- The external recipient receives the email notification of sharing and clicks the sharing link.
- Azure AD enters a validation process. Users with Azure AD or MSA accounts enter their email address and, if it matches the recipient of the sharing link, the Azure AD invitations service runs the consent process before signing them into the new guest account (Figure 3). Users without Azure AD or MSA accounts validate their identity through the one-time passcode procedure instead.
- If the external recipient grants consent, Azure AD signs them in and allows access to the shared resource.
The external recipient now has a guest account in the tenant. They can use this account to access other resources shared with them. And if the authentication token granted through a sign-in is still valid, they won’t have to sign in again to open other shared resources. When the guest account accesses tenant resources, Azure AD captures audit records (Figure 4).
The tenant can manage the guest account like any other account, including applying conditional access policies to restrict access where necessary, for example to confidential sites whose sensitivity label assigns an authentication context.
Guest Accounts Need Management
Using guest accounts to manage external access to SharePoint Online and OneDrive for Business resources is a sensible move. It’s a lower-friction mechanism for external people that’s easier for tenants to operate. That being said, guest accounts do need to be managed, as it is all too easy to let obsolete or unused accounts accumulate in Azure AD. Microsoft doesn’t provide any tools to clean up old guest accounts, but you can do the job with PowerShell.
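As an added example of the cleanup the previous paragraph refers to (not code from the original post), here is a report-first script that lists guest accounts with no sign-in activity in a configurable window and deletes them only when explicitly told to. It uses the Microsoft Graph PowerShell SDK; the signInActivity property needs Azure AD Premium P1 and the AuditLog.Read.All scope, and the 90-day threshold is an arbitrary default you should tune to your own access-review cadence.

```powershell
# Added example (not from the original post): report, and optionally remove,
# stale Azure AD guest accounts. Report-only unless -Remove is passed.
# Assumptions: Microsoft.Graph SDK installed; Azure AD Premium P1 for
# signInActivity; 90 days is an arbitrary staleness threshold.
param(
    [int]$StaleDays = 90,
    [switch]$Remove
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All'

$cutoff = (Get-Date).AddDays(-$StaleDays)

# signInActivity is only returned when explicitly selected; -All pages through
# every guest rather than stopping at the first page.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, DisplayName, Mail, CreatedDateTime, ExternalUserState, SignInActivity

$stale = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime
    # A guest who never signed in has no signInActivity at all; fall back to the
    # creation date so a freshly invited guest is not flagged on day one.
    $lastActivity = if ($lastSignIn) { $lastSignIn } else { $g.CreatedDateTime }
    if ($lastActivity -lt $cutoff) {
        [pscustomobject]@{
            Id          = $g.Id
            DisplayName = $g.DisplayName
            Mail        = $g.Mail
            Created     = $g.CreatedDateTime
            LastSignIn  = $lastSignIn
            InviteState = $g.ExternalUserState   # PendingAcceptance = invitation never redeemed
        }
    }
}

$stale | Sort-Object Created | Format-Table -AutoSize

if ($Remove) {
    foreach ($s in $stale) {
        Remove-MgUser -UserId $s.Id -Confirm:$false
        'Removed guest {0} ({1})' -f $s.DisplayName, $s.Mail
    }
} else {
    '{0} stale guest account(s) found. Re-run with -Remove to delete them.' -f @($stale).Count
}
```

Review the report before running with -Remove: a guest whose invitation is still PendingAcceptance may simply be a partner who has not opened the link yet, and a deleted guest who later returns gets a new object ID, so any direct permissions granted to the old account are lost.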
Learn more about how Office 365 really works on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.