Table of Contents
Removing Friction from Sharing by Extending OTP-based Authentication to Entra ID B2B Collaboration
External sharing of SharePoint Online and OneDrive for Business elements like documents, list items, and folders uses a technology called ad-hoc external sharing. When users share items with external recipients, SharePoint Online and OneDrive for Business use a one-time passcode to allow that person to verify their identity. A one-time passcode (OTP) is a way to authenticate the identity of people outside your Microsoft 365 tenant when Entra ID cannot verify their accounts using another method.
The ad-hoc sharing mechanism works but requires several steps before the user can open the shared item.
- User receives the email telling them that someone has shared an item with them.
- User attempts to access the item. SharePoint Online detects that it must verify their identity, so sends an 8-digit OTP to their email address.
- The user receives the email (or finds it in their Junk Email folder) and enters the code (or cuts and pastes the code) into the form (Figure 1). Passcodes are valid for 30 minutes. The Keep me signed in checkbox controls the saving of the authentication cookie to disk to allow the user to reuse it for authentication until the cookie expires.
- SharePoint Online verifies the code and if correct, allows access.
Integrating SharePoint External Sharing with Entra ID B2B Collaboration
To improve external sharing, in October 2021, Microsoft plans to turn on Email one-time passcode authentication for Entra ID by default for all tenants. Like the current ad-hoc sharing, the new mechanism features one-time passcodes. The big difference is that successful authentication results in the automatic creation of guest accounts for external users.
Microsoft is making the change because it will enable new functionality for external recipients. Among the advantages cited are:
- Because they will have guest accounts, external recipients who redeem one-time passcodes won’t need to create a Microsoft (MSA) account.
- Administrators can manage details of guest accounts, such as assigning them user-friendly display names or photos.
- Other Microsoft 365 features, such as team membership or sharing of other SharePoint Online and OneDrive for Business resources, can take advantage of the guest accounts.
- Guest accounts are subject to conditional access policies.
- Tenants that configure Google Cloud federation with Entra ID can share resources with federated accounts.
- The Entra ID B2B Collaboration policy controls external sharing. In other words, you can whitelist or blacklist domains that you want to limit sharing with or stop sharing with (a tenant can choose to deploy either a whitelist or blacklist, but not both).
Configuring Email OTP Authentication for Entra ID
While they can wait until Microsoft enables Email OTP authentication for Entra ID in October (or opt to disable the capability), tenants can choose to use email OTP authentication for Entra ID today. To enable the feature, go to the identity providers section and configure the email one-time passcode provider as shown in Figure 2.
As you can see, this is where you can disable the feature, if that’s what you want to do.
Some configuration is necessary for SharePoint Online to integrate with Entra ID B2B and use email OTP authentication (or as Microsoft says in its documentation, Entra ID Invitation Manager). Do this with the SharePoint Online management module by connecting and running the Set-SPOTenant cmdlet to update the necessary settings:
Set-SPOTenant -EnableAzureADB2BIntegration $True Set-SPOTenant -SyncAadB2BManagementPolicy $True
Bizarrely, while you can use the Get-SPOTenant cmdlet to retrieve the value of the EnableAzureADB2BIntegration setting, it doesn’t report a value for SyncAadB2BManagementPolicy.
Using Email OTP Authentication for Entra ID
With Email OTP authentication for Entra ID enabled and connected to SharePoint Online, the following happens for external sharing.
The user creates a sharing link as usual (existing sharing links continue to work and there’s no need to recreate links).
- Entra ID checks the directory and creates a guest account if an account doesn’t already exist for the external recipient.
- The external recipient receives the email notification of sharing and clicks the sharing link.
- Entra ID invokes a validation process. Users with Entra ID or MSA accounts enter their email address and, if this is valid for the sharing link, the Entra ID Invitations service invokes the consent process to allow it to sign in the new guest account (Figure 3). Users without Entra ID or MSA accounts sign in using the one-time passcode authentication procedure to validate their identity.
- If the external recipient grants consent, Entra ID signs them in and allows access to the shared resource.
The external recipient now has a guest account in the tenant. They can use this account to access other resources shared with them. And if the authentication token granted through a sign-in is still valid, they won’t have to sign in again to open other shared resources. When the guest account accesses tenant resources, Entra ID captures audit records in its sign-in log (Figure 4).
The tenant can manage the guest account like any other account, including imposing conditional access policies to restrict access where necessary, like confidential sites marked with an authentication context with a sensitivity label.
Guest Accounts Need Management
Using guest accounts to manage external access to SharePoint Online and OneDrive for Business resources is a sensible move. It’s a lower friction mechanism for external people that’s easier for tenants to operate. That being said, guest accounts do need to be managed as it is all too easy to allow obsolete or unused accounts accumulate in Entra ID. Microsoft doesn’t provide any tools to clean up old guest accounts, but you can do the job with PowerShell.
Learn more about how Office 365 really works on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.