Table of Contents
Entra B2B Collaboration (Guest Accounts) Becomes the Basis for Access to Shared Files and Folders
Microsoft 365 message center notification MC1243549 (4 Mar 2026) brings news of the final deprecation of One-Time Passcodes (OTP) within SharePoint Online and OneDrive for Business from July 2026.
The journey to remove OTP from SharePoint Online and OneDrive for Business started in 2021 on an opt-in basis. Microsoft took the next step by automatically enabling the integration for new tenants in 2023. In July 2025, SharePoint Online deprecated OTP for tenants that had previously opted to integrate with Entra B2B Collaboration. All that’s left are tenants created before mid-2023 that chose to keep on using OTP.
Retirement Timeline
Starting in May 2026, any external invitations to share files or folders will use Entra B2B Collaboration (guest accounts) instead of OTP. Links that use OTP created before the switchover will continue to work as before until the retirement happens in July 2026. At that point, the links fail because of a lack of authentication. To continue sharing, people will have to create new sharing links. Use of the new links will prompt the Entra Invitation Manager to automatically create guest accounts for the link recipients.
Microsoft expects the retirement to be effective across Microsoft 365 (commercial, government, and sovereign clouds) by August 31, 2026.
Leveraging Guest Accounts
The change makes a lot of sense. OTP is a one-time operation that works, but it doesn’t support tracking external access to information in the tenant in the same way that a guest account does. A governance framework is available to manage and control guest accounts in a way that just isn’t possible for OTP actions, including auditing, control over guest account connections by Entra conditional access policies, and a B2B Collaboration policy to govern which domains guest accounts can come from.
It can be argued that removing OTP simplifies external access to files and folders because a single method will now be used, but that’s not the real story here. In a nutshell, Microsoft is dumping SharePoint OTP to take advantage of the work done over the last few years to develop and enhance guest account management. The change will also rationalize engineering and support costs because a single sharing authentication method will be used instead of the two in use today.
A Proliferation of Guest Accounts to Manage
I’ve used Entra B2B Collaboration with SharePoint Online and OneDrive for Business since 2021 and have no problems with operation or features. Everything just works. Tenants that already support external guest accounts for Teams and Outlook groups probably already use B2B Collaboration to share SharePoint content and will see no difference.
The challenge will be for tenants that move from OTP and don’t currently manage guest accounts (or perhaps don’t manage guest accounts as well as they should). These tenants can expect to see more guest accounts show up in their Entra directory. The number depends on how much external sharing happens within the tenant.
Among the issues that should be addressed include:
- Create a framework to manage guest accounts. The Entra B2B Collaboration policy is an important part of the framework, which might also include assigning sponsors to guest accounts to track the responsibility for granting access to the tenant.
- Determine how long a guest account can remain in the tenant. Entra ID access reviews are a good way to ensure that guest accounts are checked and removed if they fail a review. Access Reviews need Entra P1 licenses. Microsoft created a Copilot agent designed to make access reviews easier for tenants to manage. However, the high consumption of AI resources and the resulting costs made the agent a very expensive proposition. This might be why Microsoft decided not to bring the agent forward to general availability and withdraw the preview on March 27, 2026.
- A cheaper approach is to create an inactive guest account report with PowerShell to identify accounts that are no longer in use and can be removed.
- Enable an Expiring Access Policy to remove guest access from sites after a set period .(Figure 1)
- Set up an Azure subscription to pay for guest account access to premium features. Entra ID includes 50,000 free monthly active users (MAU) for guest accounts.
Guest accounts aren’t bad. Like many other parts of Microsoft 365, they just need to be managed on an ongoing basis.
Learn about managing Entra ID guest accounts and the rest of the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s important and how best to protect your tenant.
I get that sharing links externally will soon automatically generate a Entra Guest account in the tenant, but what I’m not clear on, based on everything I’ve read, is whether/how the sharing recipient will authenticate themselves to this Guest account, if not via an OTP.
Our org shares externally with a lot of folks who are, let’s just say not particularly tech savvy… and OTP is a (relatively) simple way of authenticating recipients so that links can’t be passed around. Anything more onerous than that, such as requiring them to create a password, or heaven forbid set up MFA for their new guest account would be a real hassle.
When the recipient receives an invitation to share, the guest account already exists. However, the invitation must be redeemed before the guest account can be used https://learn.microsoft.com/en-us/entra/external-id/b2b-quickstart-add-guest-users-portal.
Authentication depends on the host tenant. For example, the host tenant might require MFA https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-old-require-mfa-guest. It’s up to you to decide whether to do this. If MFA is not used, then a simple sign-in using the guest account works.