Last Updated on March 28, 2021 by Dishan M. Francis
Azure AD B2B allows external users to collaborate with the organization’s application, services, and data. To allow guest user access, these external users are required to have Azure AD account, Microsoft Account, or Google federation (for @gmail.com and @googlemail.com users). But now, if the guest user doesn’t have any of the above-mentioned accounts, he/she can connect using One-time passcode. This code will send to the guest user’s email account. The passcode will be valid for 30 minutes. Once the user is authenticated, the session will be valid for 24 hours, and after that guest user is required a new code to log in. Starting October 2021, one-time passcode authentication will be enabled for all existing tenants and new tenants.
OTP users must use the https://myapps.microsoft.com/?tenantid=<tenant id> , https://portal.azure.com/<tenant id> or https://myapps.microsoft.com/<verified domain>.onmicrosoft.com when they authenticate. In above <tenant id> should replace with the organization’s tenant ID. <verified domain> should replace using the verified domain details.
Let’s go ahead and see how OTP works with Azure AD B2B Guest Users.
Enable OTP Feature
To start, first, we need to enable the OTP feature for guest users.
1. Log in to Azure portal as Global Administrator
2. Then go to Azure Active Directory
3. Go to External Identities | All Identity Providers
4. From the list of configured Identity providers, click on Email one-time passcode (Preview)
5. From the options list, first, click on Enable email one-time passcode for guests effective now and then Save
Now we have enabled the feature and the next step is to test OTP authentication. To do this, I am first going to invite a user to the Azure AD group and make him a member of Sales & Marketing.
Create Azure AD B2B Guest User
1. Go to Azure Active Directory
2. Click on Users
3. Then click on + New guest user
4. On the new page, click on the Invite User option first and then type user details. In this demo, I will also add the user to the sales & marketing group. Once all the details are in place, click on Invite.
5. As expected, the guest user received the invitation.
6. I went ahead and click on the invitation. As expected, it offers to send OTP code.
7. In a few seconds, I received the OTP code as an email.
8. Then I use the code and it logs me in successfully.
9. Also, when I check the user account details under Azure AD, it shows OTP as the login type.
Hope now you have a better understanding of how OTP authentication works for Azure AD B2B Guest users. If you have any further questions feel free to contact me on firstname.lastname@example.org also follow me on Twitter @rebeladm to get updates about new blog posts.