Jakob Rohde
Copper Contributor
Mar 23, 2017

How do guest users change passwords?

Hi

 

The title says it all - I have been searching for a detailed description of how guest users change their passwords.

 

Is the guest user account somehow tied to their on-prem AD account so it is SSO? If not, do we, at the host tenant, need to activate self-service password reset, and how do we specify password rules?

 

Thanks,

Jakob

  • Hi Jakob

     

    The guest users are "by design" not full users in your Azure AD, and you don't hold their password.  Their representation in the Azure AD is just a sort of "link" back to their real account.  As such, the users come from other sources like 

     

    - Their own Office 365 tenant

    - A "just in time" tenant (for users who don't have an MS account of any sort)

    - A Microsoft account

     

    When they use your resources as guests, they are authenticated back to their source directory, not your Azure AD.  So, the user must manage/change the password in their source environment.

     

    Thanks

    Joe

    • Sarat Subramaniam
      Microsoft

      Thanks for the question Jakob - and your response Joe.

       

      Here are the details about SSPR for the B2B user that is invited to a resource tenancy from their identity tenancy:

       

      1. SSPR will happen only in the identity tenancy of the B2B user
        1. If the identity tenancy is MSA – uses the MSA SSPR mechanism
        2. If the identity tenancy is a JIT/Viral tenancy, a password reset email will be sent
        3. For others, the standard SSPR process will be followed for B2B users, similar to members

       SSPR for B2B users in the context of the resource tenancy will be blocked.

       

      Hope this helps. 

       

      Please try this out and let us know if you have any issues!

      • Ned Bellavance
        MVP

        Hi all,

        In regards to external user passwords, is there any control over password policies in the tenant with the linked account?  I have a client who is interested in using Azure AD B2B to provide access to a custom application to other partners.  They want to be able to specify the password complexity, lockout, and expiration.  I don't think that Azure AD B2B has any control over these policies, since the identity provider is outside of their tenant, but I wanted to check and see if any of these are possible.  I think the most important items are the password expiration and complexity.

         

        The alternative is to simply provide each partner a full Azure AD account, but that would obviously require additional licensing and management.
