Forum Discussion
How do guest users change passwords?
Hi Jakob
The guest users are "by design" not full users in your Azure AD, and you don't hold their password. Their representation in the Azure AD is just a sort of "link" back to their real account. As such, the users come from other sources like
- Their own Office 365 tenant
- A "just in time" tenant (for users who don't have an MS account of any sort)
- A Microsoft account
When they use your resources as guests, they are authenticated back to their source directory, not your Azure AD. So, the user must manage/change the password in their source environment.
Thanks
Joe
- Sarat Subramaniam, Apr 04, 2017, Microsoft
Thanks for the question Jakob - and your response Joe.
Here are the details about SSPR for the B2B user that is invited to a resource tenancy from their identity tenancy:
- SSPR will happen only in the identity tenancy of the B2B user
- If the identity tenancy is MSA – uses the MSA SSPR mechanism
- If the identity tenancy is a JIT/Viral tenancy, a password reset email will be sent
- For others, the standard SSPR process will be followed for B2B users, similar to members
SSPR for B2B users in the context of the resource tenancy will be blocked.
Hope this helps.
Please try this out and let us know if you have any issues!
- May 28, 2017
Hi all,
In regards to external user passwords, is there any control over password policies in the tenant with the linked account? I have a client who is interested in using Azure AD B2B to provide access to a custom application to other partners. They want to be able to specify the password complexity, lockout, and expiration. I don't think that Azure AD B2B has any control over these policies, since the identity provider is outside of their tenant, but I wanted to check and see if any of these are possible. I think the most important items are the password expiration and complexity.
The alternative is to simply provide each partner a full Azure AD account, but that would obviously require additional licensing and management.
- Sarat Subramaniam, Jul 06, 2017, Microsoft
Ned - you are correct. Since B2B is about federating with external identity providers - the partner org would own the password strength policies etc.
I assume the customer is asking for password strength policy enforcement because they want a higher proof of the partner users' identities. If that's the case, then they can enable MFA for guest user access that will achieve the same goal.
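Added example, not part of the thread: since the resource tenant cannot set the partner's password policy, the control it can verify is whether guest sign-ins to the application are actually forced through MFA. The sketch below checks exported Conditional Access policies for that; the key names follow the Microsoft Graph `conditionalAccessPolicy` resource, while the application id, the sample policies and the function names are constructed for illustration, and the check deliberately ignores group, role, location and platform conditions.

```python
# Added example: audit exported Conditional Access policies for guest MFA.
# Keys follow the Microsoft Graph conditionalAccessPolicy resource; APP_ID
# and SAMPLE_POLICIES are constructed placeholders, not real tenant data.
APP_ID = "00000000-0000-0000-0000-000000000001"

def enforces_guest_mfa(policy, app_id):
    """True if this policy forces MFA on guest sign-ins to app_id."""
    if policy.get("state") != "enabled":  # report-only or disabled: no enforcement
        return False
    cond = policy.get("conditions", {})
    users, apps = cond.get("users", {}), cond.get("applications", {})
    if not {"All", "GuestsOrExternalUsers"} & set(users.get("includeUsers", [])):
        return False
    if "GuestsOrExternalUsers" in users.get("excludeUsers", []):
        return False
    included = apps.get("includeApplications", [])
    if "All" not in included and app_id not in included:
        return False
    if app_id in apps.get("excludeApplications", []):
        return False
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    # Under operator OR, any other listed control can satisfy the policy
    # in place of MFA, so MFA must be the sole control or joined with AND.
    return "mfa" in controls and (grant.get("operator") == "AND" or controls == ["mfa"])

def guest_mfa_policies(policies, app_id):
    """Names of the policies that enforce MFA for guests on app_id."""
    return [p["displayName"] for p in policies if enforces_guest_mfa(p, app_id)]

def _policy(name, state, include, exclude, controls):  # builds constructed samples
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": include, "excludeUsers": exclude},
                           "applications": {"includeApplications": [APP_ID]}},
            "grantControls": {"operator": "OR", "builtInControls": controls}}

SAMPLE_POLICIES = [
    _policy("Guests: require MFA", "enabled", ["GuestsOrExternalUsers"], [], ["mfa"]),
    _policy("All users MFA, guests excluded", "enabled", ["All"], ["GuestsOrExternalUsers"], ["mfa"]),
    _policy("Guests MFA (report-only)", "enabledForReportingButNotEnforced", ["GuestsOrExternalUsers"], [], ["mfa"]),
    _policy("Guests: MFA or compliant device", "enabled", ["GuestsOrExternalUsers"], [], ["mfa", "compliantDevice"]),
]

if __name__ == "__main__":
    print(guest_mfa_policies(SAMPLE_POLICIES, APP_ID))
```

Only the first sample policy counts: the others exclude guests, run in report-only mode, or let a second control stand in for MFA.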