Forum Discussion

Shayne Wright
Jun 22, 2017
Solved

Questions about B2B guest password management, storage and resets

Hi. First I'd like to confirm my understanding that the passwords for invited guests are managed in the guest/partner's own identity provider and not in our (resource provider) AAD tenant? I'd...
  • Sarat Subramaniam
    Jul 06, 2017

    Hi Shayne-

    B2B by default uses federated authentication, so the guest passwords never leave the partner org. Also, the password policies are managed by the partner org.

    The resource organization (the one that has invited the partner user into their directory) can enable MFA for the B2B users in order to increase the identity proof of the partner user signing in.

    Password resets also happen in the partner organization. I responded in the thread you have referenced, but pasting my response here for your convenience:

    Here are the details about SSPR for the B2B user that is invited to a resource tenancy from their identity tenancy:

    1. SSPR will happen only in the identity tenancy of the B2B user
      1. If the identity tenancy is MSA – uses the MSA SSPR mechanism
      2. If the identity tenancy is a JIT/Viral tenancy, a password reset email will be sent
      3. For others, the standard SSPR process will be followed for B2B users, similar to members

    SSPR for B2B users in the context of the resource tenancy will be blocked.

    Hope this helps.

    Please try this out and let us know if you have any issues!
