Forum Discussion
One-time passcode authentication question
We've had a few users report that guests they've invited to groups, teams or sites were prompted for a code to sign in (as described here: One-time passcode authentication for B2B guest users - Azure AD - Microsoft Entra | Microsoft Learn
In the past, guests needed a Microsoft account of some kind to authenticate. Some complained about this, but at least it was a known quantity and the behavior was predictable.
Now, it seems that if there is an MSA (M365, Live.com, Outlook.com, etc.) associated with the email address used to invite them, they are prompted to sign in with that account.
If there is not an MSA connected to that email, then sometimes they are prompted for a code, but sometimes they are prompted to create an MSA. There doesn't seem to be any rhyme or reason, but we haven't tested very extensively.
So, the question is: is this normal? I understand that we could disable the one-time passcode authentication, but there are absolutely some valid use cases for it, so we'd rather not. I just want to understand what the expected behavior is so we know how to handle questions or issues that users report.
- Email OTP in AAD is enabled by default now. This is how it works https://learn.microsoft.com/en-us/azure/active-directory/external-identities/one-time-passcode
When sharing sites as opposed to files and folders a MS account will be needed (at least that’s how it’s been).
