cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Questions about B2B guest password management, storage and resets

Shayne Wright
Copper Contributor

‎Jun 22 2017 11:20 AM - last edited on ‎Jan 14 2022 04:49 PM by

‎Jun 22 2017 11:20 AM - last edited on ‎Jan 14 2022 04:49 PM by

Questions about B2B guest password management, storage and resets

Hi

 

First I'd like to confirm my understanding that the passwords for invited guests are managed in the guest/partner's own identity provider and not in our (resource provider) AAD tenant?

 

I'd also like to confirm if at any time the guest password is actually copied to or stored in our AAD tenant for the purpose of credential authentication. I assume that AAD B2B uses pass-through authentication to the guest's identity provider, but need to confirm the guest passwords never leave the guest's identity provider.

 

Second-lastly the question was raised in another question about password resets, but unanswered, and that is if we use AAD B2B Collaboration and our guest's have their own identity provider, can we apply any form of password rules on our side regarding password length, complexity or expiry?

 

And lastly, I'd like to know if there is any user/technical documentation regarding SSPR process as outlined in the discussion about password resets?

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-B2B/How-do-guest-users-change-password...

 

Thanks and take care,

Shayne

Labels:
11K Views
1 Like
1 Reply
Reply
1 Reply
best response confirmed by Shayne Wright (Copper Contributor)
Sarat Subramaniam

‎Jul 06 2017 08:11 AM

‎Jul 06 2017 08:11 AM

Solution

Re: Questions about B2B guest password management, storage and resets

Hi Shayne-

 

B2B by default uses federated authentication. So that the guest passwords never leave the partner org. Also, the password policies are managed by the partner org.

 

The resource organization (the one that has invited the partner user into their directory) - can enable MFA for the B2B users inorder to increase the identity proof of the partner user signing in.

 

Password resets also happen in the partner organization. I responded in the thread you have referenced, but pasting my response here for your convenience:

 

Here are the details about SSPR for the B2B user that is invited to a resource tenancy from their identity tenancy:

 

  1. SSPR will happen only in the identity tenancy of the B2B user
    1. If the identity tenancy is MSA – uses the MSA SSPR mechanism
    2. If the identity tenancy is a JIT/Viral tenancy, a password reset email will be sent
    3. For others, the standard SSPR process will be followed for B2B users, similar to members

 SSPR for B2B users in the context of the resource tenancy will be blocked.

 

Hope this helps. 

 

Please try this out and let us know if you have any issues!

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Shayne Wright (Copper Contributor)
Sarat Subramaniam

‎Jul 06 2017 08:11 AM

‎Jul 06 2017 08:11 AM

Solution

Re: Questions about B2B guest password management, storage and resets

Hi Shayne-

 

B2B by default uses federated authentication. So that the guest passwords never leave the partner org. Also, the password policies are managed by the partner org.

 

The resource organization (the one that has invited the partner user into their directory) - can enable MFA for the B2B users inorder to increase the identity proof of the partner user signing in.

 

Password resets also happen in the partner organization. I responded in the thread you have referenced, but pasting my response here for your convenience:

 

Here are the details about SSPR for the B2B user that is invited to a resource tenancy from their identity tenancy:

 

  1. SSPR will happen only in the identity tenancy of the B2B user
    1. If the identity tenancy is MSA – uses the MSA SSPR mechanism
    2. If the identity tenancy is a JIT/Viral tenancy, a password reset email will be sent
    3. For others, the standard SSPR process will be followed for B2B users, similar to members

 SSPR for B2B users in the context of the resource tenancy will be blocked.

 

Hope this helps. 

 

Please try this out and let us know if you have any issues!

View solution in original post

0 Likes
Reply