The title says it all - I have been searching for a detailed description of how guest users change their passwords.
Is the guest user account somehow tied to their on-prem AD account so it is SSO? If not, do we, at the host tenant, need to activate self-service password reset and how do we specify password rules?
03-27-2017 03:23 AM
The guest users are "by design" not full users in your Azure AD, and you don't hold their password. Their representation in the Azure AD is just a sort of "link" back to their real account. As such, the users come from other sources like
- Their own Office 365 tenant
- A "just in time" tenant (for users who don't have an MS account of any sort)
- A Microsoft account
When they use your resources as guests, they are authenticated back to their source directory, not your Azure AD. So, the user must manage/change the password in their source environment.
04-04-2017 09:17 AM Solution
Thanks for the question Jakob - and your response Joe.
Here are the details about SSPR for the B2B user that is invited to a resource tenancy from their identity tenancy:
SSPR for B2B users in the context of the resource tenancy will be blocked.
Hope this helps.
Please try this out and let us know if you have any issues!
05-28-2017 07:25 AM
In regards to external user passwords, is there any control over password policies in the tenant with the linked account? I have a client who is interested in using Azure AD B2B to provide access to a custom application to other partners. They want to be able to specify the password complexity, lockout, and expiration. I don't think that Azure AD B2B has any control over these policies, since the identity provider is outside of their tenant, but I wanted to check and see if any of these are possible. I think the most important items are the password expiration and complexity.
The alternative is to simply provide each partner a full Azure AD account, but that would obviously require additional licensing and management.
07-06-2017 06:56 AM
Ned - you are correct. Since B2B is about federating with external identity providers - the partner org would own the password strength policies etc.
I assume the customer is asking for password strength policy enforcement because they want a higher proof of the partner users' identities. If that's the case, then they can enable MFA for guest user access that will achieve the same goal.