How do guest users change passwords?

Jakob Rohde · ‎Mar 23 2017

Hi

The title says it all - I have been searching for a detailed description of how guest users change their passwords.

Are the guest user account somehow tied to their on-prem AD account so it is SSO? If not, do we, at the host tenant, need to activate self service password reset and how do we specify password rules?

Thanks,

Jakob

Joe McNicholas · ‎Mar 27 2017

Hi Jakob

The guest users are "by design" not full users in your Azure AD, and you don't hold their password. Their representation in the Azure AD is just a sort of "link" back to their real account. As such, the users come from other sources like

- Their own Office 365 tenant

- A "just in time" tenant (for users who don't have an MS account of any sort)

- A Microsoft account

When they use your resources as guests, they are authenticated back to their source directory, not your Azure AD. So, the user must manage/chnage the password in their source environment.

Thanks

Joe

VI_Migration · ‎Apr 04 2017

Thanks for the question Jakob - and your response Joe.

Here are the details about SSPR for the B2B user that is invited to a resource tenancy from their identity tenancy:

SSPR will happen only in the identity tenancy of the B2B user

If the identity tenancy is MSA – uses the MSA SSPR mechanism
If the identity tenancy is a JIT/Viral tenancy, a password reset email will be sent
For others, the standard SSPR process will be followed for B2B users, similar to members

SSPR for B2B users in the context of the resource tenancy will be blocked.

Hope this helps.

Please try this out and let us know if you have any issues!

Ned Bellavance · ‎May 28 2017

Hi all,

In regards to external user passwords, is there any control over password policies in the tenant with the linked account? I have a client who is interested in using Azure AD B2B to provide access to a custom application to other partners. They want to be able to specify the password complexity, lockout, and expiration. I don't think that Azure AD B2B has any control over these policies, since the identity provider is outside of their tenant, but I wanted to check and see if any of these are possible. I think the most important items are the password expiration and complexity.

The alternative is to simply provide each partner a full Azure AD account, but that would obviously require additional licensing and management.

Sarat Subramaniam · ‎Jul 06 2017

Ned - you are correct. Since B2B is about federating with external identity providers - the partner org would own the password strength policies etc.

I assume the customer is asking for password strength policy enforcement because they want a higher proof of the partner users' identities. If that's the case, then they can enable MFA for guest user access that will achieve the same goal.

VI_Migration · ‎Apr 04 2017

Thanks for the question Jakob - and your response Joe.

Here are the details about SSPR for the B2B user that is invited to a resource tenancy from their identity tenancy:

SSPR will happen only in the identity tenancy of the B2B user

If the identity tenancy is MSA – uses the MSA SSPR mechanism
If the identity tenancy is a JIT/Viral tenancy, a password reset email will be sent
For others, the standard SSPR process will be followed for B2B users, similar to members

SSPR for B2B users in the context of the resource tenancy will be blocked.

Hope this helps.

Please try this out and let us know if you have any issues!

View solution in original post

How do guest users change passwords?

How do guest users change passwords?

Re: How do guest users change passwords?

Re: How do guest users change passwords?

Re: How do guest users change passwords?

Re: How do guest users change passwords?

Re: How do guest users change passwords?

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

How do guest users change passwords?