SOLVED

How do guest users change passwords?

Occasional Contributor

Hi

 

The title says it all - I have been searching for a detailed description of how guest users change their passwords.

 

Are the guest user accounts somehow tied to their on-prem AD account so it is SSO? If not, do we, at the host tenant, need to activate self service password reset and how do we specify password rules?

 

Thanks,

Jakob

4 Replies

Hi Jakob

 

The guest users are "by design" not full users in your Azure AD, and you don't hold their password.  Their representation in the Azure AD is just a sort of "link" back to their real account.  As such, the users come from other sources like 

 

- Their own Office 365 tenant

- A "just in time" tenant (for users who don't have an MS account of any sort)

- A Microsoft account

 

When they use your resources as guests, they are authenticated back to their source directory, not your Azure AD.  So, the user must manage/change the password in their source environment.

 

Thanks

Joe

Best Response confirmed by Jakob Rohde (Occasional Contributor)
Solution

Thanks for the question Jakob - and your response Joe.

 

Here are the details about SSPR for the B2B user that is invited to a resource tenancy from their identity tenancy:

 

  1. SSPR will happen only in the identity tenancy of the B2B user
    1. If the identity tenancy is MSA – uses the MSA SSPR mechanism
    2. If the identity tenancy is a JIT/Viral tenancy, a password reset email will be sent
    3. For others, the standard SSPR process will be followed for B2B users, similar to members

SSPR for B2B users in the context of the resource tenancy will be blocked.

 

Hope this helps. 

 

Please try this out and let us know if you have any issues!


Hi all,

In regards to external user passwords, is there any control over password policies in the tenant with the linked account?  I have a client who is interested in using Azure AD B2B to provide access to a custom application to other partners.  They want to be able to specify the password complexity, lockout, and expiration.  I don't think that Azure AD B2B has any control over these policies, since the identity provider is outside of their tenant, but I wanted to check and see if any of these are possible.  I think the most important items are the password expiration and complexity.

 

The alternative is to simply provide each partner a full Azure AD account, but that would obviously require additional licensing and management.


Ned - you are correct. Since B2B is about federating with external identity providers - the partner org would own the password strength policies etc.

 

I assume the customer is asking for password strength policy enforcement because they want a higher proof of the partner users' identities. If that's the case, then they can enable MFA for guest user access that will achieve the same goal.
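The last reply points the resource tenant at the one control it actually owns for guests: requiring MFA on guest access rather than trying to dictate the partner's password policy. The script below is an added example, not code from this thread or from Microsoft; it audits a set of Conditional Access policies for that requirement. It assumes policy objects shaped like the Microsoft Graph `conditionalAccessPolicy` resource (`state`, `conditions.users.includeUsers` with the legacy `GuestsOrExternalUsers` value or the newer `includeGuestsOrExternalUsers` object, `conditions.applications.includeApplications`, `grantControls.operator` and `grantControls.builtInControls`); the three sample policies and the application id are constructed to show the common ways a "guest MFA" policy silently fails to cover anything (report-only mode, a single-app scope, exclusions).

```python
"""Audit Conditional Access policies for an enforced MFA requirement on guest access.

Added example for this thread; the SAMPLE_POLICIES below are constructed, not
exported from a real tenant. Field names follow the Graph conditionalAccessPolicy
resource as the author understands it (an assumption, not the thread's content).
"""
from typing import Any

GUEST_SENTINEL = "GuestsOrExternalUsers"   # legacy includeUsers value for guests
ALL_APPS = "All"                           # includeApplications value for every cloud app

SAMPLE_POLICIES: list[dict[str, Any]] = [
    {   # constructed: report-only, so it enforces nothing
        "displayName": "Guests MFA (report only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": [GUEST_SENTINEL], "excludeUsers": []},
            "applications": {"includeApplications": [ALL_APPS]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # constructed: enforced, but only for one application id (placeholder value)
        "displayName": "Guests MFA for partner portal",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [GUEST_SENTINEL], "excludeUsers": []},
            "applications": {"includeApplications": ["00000000-0000-0000-0000-00000000aaaa"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # constructed: the shape the thread recommends, using the newer guest selector
        "displayName": "Require MFA for all guests",
        "state": "enabled",
        "conditions": {
            "users": {
                "includeUsers": [],
                "excludeUsers": [],
                "includeGuestsOrExternalUsers": {"guestOrExternalUserTypes": "b2bCollaborationGuest"},
            },
            "applications": {"includeApplications": [ALL_APPS]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def targets_guests(users: dict[str, Any]) -> bool:
    """True if the user scope includes B2B guests via either selector form."""
    if GUEST_SENTINEL in users.get("includeUsers", []):
        return True
    newer = users.get("includeGuestsOrExternalUsers") or {}
    return "b2bCollaborationGuest" in str(newer.get("guestOrExternalUserTypes", ""))


def requires_mfa(grant: dict[str, Any]) -> bool:
    """MFA is only guaranteed if it is mandatory, not one of several OR-ed options."""
    controls = list(grant.get("builtInControls", []))
    if "mfa" not in controls:
        return False
    return grant.get("operator", "OR").upper() == "AND" or controls == ["mfa"]


def assess_guest_mfa(policies: list[dict[str, Any]]) -> dict[str, Any]:
    """Return which policies enforce MFA for guests on all apps, plus findings for near-misses."""
    enforcing: list[str] = []
    findings: list[str] = []
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        users = p.get("conditions", {}).get("users", {})
        apps = p.get("conditions", {}).get("applications", {}).get("includeApplications", [])
        if not targets_guests(users) or not requires_mfa(p.get("grantControls", {})):
            continue  # not a guest-MFA policy at all
        if p.get("state") != "enabled":
            findings.append(f"{name}: state is {p.get('state')!r}, nothing is enforced")
            continue
        if ALL_APPS not in apps:
            findings.append(f"{name}: scoped to {len(apps)} app(s), other apps stay unprotected")
            continue
        if users.get("excludeUsers"):
            findings.append(f"{name}: has user exclusions; review them")
        enforcing.append(name)
    return {"covered": bool(enforcing), "enforcing": enforcing, "findings": findings}


if __name__ == "__main__":
    result = assess_guest_mfa(SAMPLE_POLICIES)
    print("guest MFA enforced tenant-wide:", result["covered"])
    for line in result["findings"]:
        print("finding:", line)
```

Running it against the constructed set reports coverage only because of the third policy; dropping that one leaves two findings and no coverage, which is the situation this audit is meant to catch. Live use would feed the script the output of a Graph query for `/identity/conditionalAccess/policies` instead of `SAMPLE_POLICIES`.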