SOLVED

Questions about B2B guest password management, storage and resets

New Contributor

Hi

First I'd like to confirm my understanding that the passwords for invited guests are managed in the guest/partner's own identity provider and not in our (resource provider) AAD tenant?

I'd also like to confirm if at any time the guest password is actually copied to or stored in our AAD tenant for the purpose of credential authentication. I assume that AAD B2B uses pass-through authentication to the guest's identity provider, but need to confirm the guest passwords never leave the guest's identity provider.

Second-lastly, the question was raised in another question about password resets, but unanswered, and that is: if we use AAD B2B Collaboration and our guests have their own identity provider, can we apply any form of password rules on our side regarding password length, complexity or expiry?

And lastly, I'd like to know if there is any user/technical documentation regarding the SSPR process as outlined in the discussion about password resets?

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-B2B/How-do-guest-users-change-password...

Thanks and take care,

Shayne

1 Reply
best response confirmed by Shayne Wright (New Contributor)
Solution

Hi Shayne-

B2B by default uses federated authentication, so the guest passwords never leave the partner org. Also, the password policies are managed by the partner org.

The resource organization (the one that has invited the partner user into their directory) can enable MFA for the B2B users in order to increase the identity proof of the partner user signing in.

Password resets also happen in the partner organization. I responded in the thread you have referenced, but am pasting my response here for your convenience:

Here are the details about SSPR for the B2B user that is invited to a resource tenancy from their identity tenancy:

  1. SSPR will happen only in the identity tenancy of the B2B user
    1. If the identity tenancy is MSA – uses the MSA SSPR mechanism
    2. If the identity tenancy is a JIT/Viral tenancy, a password reset email will be sent
    3. For others, the standard SSPR process will be followed for B2B users, similar to members

SSPR for B2B users in the context of the resource tenancy will be blocked.

Hope this helps.

Please try this out and let us know if you have any issues!
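The MFA requirement for guests that the reply mentions, written out as a Conditional Access policy created with the Microsoft Graph PowerShell SDK; this is an added example, not code from the original thread, and the policy name and the all-applications scope are assumptions.

```powershell
# Added example (not from the original thread): require MFA for every guest/external
# user in the resource tenant via a Conditional Access policy. The guest still
# authenticates with their password at the partner org's identity provider; the
# resource tenant only adds the MFA challenge on top of that federated sign-in.
# The policy name and the "all applications" scope are assumptions for illustration.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Require MFA for B2B guest users"   # assumed name
    # Start in report-only mode to see which guest sign-ins would be affected,
    # then switch to "enabled" once the impact is understood.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            # Targets guest/external users only; member accounts are unaffected.
            includeUsers = @("GuestsOrExternalUsers")
        }
        applications = @{
            includeApplications = @("All")            # assumed scope: every cloud app
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Password length, complexity and expiry for the guest remain with the partner org, as the reply states; this policy only adds a second factor at sign-in to the resource tenant.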