SharePoint Online enabled MFA for guest accounts, but I see the onetime passcode

%3CLINGO-SUB%20id%3D%22lingo-sub-3026992%22%20slang%3D%22en-US%22%3ESharePoint%20Online%20enabled%20MFA%20for%20guest%20accounts%2C%20but%20I%20see%20the%20onetime%20passcode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3026992%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20enabled%20MFA%20for%20guest%20accounts%20in%20a%20conditional%20access%20policy.%20I%20test%20it%202%20weeks%20before%20with%20some%20gmail%20and%20hotmail%20private%20accounts%20and%20SharePoint.%20It%20was%20working%20fine.%20The%20guest%20accounts%20needed%20to%20do%20the%20MFA%20configuration%20and%20authentication.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%20I%20see%20at%20some%20guest%20account%20it%20receives%20the%20onetime%20passcode.%20I%20now%20this%20features%20is%20just%20rolled%20out%20by%20MS%20in%20november%20and%20is%20default%20enabled%20on%20all%20tenants.%20But%20what%20is%20now%20the%20behaviour%20with%20the%20onetime%20passcode%20and%20MFA%20for%20guest%20accounts%3F%20Do%20they%20get%20both%20or%20just%20one%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fexternal-identities%2Fone-time-passcode%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EOne-time%20passcode%20authentication%20for%20B2B%20guest%20users%20-%20Azure%20AD%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22otp-send-code.png%22%20style%3D%22width%3A%20482px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F331208i35C6F956E21B4AA2%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22otp-send-code.png%22%20alt%3D%22otp-send-code.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22otp-send-code.png%22%20style%3D%22width%3A%20482px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F331209iE15C3BA4F43D9532%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22otp-send-code.png%22%20alt%3D%22otp-send-code.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESee%20picture%20below%20for%20conditional%20access%20for%20all%20guest%20accounts%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Azure-AD-conditional-access.png%22%20style%3D%22width%3A%20822px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F331192i7716315B4E0DA7CF%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Azure-AD-conditional-access.png%22%20alt%3D%22Azure-AD-conditional-access.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-3026992%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESharePoint%20Online%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3027938%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Online%20enabled%20MFA%20for%20guest%20accounts%2C%20but%20I%20see%20the%20onetime%20passcode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3027938%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1236282%22%20target%3D%22_blank%22%3E%40Kem_Mal%3C%2FA%3E%26nbsp%3BHello%2C%20these%20are%20two%20different%20things.%20You%20have%20the%20CA%20enforcement%20of%20MFA%20configured%20for%20your%20external%20users%20according%20to%20the%20dump%2C%20and%20then%20you%20have%20the%20auto-enabling%20of%20OTP%20which%20is%20best%20described%20by%20attaching%20this.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22ChristianJBergstrom_0-1638460526495.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F331252i549FF1232D0597BC%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22ChristianJBergstrom_0-1638460526495.png%22%20alt%3D%22ChristianJBergstrom_0-1638460526495.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELet%20me%20add%20this%20for%20the%20redemption%20flow%20as%20well%20(the%20invite)%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fexternal-identities%2Fredemption-experience%23invitation-redemption-flow%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EInvitation%20redemption%20in%20B2B%20collaboration%20-%20Azure%20AD%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EConsider%20enabling%20this%20(the%20way%20going%20forward)%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsharepoint%2Fsharepoint-azureb2b-integration%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20AD%20B2B%20integration%20for%20SharePoint%20%26amp%3B%20OneDrive%20-%20SharePoint%20in%20Microsoft%20365%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

We enabled MFA for guest accounts in a conditional access policy. I test it 2 weeks before with some gmail and hotmail private accounts and SharePoint. It was working fine. The guest accounts needed to do the MFA configuration and authentication. 

 

Now I see at some guest account it receives the onetime passcode. I now this features is just rolled out by MS in november and is default enabled on all tenants. But what is now the behaviour with the onetime passcode and MFA for guest accounts? Do they get both or just one?

 

One-time passcode authentication for B2B guest users - Azure AD | Microsoft Docs

 

otp-send-code.png

otp-send-code.png

 

 

See picture below for conditional access for all guest accounts:

 

Azure-AD-conditional-access.png

5 Replies

@Kem_Mal Hello, these are two different things. You have the CA enforcement of MFA configured for your external users according to the dump, and then you have the auto-enabling of OTP which is best described by attaching this.

 

ChristianJBergstrom_0-1638460526495.png

 

 

Let me add this for the redemption flow as well (the invite)

Invitation redemption in B2B collaboration - Azure AD | Microsoft Docs

 

Consider enabling this (the way going forward)

Azure AD B2B integration for SharePoint & OneDrive - SharePoint in Microsoft 365 | Microsoft Docs

Thanks Christian. What is the behaviour of MS guest accounts already registered in AAD?
What is the behaviour of non-MS guest (for example gmail) accounts already registered in AAD?

What is the behaviour of new MS guest accounts (not registered in AAD)?
What is the behaviour of new non-MS guest (for example gmail) accounts (not registered in AAD)?
You have to do your own reading here. I believe the docs referenced by us already have this info. If you need further assistance go with the official support (ticket from M365 admin center).
Hi Christian, thats my problem. The documentation about OTP dont talk about the combination with MFA. And the documentation about MFA dont talk about OTP. I created a support ticket, but it looks they also dont know. I was hoping someone from this community knows it.
That's because they are not associated. I think you're confusing the "old" SharePoint external sharing OTP feature and the "new" Azure AD B2B EOTP (email one-time passcode) using Azure B2B Invitation Manager, with software and hardware tokens used for MFA. The EOTP feature in Azure AD is an identity provider for authentication for users not having an Azure AD or Microsoft account.

You should verify AAD B2B EOTP setting and the activation of AAD B2B integration of SharePoint and OneDrive while you're at it. The flow will be more seamless.