Azure AD makes sharing and collaboration seamless for any user with any account
Published Jan 28 2019 05:00 PM 36.7K Views

Howdy folks,


Azure AD B2B Collaboration provides customers with an easy way to share applications and collaborate with people from any organization, whether or not they have Azure AD or an IT department. We’ve been working to make B2B Collaboration even more seamless by helping partners bring their own identity. For example, last summer we announced support for Google social IDs.


Today, I'm thrilled to announce the next major step for B2B Collaboration—the public preview of email one-time passcodes (OTP), which lets you support B2B sharing with anyone in the world with an email account!


With email OTP, any partner who doesn't have an existing Microsoft-backed account or Google social ID can seamlessly access shared resources and collaborate without having to create a new account. When you invite a guest who doesn’t have an Azure AD, Google, or Microsoft Account, they can use their existing email account to collaborate. Each time they sign-in using Azure AD, they receive an OTP code via email, which they can enter to prove continued ownership of the email inbox.


By using this new capability, you allow guest users to use their work email account for authentication while making sure your corporate resources are protected by the same security standards that are mandated by your partner organization. In addition, you can optionally apply additional security through conditional access and Multi-Factor Authentication (MFA).


Guests using email OTP are just like any other B2B guests, and they have access to the same Azure AD features.

 

OTP 1.png

 

Our Email OTP capability also has built-in lightweight lifecycle management. Each authentication session only lasts 24 hours, after which guests have to re-authenticate with a new email OTP. This means your guests have to prove they still have access to their work email inboxes and have not left the partner company every 24 hours.


Email OTP enables you to collaborate with anyone, no matter where they are in their cloud journey. If your partner organization is not yet in the cloud or in a hybrid environment, on-premises guests can simply sign in with email OTP instead of having to use cloud sync, federation, or another solution.


Let me walk you through the user sign in experience. At redemption time and subsequent authentications, the guest sees a sign in prompt that asks them to request a code.

 

OTP 2.png

 

Then, they receive a one-time passcode code via email, which allows them to sign in.

 

OTP 3.png

 

We’re very excited for you to try email OTP, so go ahead and dive into the documentation to see how to preview email OTP today! Let us know your thoughts about the feature design by completing our survey.

 

And let us know what you think in the comments below or post your feedback and suggestions in our Azure AD UserVoice feedback forum.

 

Best regards,

Alex Simons (@Alex_A_Simons )

Corporate VP of Program Management

Microsoft Identity Division

26 Comments
Steel Contributor

Excellent news !

Deleted
Not applicable

Big news. Glad to see this covers everyone now. I like the 24-hour check to ensure the guest is still employed. Was a major risk at a previous employer that limited our use of external access. Well done.

Silver Contributor

The survey asks for an opinion to make this enabled for everyone with no off switch. Some might consider such auth not secure enough (email with a working code leaks). I think it might be a default for a new tenant, but not without an off switch.

Steel Contributor

Will this in some way replace the one time passcode sent in the new sharing experience in SharePoint that also senda out a one-time passcode described here: https://techcommunity.microsoft.com/t5/OneDrive-Blog/Introducing-a-new-secure-external-sharing-exper... ?

Microsoft

@Jonas Back This will replace the one-time passcode sent in SharePoint soon. Please watch the message center for an announcement from OneDrive/SharePoint coming later.

Copper Contributor

This is a good feature/addition! 

What about ‘federation across multiple O365 tenants’ though? Wherby tenants can enjoy a seamless GAL, IM Presence and easy adding of users from GAL to SP sites/groups etc. across the tenants. Just like one would do these things within a single tenant? Any info/thoughts on this please?

@Alex Simons (AZURE) are you guys working to add a multi factor authentication option to it? There is a lot of requests for it.
Silver Contributor

Well, they say in the article "In addition, you can optionally apply additional security through conditional access and Multi-Factor Authentication (MFA)."

@wroot and @Alex Simons (AZURE) thanks for the reply and I framed it wrong. Will it be possible to trigger MFA via a different channel? So not two times a check via the mailadres, but also one via the Authenticator app or text message?
Bronze Contributor

Excellent, love to see even more possiblities: what ever ANY (device, operation system, cloud, tenant, resource, account,...). Why not also support custom OpenId Connect providers directly; makeing it even easier to support different identity providers in your own tenant in an environment Ops are very familiar with (just like a sub in your own Azure AD, but not like B2C). Truly Pointing to One Secure Identity that also supports MFA:

https://azure.microsoft.com/en-us/overview/decentralized-identity/
https://identity.foundation/

Silver Contributor

Robin, i haven't played with the Authenticator app, but isn't it required to have some sort of account for it?

@wroot Well I'm not sure, so hoping @Alex Simons (AZURE) can chip in. According my knowledge and customer feedback, the MFA is actioned twice via the email address. Which is of course not 100% secure. Because what if you make an typo of the email address?
Iron Contributor

@Robin van Setten  The feature Alex is referring to is back by Condition Access. The login introduced here is a OTP solution based on email. Based on this AAD guest user the normal Azure AD Conditional Access feature will work and you can craft a rule to enforce MFA for these users. This Azure AD MFA is based on the Authenticator App (or PhoneCall or SMS or Code). Email is not an option! Be aware that this feature will require a Azure AD Premium License (P1). As these OPT account are clearly not based on Azure AD these account are require a license based on a 1:5 ration as metioned in this article:

https://docs.microsoft.com/en-us/azure/active-directory/b2b/licensing-guidance

Thanks @Marco Scheel, this clarifies. Sorry for my lack of knowledge. I will discuss this with the team and if I have questions I'll post another comment. Thank you all
Copper Contributor

So is this how it is used:

 

We create the user in Azure as a Guest - They get the Email - Get the code - And can then for 24hrs access our information? For example: We have claims that have files coming in constantly - We use SharePoint sites for this instance - Could the individual use this way to just login to SP directly - Or how would we get this to be used with SP?

 

Any suggestions/ideas would be awesome!

 

Thanks

Justin

Silver Contributor

You may create guests users manually before hand, but this is not required. I think this should work this way: you share something via SPO/OneDrive and specify email address. That user receives an email with a link to shared content (maybe even another email with a code right away), then presses on that link and it asks to login. After specifying email address Azure sees that there is no MS ID or Azure ID with that email and then sends a code to that email. Maybe it is possible to first add a guest user, then add it to permissions of some content (SPO or other) and this way allow to login and reach that content (library, etc.), but i'm not sure about it.

Great work and the 24 cap is a must ! Well done. 

Brass Contributor

Cool. One of the expected feature. Well done team!

Hi Guys,

I Enabled this in My Tenant  - Work like Charm

but one thing not working - wonder if it's happen only me

I Add Guest User In AAD - and he Click Get Started - and type the OTP - all good

then I Added him to Guest to my Team

he click on the Mail - Open Team - and  use open Web Instead the Desktop APP

then we got another OTP to his mail - he type it - and logon the Microsoft Teams (Amazing) with only  OTP

But - After 3-4 Seconds he Just log-out by Teams for unknown reason 

 

any idea why ?


@Alex Simons (AZURE) wrote:

Howdy folks,


Azure AD B2B Collaboration provides customers with an easy way to share applications and collaborate with people from any organization, whether or not they have Azure AD or an IT department. We’ve been working to make B2B Collaboration even more seamless by helping partners bring their own identity. For example, last summer we announced support for Google social IDs.


Today, I'm thrilled to announce the next major step for B2B Collaboration—the public preview of email one-time passcodes (OTP), which lets you support B2B sharing with anyone in the world with an email account!


With email OTP, any partner who doesn't have an existing Microsoft-backed account or Google social ID can seamlessly access shared resources and collaborate without having to create a new account. When you invite a guest who doesn’t have an Azure AD, Google, or Microsoft Account, they can use their existing email account to collaborate. Each time they sign-in using Azure AD, they receive an OTP code via email, which they can enter to prove continued ownership of the email inbox.


By using this new capability, you allow guest users to use their work email account for authentication while making sure your corporate resources are protected by the same security standards that are mandated by your partner organization. In addition, you can optionally apply additional security through conditional access and Multi-Factor Authentication (MFA).


Guests using email OTP are just like any other B2B guests, and they have access to the same Azure AD features.

 

OTP 1.png

 

Our Email OTP capability also has built-in lightweight lifecycle management. Each authentication session only lasts 24 hours, after which guests have to re-authenticate with a new email OTP. This means your guests have to prove they still have access to their work email inboxes and have not left the partner company every 24 hours.


Email OTP enables you to collaborate with anyone, no matter where they are in their cloud journey. If your partner organization is not yet in the cloud or in a hybrid environment, on-premises guests can simply sign in with email OTP instead of having to use cloud sync, federation, or another solution.


Let me walk you through the user sign in experience. At redemption time and subsequent authentications, the guest sees a sign in prompt that asks them to request a code.

 

OTP 2.png

 

Then, they receive a one-time passcode code via email, which allows them to sign in.

 

OTP 3.png

 

We’re very excited for you to try email OTP, so go ahead and dive into the documentation to see how to preview email OTP today! Let us know your thoughts about the feature design by completing our survey.

 

And let us know what you think in the comments below or post your feedback and suggestions in our Azure AD UserVoice feedback forum.

 

Best regards,

Alex Simons (@Alex_A_Simons )

Corporate VP of Program Management

Microsoft Identity Division


Thanks,

Nati Papirovitch

 

 

Microsoft

@Nati Papirovitch This is a bug that Teams is fixing. Please also read more about limitations of the public preview in the documentation.

@Justin Scarborough SharePoint will soon be using B2B email OTP. Please watch the message center for an announcement from OneDrive/SharePoint coming later.

Microsoft

Great work!

Iron Contributor

@Maria_Lai : You wrote: "also read more about limitations of the public preview in the documentation"

But where I can find this? On the site https://docs.microsoft.com/en-us/azure/active-directory/b2b/one-time-passcode I can't find anything...

 

Thank You.

Brass Contributor

@Maria_Lai So I guess we cannot use this until the issue with Teams is resolved as Teams will use this by default when enabled on our tenant?  Appreciate if you can confirm and if that is the case, do we have any timings on when the issue with Teams be resolved?

Also, has this been tested across other applications like Power BI?  

 

Copper Contributor

Confirm a question, does this new feature also apply to AIP when add collaborators who use Google - Gmail to log in?

Copper Contributor

Great news!

Copper Contributor

We've encountered a few issues in the previous (non-OTP) B2B model. E.g. when the invited guest is from an email domain that corresponds to an actively owned/managed AAD tenant, but that organization has not created accounts for their employees in this tenant (and is probably not using o365 for email). In cases like this, invite redemption fails. OTP improves on this, in that if the account does not exist in the tenant, the invited guest gets the OTP experience. But we have also encountered users who do have an account in a actively owned/managed tenant, but don't know the password, and SSPR has not been enabled in that tenant. OTP would not help us in cases like this. To work around cases like this, we need to be able to force federated "External Azure AD" users to be treated as OTP guest users in out tenant. Without that, we'll still have cases where we are stuck - particularly if the IT group in that other org are uncooperative (happens all the time).

Version history
Last update:
‎Jul 24 2020 01:45 AM
Updated by: