Mandatory one-time password is coming, are you ready?

Posted by Harri Jaakkonen Posted on 03/12/2021 0 Comments on Mandatory one-time password is coming, are you ready?
Posted in Azure, Azure B2B, Identity
Hand-drawn lock and key illustration | free image by rawpixel.com | Key drawings, Lock drawing, Bird pencil drawing

Microsoft has statement in the in their docs saying.

Starting November 1, 2021, we’ll begin rolling out a change to turn on the email one-time passcode feature for all existing tenants and enable it by default for new tenants. At that time, Microsoft will no longer support the redemption of invitations by creating unmanaged (“viral” or “just-in-time”) Azure AD accounts and tenants for B2B collaboration scenarios. We’re enabling the email one-time passcode feature because it provides a seamless fallback authentication method for your guest users. However, you have the option of disabling this feature if you choose not to use it. To minimize disruptions during the holidays and deployment lockdowns, the majority of tenants will see changes rolled out in January 2022.

Enabled by default?

Yes, enabled by default but this is actually good news and you can disable the OTP requirement if needed.

The email one-time passcode feature is a way to authenticate B2B collaboration users when they can’t be authenticated through other means, such as Azure AD, Microsoft account (MSA), or social identity providers. When a B2B guest user tries to redeem your invitation or sign in to your shared resources, they can request a temporary passcode, which is sent to their email address. Then they enter this passcode to continue signing in.

The process

Email one-time passcode overview diagram

When does a guest user get a one-time passcode?

When a guest user redeems an invitation or uses a link to a resource that has been shared with them, they’ll receive a one-time passcode if:

  • They do not have an Azure AD account
  • They do not have a Microsoft account
  • The inviting tenant did not set up federation with social (like Google) or other identity providers.

At the time of invitation, there’s no indication that the user you’re inviting will use one-time passcode authentication. But when the guest user signs in, one-time passcode authentication will be the fallback method if no other authentication methods can be used.

How to enable OTP for guest users?

  1. Sign in to the Azure portal as an Azure AD global administrator.
  2. In the navigation pane, select Azure Active Directory.
  3. Select External Identities > All identity providers.
  4. Select Email one-time passcode to open the configuration pane.
  5. Under Email one-time passcode for guests, select one of the following:

Automatically enable email one-time passcode for guests starting <date> if you don’t want to enable the feature immediately and want to wait for the November 1, 2021 automatic enablement date.

Enable email one-time passcode for guests effective now to enable the feature now.

Yes to enable the feature now if you see a Yes/No toggle (this toggle appears if the feature was previously disabled).

Email one-time passcode toggle enabled

Email one-time passcode settings have moved in the Azure portal from External collaboration settings to All identity providers. If you see a toggle instead of the email one-time passcode options, this means you’ve previously enabled, disabled, or opted into the preview of the feature. Select No to disable the feature.

Ways of creating a Azure B2B Guest user

When you open users blade from Azure portal you will the the following.

You can either create the user manually.

Or you can invite the user

If you invite they will be greeted with invitation email to their login address.

The elements of the B2B collaboration invitation email

Screenshot showing the B2B invitation email

Explaining the email

Let’s look at a few elements of the email so you know how best to use their capabilities.

Subject

The subject of the email follows this pattern:

<username> invited you to access applications within their organization.

From address

We use a LinkedIn-like pattern for the From address. This pattern should make it clear that although the email comes from invites@microsoft.com, the invitation is from another organization. The format is: Microsoft Invitations invites@microsoft.com or Microsoft invitations on behalf of <tenantname> invites@microsoft.com.

Reply To

The reply-to email is set to the inviter’s email when available, so that replying to the email sends an email back to the inviter.

Phishing warning

The email starts with a brief warning to the user about phishing, alerting them that they should only accept invitations they’re expecting. It’s good practice to make sure the partners you’re inviting will not be surprised by your invitation by mentioning it to them ahead of time.

Accept button and redirect URL

The next section of the email contains information about where the invitee will be taken after they accept the invitation, as well as a button to do so. In the future, the invitee can always use this link to return to your resources directly.

The footer contains more information about the invitation being sent. There is always an option for the invitee to block future invitations. If the organization has set a privacy statement, the link to the statement is displayed here. Otherwise, a note indicates the organization hasn’t set a privacy statement.

Image of the footer section in the email

That’s all folks! Until next time.

KEEP CALM AND SHIP THAT OTP - Keep Calm and Posters Generator, Maker For Free - KeepCalmAndPosters.com
Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *