Entra ID: How to force ALL guest users to use OTP authentication?

Norman 0 Reputation points
2024-12-09T00:44:46.23+00:00

Is there a way to enforce OTP authentication for all guest users, including both M365 and Microsoft account users?

My use case involves sharing resources with B2B organizations that have policies preventing their employees from using corporate credentials on third-party websites due to identity and token theft concerns. Thus, the goal is to mandate OTP authentication for guest users, eliminating the need for them to enter their corporate passwords.

I did some research before posting here. All of the answers I found online say it can't be done. How would Entra ID support the above use case then, which I feel should be quite common? Am I missing something?


2 answers

  1. BANDELA Siri Chandana 770 Reputation points Microsoft Vendor
    2024-12-09T15:58:04.29+00:00

    Hi @Norman

    Thank you for posting your query on Microsoft Q&A.

    I understand that you are trying to enforce OTP authentication for all guest users, including both M365 and Microsoft account users, by eliminating the need to enter corporate passwords. Follow the steps below:

    1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.

    2. Browse to Identity > External Identities > All identity providers.

    3. On the Built-in tab, next to Email one-time passcode, select Configured.

    4. Under Email one-time passcode for guests, select one of the following:

    Yes: The toggle is set to Yes by default unless the feature has been explicitly turned off. To enable the feature, make sure Yes is selected.

    5. Select Save.

    For more details, follow the document: https://learn.microsoft.com/en-us/entra/external-id/one-time-passcode

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click `Accept Answer` and `Yes`.

    Thanks,

    B. Siri Chandana.

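The admin-center steps in the answer above toggle one tenant setting, and a practitioner will usually want to verify it from a script rather than the portal and to see which of the tenant's guests the setting actually applies to. The following PowerShell is an added example, not code from the question, either answer, or Microsoft's documentation. It assumes the Microsoft.Graph PowerShell module is installed and that the signed-in account has the Policy.ReadWrite.AuthenticationMethod and User.Read.All permissions; the Graph resource `policies/authenticationMethodsPolicy/authenticationMethodConfigurations/email` and its `allowExternalIdToUseEmailOtp` property are the documented Graph equivalents of the "Email one-time passcode for guests" switch, while the issuer values listed in the comments are what I expect to see and should be checked against your own tenant's output.

```powershell
# Added example: inspect (and, if disabled, re-enable) the "Email one-time passcode
# for guests" setting via Microsoft Graph, then inventory guest users by identity
# issuer so you can see who will get email OTP and who will still authenticate
# with their home tenant's credentials.
# Assumptions: Microsoft.Graph module installed; account holds
# Policy.ReadWrite.AuthenticationMethod and User.Read.All.

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "User.Read.All"

$uri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/email"

# Read the current email authentication method configuration.
$config = Invoke-MgGraphRequest -Method GET -Uri $uri

Write-Host "Email method state:                 $($config.state)"
Write-Host "Email OTP for guests (External ID): $($config.allowExternalIdToUseEmailOtp)"

# 'default' means the tenant-wide default, which is enabled unless an admin
# explicitly turned it off (matching the "Yes by default" note above).
if ($config.allowExternalIdToUseEmailOtp -eq "disabled") {
    $body = @{
        "@odata.type"                = "#microsoft.graph.emailAuthenticationMethodConfiguration"
        allowExternalIdToUseEmailOtp = "enabled"
    }
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body
    Write-Host "Email OTP for guests was disabled; it has now been enabled."
}

# Inventory guests by the issuer recorded on their federated identity. The
# issuer tells you which sign-in path the guest actually takes:
#   expected values (verify in your tenant): 'mail' = email OTP guest,
#   'MicrosoftAccount' = personal MSA, 'ExternalAzureAD' = work/school account
#   that signs in with its home tenant credentials, not email OTP.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -Property Id, Mail, Identities -All

$guests |
    ForEach-Object {
        $issuer = ($_.Identities | Where-Object { $_.SignInType -eq "federated" } |
                   Select-Object -First 1).Issuer
        [pscustomobject]@{ Mail = $_.Mail; Issuer = $issuer }
    } |
    Group-Object Issuer |
    Select-Object @{ n = "Issuer"; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Enabling the toggle does not change the behaviour the second answer describes: guests whose email belongs to a Microsoft Entra tenant still sign in with that tenant's credentials, so the issuer breakdown is the quickest way to see how many of your partners' users the email OTP setting will and will not cover.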

  2. Raja Pothuraju 10,040 Reputation points Microsoft Vendor
    2024-12-19T17:51:49.2733333+00:00

    Hello @Norman,

    Thank you for connecting offline to discuss this issue.

    As we discussed during the call, we observed that you have an application registered under "App registrations" in Entra ID. This application/website is being accessed by users who are added as guest accounts from another organizational directory or personal Microsoft accounts within your directory. When these users attempt to access the application, there are two different scenarios based on the type of account being used:

    Personal Accounts (Microsoft Accounts/MSA): Users with personal accounts can log in to the application via email OTP (username + email OTP) without entering password credentials.

    Work or School Accounts: Users with work or school accounts can log in only using username and password, with no email OTP option available.

    Your goal is to enable email OTP login for work or school accounts as well. However, this feature is not currently supported for work or school accounts. This functionality is only available for personal Microsoft accounts that have enabled passwordless authentication.

    When a password is removed from a personal Microsoft account, it uses one of the available passwordless methods to sign in, such as the Microsoft Authenticator app, Outlook for Android, Windows Hello, physical security keys, SMS or email codes. Since your personal account users utilize passwordless methods, they can log in using username + email OTP.


    For more details about passwordless authentication with Microsoft accounts, please refer to the following document: How to go passwordless with your Microsoft account.

    Unfortunately, this feature is not currently available for work or school accounts, which is why those users cannot log in with username + email OTP.

    I encourage you to provide feedback directly to the Azure Product Group about this feature request. You can do so via the Azure Feedback Forum, where you can suggest new features, propose enhancements, and share general feedback. Additionally, you can vote for existing ideas to help prioritize their implementation or submit your own suggestions.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.

