Sharepoint: B2B integration enabled and conditional access requesting MFA when sharing with Guest

Sergio Londono 811 Reputation points
2025-02-20T17:56:19.48+00:00

Hello,

In my tenant I have a Conditional Access policy requesting MFA for all guests.

In SharePoint, I enabled SharePoint B2B integration with Entra ID.

One-time passcode is enabled.

An internal user shares a file from SharePoint; the guest account is created in my tenant directory as a guest and the invitation is pending acceptance.

When the external user redeems the sharing link, he is requested to do OTP.

Then the guest account is created and MFA registration is requested.

The guest account is created with the authentication method Microsoft Authenticator.

The guest is able to access the shared file.

So, here is the issue.
If later an internal member shares a file with the guest account, the guest is requested to do OTP and MFA using Microsoft Authenticator, meaning he needs to verify his identity 2 times.

I.e., the user is not authenticated in Gmail; let's suppose after 2 days.

One day the external guest accesses his email and sees the sharing link:

He is requested to do OTP:

and then does MFA using Authenticator.

As you can see, the guest accounts in Gmail are required to do the MFA 2 times, one using OTP to verify the account in Gmail, and another MFA requested by the Conditional Access policy.

Question:
Is there any way that the Gmail guest account is not requested for OTP and only provides the MFA using Microsoft Authenticator?

Accepted answer
    Sanoop M 1,000 Reputation points Microsoft Vendor
    2025-02-21T23:37:07.63+00:00

    Hello @Sergio Londono,

    Thank you for posting your query on Microsoft Q&A.

    Based on your issue description, I understand that the guest accounts in your tenant are required to do the MFA 2 times, one using OTP to verify the account in Gmail, and another MFA requested by the Conditional Access policy.

    Question: Is there any way that the Gmail guest account is not requested for OTP and only provides the MFA using Microsoft Authenticator?

    Answer:

    I understand that you have configured Email one-time passcode as an identity provider under All identity providers on the External Identities configuration page in your Microsoft Entra ID tenant, as shown in the screenshot below.

    Since you have selected Yes for the Email one-time passcode for guests option, it is expected behavior that each time the guest user signs in to your directory, they receive a passcode via email for authentication.

    User experience for one-time passcode guest users

    When the email one-time passcode feature is enabled, newly invited users who meet certain conditions will use one-time passcode authentication. Guest users who redeemed an invitation before email one-time passcode was enabled will continue to use their same authentication method.

    With one-time passcode authentication, the guest user can redeem your invitation by clicking a direct link or by using the invitation email. In either case, a message in the browser indicates that a code will be sent to the guest user's email address. The guest user selects Send code:

    A passcode is sent to the user’s email address. The user retrieves the passcode from the email and enters it in the browser window:

    The guest user is now authenticated, and they can see the shared resource or continue signing in.

    When does a guest user get a one-time passcode?

    When a guest user redeems an invitation or uses a link to a resource that has been shared with them, they’ll receive a one-time passcode if:

    • They don't have a Microsoft Entra account.
    • They don't have a Microsoft account.
    • The inviting tenant didn't set up federation with social (like Google) or other identity providers.
    • They don't have any other authentication method or any password-backed accounts.
    • Email one-time passcode is enabled.

    Enable or disable email one-time passcodes

    The email one-time passcode feature is now turned on by default for all new tenants and for any existing tenants where you haven't explicitly turned it off. This feature provides a seamless fallback authentication method for your guest users. If you don't want to use this feature, you can disable it, in which case users will be prompted to create a Microsoft account.

    Question:

    Is there any way that the Gmail guest account is not requested for OTP and only provides the MFA using Microsoft Authenticator?

    Answer:

    If you don't want the guest users to get email OTP on their Gmail account and only get MFA using Microsoft Authenticator, then you have to set the Email one-time passcode for guests option to No, as shown in the screenshot below for your reference.

    Note:

    If you don't want to use this feature, you can disable it, in which case users will be prompted to create a Microsoft account.

    For additional details, please refer to the below document for your reference.

    Email one-time passcode authentication - Microsoft Entra External ID | Microsoft Learn

    I hope the above information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

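The prompt sequence the answer describes, modelled as an added example (not Microsoft code or a Graph API): it shows which first-factor provider a guest is routed to under the conditions listed above, the extra MFA prompt the Conditional Access policy adds on top of it, and which guests change behaviour when the Email one-time passcode toggle is set to No. The Tenant and Guest fields and the sample addresses are constructed for the example, and Google federation is assumed not to be configured, as in the thread.

```python
from dataclasses import dataclass, field


@dataclass
class Tenant:  # constructed model of the two settings this thread is about
    email_otp_for_guests: bool            # External Identities > "Email one-time passcode for guests"
    ca_requires_mfa_for_guests: bool      # the Conditional Access policy targeting all guests
    federated_idps: set = field(default_factory=set)  # e.g. {"gmail.example"} if Google federation were set up


@dataclass
class Guest:  # constructed guest record; the flags are assumptions, not Graph attributes
    email: str
    has_entra_account: bool = False       # work/school account in another Entra tenant
    has_microsoft_account: bool = False   # personal Microsoft account


def first_factor(guest: Guest, tenant: Tenant) -> str:
    """Identity provider that verifies the guest, following the conditions listed in the answer."""
    if guest.has_entra_account:
        return "entra-id"
    if guest.has_microsoft_account:
        return "microsoft-account"
    domain = guest.email.rsplit("@", 1)[-1].lower()
    if domain in tenant.federated_idps:
        return "federated:" + domain
    if tenant.email_otp_for_guests:
        return "email-otp"
    # No fallback provider left: the answer notes such guests are prompted to create a Microsoft account.
    return "create-microsoft-account"


def sign_in_prompts(guest: Guest, tenant: Tenant) -> list:
    """Prompts the guest sees: the first factor, then the MFA the CA policy adds on top of it."""
    prompts = [first_factor(guest, tenant)]
    if tenant.ca_requires_mfa_for_guests:
        # A registered MFA method never replaces the first factor, which is why the thread's guest saw both.
        prompts.append("mfa:microsoft-authenticator")
    return prompts


def guests_affected_by_disabling_otp(guests: list, tenant: Tenant) -> list:
    """Guests whose first factor changes if the OTP toggle is set to No; review these before flipping it."""
    off = Tenant(False, tenant.ca_requires_mfa_for_guests, tenant.federated_idps)
    return [g.email for g in guests if first_factor(g, tenant) != first_factor(g, off)]


# Constructed sample data matching the thread: OTP on, CA requires MFA, no Google federation.
TENANT = Tenant(email_otp_for_guests=True, ca_requires_mfa_for_guests=True)
GUESTS = [
    Guest("guest@gmail.example"),                               # the Gmail guest from the question
    Guest("partner@contoso.example", has_entra_account=True),   # guest from another Entra tenant
    Guest("hobby@outlook.example", has_microsoft_account=True),
]
```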