SharePoint Guest Access and Azure AD B2B

Guest access in SharePoint is a great feature. Allowing people from other organisations to read or even collaborate on documents is becoming more and more common as organisations embrace Microsoft 365. And yet, in my view it suffered from a few minor flaws. Up till now.

SharePoint works in mysterious ways…

The issues occur when you allow your users to invite new guests from SharePoint and OneDrive:

SharePoint guest access settings

As long as you’re inviting people into your Azure AD first, and let them go through the invite redemption process, accessing SharePoint afterwards works like a charm. The key word here is ‘afterwards’. Guest access with existing Azure AD guests works fine. The issues I’m talking about start as soon as you want to invite NEW guests and you’re starting in SharePoint. This is a perfectly normal scenario: an average user would not think to approach IT, he’ll just hit the ‘Share’ button and try it out.

…when sharing a file or folder with a new guest

When the average user in question shares a file or folder with a new guest, that new guest will be able to get to the document. That part works fine. But he’ll be a special type of user, a SharePoint-only email auth guest (also called an ad hoc external recipient). The problem is: this kind of user will not end up in Azure AD, even though he might (over time) be granted access to a lot of documents and folders. It’s like Mr X in the ‘Scotland Yard’ board game: you never know where he is, unless you happen to step on him. He’s not even really signing in. He opens the document using a verification code sent to his email address, which looks a lot like the new Azure AD one-time passcode (OTP) functionality, although it’s not the same thing: even if you’ve disabled OTP, guests will still be able to use this SharePoint verification code to get in.

Using a SharePoint verification code

Not being able to find these users in Azure AD is not ideal in my opinion. What if you want to monitor sign-in activity for these guests, or what if you would want to block the user from accessing tenant resources? Or apply Azure AD Conditional Access policies? There is no visibility and no control.

Not ideal: SharePoint-only email auth guests cannot be found in Azure AD. You cannot monitor their sign-in activity, block them from tenant resources, or apply Azure AD Conditional Access policies to them.

…when sharing an entire SharePoint site with a new guest

When the average user in question shares an entire site with a new guest, we see different behaviour. In this case, the user will eventually be added to Azure AD, which is good. But he’ll not get the default Azure AD invitation redemption experience. He’ll get the old-fashioned SharePoint version: he’ll be asked to sign in using a Microsoft account or an organisational account. Other federation options are not supported, even if configured in Azure AD, and OTP is not supported here either. On top of that: if you’re already signed in with your organisational account and you click on the sharing link, you might not even be able to redeem your invite. You might get stuck on this error:

SharePoint invite redemption flow issue

Not ideal: When inviting guests to SharePoint sites they'll not get the default Azure AD invite redemption experience. Hence they'll not benefit from all the Azure AD External Identities features.

… so is that problematic?

Is all that problematic? You could of course just disable new guests in SharePoint, but you lose a lot of powerful functionality when you do that. These little flaws mainly show what’s going on underneath: there are still areas where SharePoint and Azure AD aren’t really integrated very well. And more of these small inconsistencies surface the longer you work with the tools.

Solution

Luckily Microsoft has been changing things. A new feature has been rolling out which enables a better integration between SharePoint and Azure AD and solves the issues mentioned above: new guests will always be added to Azure AD, and they’ll always go through the default Azure AD invite redemption experience, plus a few extra bonuses on top of that. SharePoint and Azure AD will now work together in a more logical way. And all that by configuring it with two lines of SharePoint Online PowerShell. Be sure to install the latest version of the SharePoint Online Management Shell cmdlets and run the following:

    # Connect to the SharePoint admin centre, then switch on the Azure AD B2B integration
    Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"
    Set-SPOTenant -EnableAzureADB2BIntegration $true
    Set-SPOTenant -SyncAadB2BManagementPolicy $true

Or use the CLI for Microsoft 365, version >= 5.2.0:

    m365 spo tenant settings set --EnableAzureADB2BIntegration true
    m365 spo tenant settings set --SyncAadB2BManagementPolicy true

Note: On my own development environment, the change had instant effect. On a different tenant, the change took more than a day to take effect.

SharePoint guest access and OTP

There is one important thing to keep in mind here: this change is riding on the back of another important new feature, Azure AD one-time passcodes (OTP). OTP is the recent Azure AD External Identities feature that Microsoft is pushing, where you can redeem an invite and sign in to another Azure AD by filling in a verification code that was sent to your email address. It’s a great feature which will, among other things, put an end to unmanaged (‘viral’) tenants. Guest users will only use the feature if they do not have a personal or organisational Microsoft account, or a Google account for that matter, if Google federation was configured on your tenant. See this helpful redemption flow diagram to understand when it will be used.

So OTP is an optional setting that allows for a quicker invite redemption and sign-in experience for some guest users. Microsoft initially communicated that this setting would be enabled by default in October 2021, but the deployment schedule has changed: the setting will now be enabled by default in July 2022. You can opt out or opt in though.

Enabling or disabling OTP

And that’s important, because if you opt out, you’ll not be able to use the new SharePoint and Azure AD B2B integrated experience. If you haven’t enabled OTP and you execute the cmdlets, you’ll get the following warning:


    WARNING: Make sure to also enable the Azure AD one-time passcode authentication preview. If it is not enabled then
    SharePoint will not use Azure AD B2B even if EnableAzureADB2BIntegration is set to true. Learn more at
    http://aka.ms/spo-b2b-integration.
     

If you do not enable OTP after this, the integration feature will simply not work: SharePoint guest access will keep working like it did before. There’s probably some technical reason why Microsoft has made this integration so dependent on OTP. But for those who don’t want to use OTP for some reason or other, I hope that this will change in the future. Let’s see where time brings us.
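Putting the configuration step and the OTP dependency together, the following PowerShell script is an added example (not from the original post): it applies both settings in one Set-SPOTenant call, captures the OTP warning quoted above instead of letting it scroll past (in a script, a non-terminating warning is easy to miss), and verifies the resulting tenant settings with Get-SPOTenant. The $TenantName parameter and the match string for the warning are assumptions; the cmdlets and parameters used are the standard ones from the SharePoint Online Management Shell.

```powershell
# Added example: enable the SharePoint / Azure AD B2B integration, fail loudly
# if SharePoint reports that Azure AD email OTP is not enabled, and verify the
# resulting tenant settings. Requires the SharePoint Online Management Shell.
param(
    # Assumption: the tenant prefix, e.g. "contoso" for contoso-admin.sharepoint.com
    [Parameter(Mandatory)] [string] $TenantName
)

Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# Record the current state so the change is auditable.
$before = Get-SPOTenant | Select-Object EnableAzureADB2BIntegration, SyncAadB2BManagementPolicy
Write-Host "Before:" (($before | Format-List | Out-String).Trim())

# Both switches in one call. -WarningVariable is a common parameter that collects
# the non-terminating warning SharePoint raises when Azure AD OTP is not enabled.
Set-SPOTenant -EnableAzureADB2BIntegration $true `
              -SyncAadB2BManagementPolicy $true `
              -WarningVariable spoWarnings

# Assumption: the warning text contains "one-time passcode", as quoted in the post.
if ($spoWarnings -match 'one-time passcode') {
    throw "Azure AD email OTP is not enabled, so SharePoint will not use Azure AD B2B even though the flags are set. Enable OTP under Azure AD External Identities and re-run."
}

# Verify the flags actually landed. Note that the behavioural change itself may
# take more than a day to propagate, so this only checks the stored settings.
$after = Get-SPOTenant
if (-not ($after.EnableAzureADB2BIntegration -and $after.SyncAadB2BManagementPolicy)) {
    throw "Tenant settings were not updated as expected: " +
          "EnableAzureADB2BIntegration=$($after.EnableAzureADB2BIntegration), " +
          "SyncAadB2BManagementPolicy=$($after.SyncAadB2BManagementPolicy)"
}
Write-Host "SharePoint / Azure AD B2B integration enabled; allow time for the change to take effect."
```

Run it as .\Enable-SpoB2B.ps1 -TenantName contoso (file name assumed) from an account that is a SharePoint administrator; Connect-SPOService will prompt for sign-in. If you prefer not to abort on the warning, replace the throw with Write-Warning, but do not let the warning pass silently: with OTP disabled the flags are set and the integration still does nothing.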

Parting words

Microsoft is doing some great work here in modernising the SharePoint guest access experience. End users as well as IT administrators will benefit greatly from these changes. The only drawback is the reliance on OTP. I hope that even tenants without OTP enabled will benefit from the integration in the future. Either way, it’s good work in the right direction.

Any thoughts, feedback or additions are welcome.


Thanks for reading

Thanks for reading my blog, I hope you got what you came for. Blogs of others have been super important during my work. This site is me returning the favor. If you read anything you do not understand because I failed to clarify it enough, please drop me a post using my socials or the contact form.


Warm regards,
Martin

Microsoft 365 Architect
I4-YOU Business Solutions b.v.