(Updated) Retirement of SharePoint One-Time Passcode (SPO OTP) and transition to Microsoft Entra B2B

🚨 The Signal: SharePoint One-Time Passcode (SPO OTP) for external sharing is being retired and replaced by Microsoft Entra B2B. This standardises external access, improving governance, lifecycle management, and Conditional Access for guest users across Microsoft 365.

The Impact

External users who access SharePoint or OneDrive content are affected. Security risk is reduced because their access is tied to managed identities.

  • External users: May lose access to old links if no B2B guest account exists.
  • Security teams: Gain consistent Conditional Access for external users.
  • Admins: Must manage B2B guest accounts for external collaboration.
  • Organisations: Benefit from enhanced governance over external access.

The Action

  1. Review existing external sharing policies in SharePoint Online and OneDrive.
  2. Familiarise yourself with Microsoft Entra B2B guest invitation and management processes.
  3. Communicate the change to external collaborators, advising on potential re-sharing needs.
  4. Monitor Entra ID sign-in logs for external users post-transition for access issues.
  5. Ensure Conditional Access policies are configured to apply to B2B guest users.
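
One way to carry out the check in step 5, as an added example that is not Microsoft's code or part of the original notice. It assumes policy objects shaped like the Microsoft Graph conditionalAccessPolicy resource (for example from Get-MgIdentityConditionalAccessPolicy -All); the three sample policies are constructed, and the check looks only at user scope and the built-in mfa grant control, not at target applications or authentication strengths.

```powershell
# Added example. Classifies each Conditional Access policy by whether it is
# enforced, reaches B2B collaboration guests, and requires MFA.
function Test-CaPolicyCoversGuests {
    param([Parameter(Mandatory)] $Policy)

    $users     = $Policy.Conditions.Users
    $guestType = 'b2bCollaborationGuest'

    # Guests are in scope via 'All', the 'GuestsOrExternalUsers' keyword, or
    # the granular guest/external user type list (a comma-separated string).
    $included = ($users.IncludeUsers -contains 'All') -or
                ($users.IncludeUsers -contains 'GuestsOrExternalUsers') -or
                ($users.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes -match $guestType)
    # An exclusion always wins over an inclusion.
    $excluded = ($users.ExcludeUsers -contains 'GuestsOrExternalUsers') -or
                ($users.ExcludeGuestsOrExternalUsers.GuestOrExternalUserTypes -match $guestType)

    [pscustomobject]@{
        Policy       = $Policy.DisplayName
        Enforced     = $Policy.State -eq 'enabled'   # report-only does not count
        CoversGuests = $included -and -not $excluded
        RequiresMfa  = $Policy.GrantControls.BuiltInControls -contains 'mfa'
    }
}

# Constructed sample policies (not real tenant data). With Microsoft Graph
# PowerShell connected, replace this array with:
#   $policies = Get-MgIdentityConditionalAccessPolicy -All
$policies = @(
    @{ DisplayName   = 'Require MFA - all users'; State = 'enabled'
       Conditions    = @{ Users = @{ IncludeUsers = @('All') } }
       GrantControls = @{ BuiltInControls = @('mfa') } }
    @{ DisplayName   = 'Require MFA - staff only'; State = 'enabled'
       Conditions    = @{ Users = @{ IncludeUsers = @('All')
           ExcludeGuestsOrExternalUsers = @{
               GuestOrExternalUserTypes = 'b2bCollaborationGuest,b2bCollaborationMember' } } }
       GrantControls = @{ BuiltInControls = @('mfa') } }
    @{ DisplayName   = 'Guest MFA - report only'; State = 'enabledForReportingButNotEnforced'
       Conditions    = @{ Users = @{ IncludeUsers = @()
           IncludeGuestsOrExternalUsers = @{ GuestOrExternalUserTypes = 'b2bCollaborationGuest' } } }
       GrantControls = @{ BuiltInControls = @('mfa') } }
)

$report = $policies | ForEach-Object { Test-CaPolicyCoversGuests -Policy $_ }
$report | Format-Table -AutoSize

if (-not ($report | Where-Object { $_.Enforced -and $_.CoversGuests -and $_.RequiresMfa })) {
    Write-Warning 'No enforced policy requires MFA for B2B collaboration guests.'
}
```

With the sample data, only the first policy is enforced, covers guests and requires MFA; the second excludes guests and the third is report-only.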

Domain: Entra · Impact: high · Workload: SharePoint · Essential Eight: Multi-Factor Authentication · ISM: ISM-0109, ISM-0123, ISM-0140, ISM-0974, ISM-1173, ISM-1228, ISM-1401, ISM-1504, ISM-1505, ISM-1679, ISM-1680, ISM-1681, ISM-1682, ISM-1683, ISM-1815, ISM-1819, ISM-1872, ISM-1873, ISM-1874, ISM-1892, ISM-1893, ISM-1894, ISM-1906, ISM-1907