Managing external business-to-business (B2B) identities can be very problematic for organizations, as it requires them to keep track of guest accounts. Microsoft is addressing this by expanding its Azure AD External Identities solution: it has announced the general availability of email-based one-time passcodes for better B2B collaboration.
Referring to it as email OTP, Microsoft states that this bring-your-own-identity (BYOI) solution is preferable where end-users cannot be authenticated through other methods such as Azure AD, a Microsoft Account, or federation from Google accounts. Access to resources can simply be shared as an invite via email or via a direct link. Invited users then use a one-time passcode (OTP) that is sent to their email account to access the particular resource. This OTP is valid for 24 hours, and a new code is generated and sent to the email address on each subsequent sign-in.
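The lifecycle the article describes (a fresh code for every sign-in, 24-hour validity, one use only) can be sketched as a small server-side component. The following is an added illustration written for this page, not Microsoft's implementation or any Azure AD API; the 8-digit code length, the five-attempt guessing limit, the in-memory store, the outbox stand-in for the mail sender and the address guest@example.com are all assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# The article states a code stays valid for 24 hours. The code length and the
# attempt limit are assumptions of this example, not documented Azure AD values.
OTP_TTL_SECONDS = 24 * 60 * 60
OTP_DIGITS = 8
MAX_ATTEMPTS = 5


@dataclass
class PendingCode:
    salt: bytes
    code_hash: bytes
    expires_at: float
    failed_attempts: int = 0


def _hash_code(code: str, salt: bytes) -> bytes:
    # Keep only a salted hash at rest so a leaked table does not expose live codes.
    # With only 10**OTP_DIGITS possible codes the attempt limit, not the hash,
    # is what defeats guessing.
    return hashlib.sha256(salt + code.encode("ascii")).digest()


class EmailOtpService:
    """Hypothetical server side of an email OTP flow (illustrative, not Microsoft's code)."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock so expiry can be demonstrated
        self._pending: dict[str, PendingCode] = {}
        self.outbox: list[tuple[str, str]] = []  # stand-in for the real mail sender

    def issue(self, email: str) -> str:
        """Generate a fresh code for a sign-in; any earlier code for the address is superseded."""
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        salt = secrets.token_bytes(16)
        self._pending[email.lower()] = PendingCode(
            salt=salt,
            code_hash=_hash_code(code, salt),
            expires_at=self._now() + OTP_TTL_SECONDS,
        )
        self.outbox.append((email, code))    # in production: send by email, never log the code
        return code

    def verify(self, email: str, submitted: str) -> bool:
        """Accept the current code once; reject after expiry or too many wrong guesses."""
        key = email.lower()
        pending = self._pending.get(key)
        if pending is None:
            return False
        if self._now() >= pending.expires_at:
            del self._pending[key]           # expired: the user must request a new code
            return False
        if hmac.compare_digest(_hash_code(submitted, pending.salt), pending.code_hash):
            del self._pending[key]           # single use: a replay of the same code fails
            return True
        pending.failed_attempts += 1
        if pending.failed_attempts >= MAX_ATTEMPTS:
            del self._pending[key]           # guessing budget exhausted
        return False


def wrong_code(code: str) -> str:
    """Return a syntactically valid code that is guaranteed to differ from `code`."""
    zeros = "0" * OTP_DIGITS
    return zeros if code != zeros else "1" * OTP_DIGITS


def demo() -> dict:
    """Walk through issue/verify/expiry for one constructed guest with a controllable clock."""
    clock = [1_700_000_000.0]
    svc = EmailOtpService(now=lambda: clock[0])
    guest = "guest@example.com"              # constructed address
    results = {}

    first = svc.issue(guest)
    second = svc.issue(guest)                # a second sign-in supersedes the first code
    results["old_code_rejected"] = svc.verify(guest, first)
    results["bad_guess_rejected"] = svc.verify(guest, wrong_code(second))
    results["current_code_accepted"] = svc.verify(guest, second)
    results["replay_rejected"] = svc.verify(guest, second)

    third = svc.issue(guest)
    clock[0] += OTP_TTL_SECONDS              # 24 hours later
    results["expired_rejected"] = svc.verify(guest, third)

    fourth = svc.issue(guest)
    for _ in range(MAX_ATTEMPTS):
        svc.verify(guest, wrong_code(fourth))
    results["locked_out_after_max_attempts"] = svc.verify(guest, fourth)
    return results


if __name__ == "__main__":
    print(demo())
```

Because the guest is otherwise unauthenticated, the mailbox is the only factor in this flow; the example therefore treats the code as a credential (hashed at rest, compared in constant time, consumed on first use, capped on failed attempts) rather than as a convenience token.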
End-users who sign in via email OTP are treated like standard B2B guest accounts by Azure AD, which means that they are subject to regular security policies set up by the business. Microsoft also stated that:
At the time of invitation, there's no indication that the user you're inviting will use one-time passcode authentication. But when the guest user signs in, one-time passcode authentication will be the fallback method if no other authentication methods can be used.
You can see whether a guest user authenticates using one-time passcodes by viewing the Source property in the user's details.
Microsoft has highlighted that from March 2021, email OTP will be enabled for all existing and new tenants, but businesses will have the option to turn it off. Organizations that opted into the public preview of email OTP will be provided a toggle to enable or disable the feature. Lastly, email OTP is also being made available to Microsoft Teams preview mode.