In our last post, we discussed the invitation and redemption of a guest user in detail, with an example. In this article we continue with Azure AD Business-to-Business (B2B) and guest users and look at how to configure Email one-time passcode authentication.
If you missed our previous articles on Azure Identity and Access Management (IAM), please check them at the following links.
Email One-time Passcode Authentication :
In one of our previous articles we saw that Azure AD B2B lets an organization share company applications and other services/resources with external users. Until now, an external user needed one of the following to sign in to the organization that sent the B2B invitation:
- Azure AD Account
- Microsoft Account
- Google Federation
Email one-time passcode authentication (OTP), a preview feature, lets B2B users authenticate with a one-time passcode sent to their email address when they cannot authenticate by any of the methods above. A passcode is valid for 30 minutes; if the user does not use it within 30 minutes, they must request a new one. Note that the passcode is delivered to the invited mailbox, so redemption is only as secure as that mailbox: anyone who can read the guest's mail can redeem the invitation, so send invitations only to addresses you have verified belong to the intended person.
Use Case :
In this use case, we have a requirement to invite a guest user, given the following:
- The inviting tenant has not been configured with Google federation.
- The guest user to be invited (Dholi Sutar) has a Gmail address that is not registered as a Microsoft account.
Lab Exercise :
Given the above, the administrator needs one extra configuration in Azure Active Directory before the guest user can be invited. In this example we look at all activities from both the tenant's and the user's point of view.
Step 1 – Let’s see how to enable this new feature. Log in to the Azure Portal > Azure Active Directory > User settings > click Manage external collaboration settings under External users, as shown in the following figure.
Step 2 – On the External collaboration settings page, check the ‘Enable Email One-Time Passcode for guests (Preview)’ setting. If it is set to ‘No’, the feature is not enabled yet, as shown in the following figure.
Step 3 – As the figure above shows, the Email OTP feature still needs to be enabled, so set it to ‘Yes’, as shown in the following figure.
Step 4 – The tenant is now configured to allow Email OTP for guest users. The next step is to invite the guest user. Go to Azure AD > Users > All users, as shown in the following figure.
Step 5 – As shown in the figure above, click ‘+ New guest user‘ to invite a guest user. This opens the New user page, where we provide the guest user's details.
Step 6 – Hit the Invite button and the invitation is sent. As shown in the following figure, in the invited guest user's profile properties the Source is Invited User, because the user has not yet accepted/redeemed the invitation. We can also see the Invitation URL that was sent to the user by mail to redeem the invitation; if required, the invitation can be sent again with the Resend invitation button.
Step 7 – Log in to the guest user's email account and check whether the invitation mail has arrived. As shown in the following figure, the user has received the invitation mail, which contains an Accept Invitation button to accept/redeem the invitation. Click Accept Invitation.
Step 8 – Once we accept the invitation, Azure AD confirms the email address and asks for the OTP sent to the guest user's mailbox.
Step 9 – Go back to the guest user's mailbox to collect the OTP code needed to redeem the invitation. The following figure shows the format of the OTP mail with the code.
Step 10 – Enter the OTP code and hit Sign in to complete the redemption, as shown in the following figure.
Step 11 – As we can see in the following figure, the guest user ‘Dholi Sutar‘ has redeemed the invitation: in the profile, the Source property is now OTP and the Invitation accepted property is Yes.
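The same procedure (enable the setting, invite the guest, and confirm the redemption from the last step) can also be driven from Microsoft Graph PowerShell, which is handy when you want the change scripted and verified rather than clicked through. The block below is an added example and is not from the original post. It assumes the Microsoft.Graph modules are installed, that the signed-in admin can consent to the listed scopes, and that the guest address is a placeholder for the real Gmail address. In current tenants the portal toggle from steps 1-3 lives under Authentication methods > Email OTP rather than External collaboration settings; in Graph it is the ‘email’ authentication method configuration.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph
# modules are installed and the admin account can consent to these scopes.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'User.Invite.All', 'User.Read.All'

# Steps 1-3: enable email OTP for guests. This is the Graph equivalent of the
# portal toggle; 'email' is the authentication method configuration id.
$emailOtp = @{
    '@odata.type'                = '#microsoft.graph.emailAuthenticationMethodConfiguration'
    state                        = 'enabled'
    allowExternalIdToUseEmailOtp = 'enabled'
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'email' -BodyParameter $emailOtp

# Read the setting back instead of trusting that the update applied.
$cfg = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'email'
if ($cfg.AdditionalProperties['allowExternalIdToUseEmailOtp'] -ne 'enabled') {
    throw 'Email OTP for guests is still disabled'
}

# Steps 4-6: invite the guest. SendInvitationMessage makes Azure AD send the
# mail with the Accept Invitation button; the redeem URL is returned as well.
$inviteParams = @{
    InvitedUserEmailAddress = 'dholi.sutar@example.com'   # placeholder: use the guest's real Gmail address
    InvitedUserDisplayName  = 'Dholi Sutar'
    InviteRedirectUrl       = 'https://myapps.microsoft.com'
    SendInvitationMessage   = $true
}
$invite = New-MgInvitation @inviteParams
$invite.Status           # 'PendingAcceptance' until the guest redeems
$invite.InviteRedeemUrl  # the same link the portal shows as 'Invitation URL'
$guestId = $invite.InvitedUser.Id

# Last-step check: once the guest has redeemed with the emailed passcode
# (steps 7-10), externalUserState flips from 'PendingAcceptance' to 'Accepted'
# and the identities collection carries an entry with issuer 'mail' for an
# email OTP guest.
$guest = Get-MgUser -UserId $guestId -Property displayName, externalUserState, identities
$guest.ExternalUserState
$guest.Identities | Select-Object SignInType, Issuer, IssuerAssignedId
```

Run the first half before inviting anyone: if the read-back throws, the invitation mail would still be sent but the guest would be stuck at step 8 with no passcode path. The final `Get-MgUser` is the scripted equivalent of checking the Source and Invitation accepted properties in the portal, and is worth re-running until the state shows `Accepted`.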
I hope this article helps you configure Email one-time passcode authentication.
As I am exploring Azure Identity and Access Management (IAM) at a deeper level, please let me know if I missed anything important or if my understanding is not up to the mark.
Keep reading and share your thoughts and experiences. Feel free to contact us to discuss further.
Thanks for reading 🙂