'One-Time Passcodes' for Azure AD B2B Hits Preview
- By Kurt Mackie
- January 29, 2019
A new feature in Microsoft's Azure Active Directory Business to Business (B2B) service enables organizations to grant outside partners access to their internal network resources.
Announced as a preview on Monday, the "one-time passcodes" feature works like this: An invitee gets an invitation containing a "Send Code" link from an organization. After the invitee clicks on that link, he or she will get a second e-mail containing a code for gaining network access, which can be used for up to 30 minutes, according to Microsoft's documentation.
Once the invitee gets authenticated, the session allowing guest access is only available to the invitee within a one-day timeframe. It's a security precaution built into the one-time passcodes feature, according to the announcement:
Each authentication session only lasts 24 hours, after which guests have to re-authenticate with a new email OTP. This means your guests have to prove they still have access to their work email inboxes and have not left the partner company every 24 hours.
Organizations can optionally add multifactor authentication requirements onto the one-time passcodes scheme, if wanted. Multifactor authentication is another scheme for verifying user identities, which typically happens via responses to a cell phone call or messaging service.
Microsoft's announcement depicted the one-time passcodes preview as permitting network resource sharing with "anyone in the world with an email account." There's one technical restriction to the scheme. Organizations must send a link that includes the organization's "tenant context" (or tenant ID) within the link, Microsoft's documentation explained.
One-time passcodes are deemed handy when Azure AD B2B invitees lack other authentication options -- such as an Azure AD account, a Microsoft account or a Google account -- to gain guest network access privileges. Microsoft has been gradually expanding the identity provider options that can be used with this service.
According to Microsoft's documentation, "when the guest user signs in, one-time passcode authentication will be the fallback method if no other authentication methods can be used."
While the one-time passcode feature is currently at the preview stage, Microsoft is planning to turn it on later for all organizations using this service.
"After preview, this feature will be turned on by default for all tenants," Microsoft's documentation bluntly stated, although no timeline was described.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.