Securing SharePoint Online guest users with the Azure AD B2B experience

A warm welcome to my next blog, which is all about the differences between SharePoint Online B2B Guest users and Azure AD B2B guests users! But before we continue: A happy new year, let’s hope 2022 brings us joy, health and lots of new great Azure Active Directory features (which I can use to blog about 🙂 ).

Lots of organizations are using Microsoft Teams these days to work and collaborate. It works great and can easily be secured with Conditional Access and the other security tools offered by the Microsoft cloud. But what do you do if you want to collaborate on a single document or folder stored in SharePoint Online or OneDrive for Business? I guess your first response would be: “Easy, simply share it via SharePoint Online or OneDrive for Business, it will by default create a guest account in Azure AD!”.

Well, unfortunately, that is not the case by default today. Of course, the document will be shared, but an Azure AD guest account won’t be created: by default you get a SharePoint Online guest account, which isn’t an Azure AD B2B account! So the act of sharing the document completes successfully and the person you shared it with can access the document or folder. From a security point of view, however, the SharePoint B2B Guest account that is used will never go through Conditional Access, because you have created a SharePoint B2B Guest account and not an Azure AD B2B account.

Having said that, there is luckily an answer to the above problem, and that is simply enabling the Azure AD B2B Integration within SharePoint Online together with the Azure AD one-time passcode functionality. The combination of these two is a hard requirement and ensures that Azure AD B2B accounts are created instead of SharePoint Online Guests. The security result: all users invited from that point forward get an Azure AD B2B Guest account and therefore hit your configured Conditional Access policies for guest accounts (and you can also target these accounts with other security features, like an Access Review, about which I’ve written several blogs already).

Now that we know the above, let’s have a look at the following scenarios, which describe:

  • What the experience is when we didn’t enable the Azure AD B2B Integration policy.
  • How we can enable the Azure AD B2B Integration within SharePoint Online and enable one-time passcodes.
  • What the experience is when we enabled the Azure AD B2B Integration and what happens with the existing access.

Let’s start!


SharePoint Online experience without Azure AD B2B Integration

As explained earlier, by default SharePoint Online makes use of its own SharePoint B2B Guests. With that experience enabled the behaviour is as follows.

The end user shares a document or folder via SharePoint Online, sets the permissions, fills in the email address of the desired ‘SharePoint B2B Guest’ user who should have access and hits ‘Send’.

Once sent, the ‘SharePoint B2B Guest’ user receives an email at the provided address with a link to the document, ‘Progress Meeting’ in this example. He or she can click on the document to open it in Word Online.

The following interface is then provided in a browser, whereby the ‘SharePoint B2B Guest’ user can hit ‘Send Code’ to use the one-time passcode functionality.

The verification code is sent to the same email address the document was shared with. Important to know is that you aren’t using multi-factor authentication here (email is simply a single factor). Once you enter the one-time passcode received by email and hit ‘Verify’, the Word document opens in Word Online.

This can be seen in the image below.

If we now check Azure Active Directory, we can see that no guest user has been created for this user: as explained earlier, the above process results in a ‘SharePoint B2B Guest’ user instead of an Azure AD B2B guest user.

As these ‘SharePoint B2B Guest’ users bypass all Azure Active Directory policies (think of Conditional Access, which enforces multi-factor authentication, or Access Reviews, which challenge users to review access), the security level of these ‘SharePoint B2B Guest’ users is quite low. The image below is an example screenshot of the Conditional Access configuration, which states that selecting ‘All guests and external users’ only applies to ‘Azure AD B2B guests and NOT SharePoint B2B Guests’.

Now let’s have a look at how we can improve this, to make sure that an Azure AD B2B guest user is created once users are invited from SharePoint Online or OneDrive for Business.


Enabling Azure AD B2B Integration and one-time passcodes

Now, to make sure that SharePoint Online ‘respects’ the Azure Active Directory B2B configuration, we need to review two settings. The first setting is the Azure AD B2B Integration, which can be enabled from SharePoint Online.

This can easily be done via PowerShell by installing the SharePoint Online module, connecting to the SharePoint Online environment and changing the setting. However, let’s first check the current configuration, which can be done with the three PowerShell commands below:

# Install the SharePoint Online management module (run from an elevated session)
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Force
# Connect to the SharePoint Online admin site of your tenant
Connect-SPOService -Url https://tenantname-admin.sharepoint.com
# Show only the tenant properties whose name contains 'B2B'
Get-SPOTenant | Select *B2B*

NOTE: To install the module please make sure to run the command in an elevated PowerShell session and please make sure to change the ‘tenantname’ within the URL to your actual tenantname.

As we can see, the ‘EnableAzureADB2BIntegration’ setting is set to ‘False’, which means SharePoint Online will not look at the Azure AD B2B configuration that is in place. To enable this setting, run the following PowerShell commands in the same PowerShell session we just used to check it:

# Switch the integration on, then read the setting back to confirm
Set-SPOTenant -EnableAzureADB2BIntegration $true
Get-SPOTenant | Select *B2B*

As you can see, the setting has now been enabled, and the command returns a warning which says:

WARNING: Make sure to also enable the Azure AD one-time passcode authentication. If it is not enabled then SharePoint will not use Azure AD B2B even if EnableAzureADB2BIntegration is set to true.

This means we need to verify in Azure Active Directory whether the one-time passcode functionality is enabled. If it is not, the behaviour stays as is and we still get SharePoint B2B Guest users instead of Azure AD B2B guest users.

To check this setting, go to the Azure Active Directory blade, hit External Identities and select ‘All Identity Providers’. As you can see, by default Azure Active Directory supports the use of guest accounts from other Azure Active Directories and (personal) Microsoft Accounts. You are however able to add others, like an integration with Google or Facebook; those accounts won’t use the one-time passcode functionality, as they are trusted and ‘federated’ against their own Identity Provider.

As in this example we aren’t using either of these, we hit the ‘Email one-time passcode’ functionality.

Within the configuration of the Email one-time passcode for guests, make sure the switch is set to ‘Yes’, which indicates this functionality is enabled.

NOTE: This functionality will be enabled by default by Microsoft in the (near) future (unless you chose differently). It was previously scheduled for October 2021 and has been delayed.
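Because the warning makes clear that both switches have to be on before SharePoint hands invitations to Azure AD B2B, it is worth checking them together in one go. The script below is an added example, not code from the original post: it reads the SharePoint setting with the same Get-SPOTenant cmdlet used above and the Azure AD email one-time passcode state through the Microsoft Graph PowerShell SDK, then reports whether new invitations will produce Azure AD B2B guests. It assumes the Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph modules are installed, that ‘tenantname’ is replaced with your tenant name, and that the Graph email authentication method configuration exposes the property allowExternalIdToUseEmailOtp with the values enabled, disabled or default.

```powershell
# Added example (not from the original post): report both prerequisites named in
# the Set-SPOTenant warning and whether SharePoint will actually use Azure AD B2B.
# Assumptions: Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph modules
# are installed; 'tenantname' is a placeholder; the Graph 'Email' authentication
# method configuration exposes allowExternalIdToUseEmailOtp (enabled/disabled/default).
param(
    [string]$AdminUrl = 'https://tenantname-admin.sharepoint.com'   # placeholder
)

Connect-SPOService -Url $AdminUrl
Connect-MgGraph -Scopes 'Policy.Read.All' | Out-Null

# Prerequisite 1: the SharePoint Online side of the integration
$tenant        = Get-SPOTenant
$spoIntegrated = [bool]$tenant.EnableAzureADB2BIntegration

# Prerequisite 2: the Azure AD side, email one-time passcode for external users
$emailCfg = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
                -AuthenticationMethodConfigurationId 'Email'

# The property lives on the derived 'Email' type, so depending on the SDK version
# it surfaces either as a typed property or inside AdditionalProperties.
$otpState = $null
if ($emailCfg.AdditionalProperties) {
    $otpState = $emailCfg.AdditionalProperties['allowExternalIdToUseEmailOtp']
}
if (-not $otpState) { $otpState = $emailCfg.AllowExternalIdToUseEmailOtp }
$otpEnabled = ($otpState -eq 'enabled')

# Both must be true, otherwise invitations still create SharePoint B2B Guests
[pscustomobject]@{
    EnableAzureADB2BIntegration = $spoIntegrated
    EmailOtpForExternalUsers    = $otpState
    NewInvitesUseAzureADB2B     = ($spoIntegrated -and $otpEnabled)
} | Format-List

if (-not $spoIntegrated) {
    Write-Warning "SharePoint integration is off. Enable it with: Set-SPOTenant -EnableAzureADB2BIntegration `$true"
}
if ($otpState -eq 'default') {
    Write-Warning "Email OTP follows Microsoft's default; confirm the switch under External Identities > All identity providers > Email one-time passcode."
}
elseif (-not $otpEnabled) {
    Write-Warning "Email OTP is disabled: SharePoint keeps creating SharePoint B2B Guests even though EnableAzureADB2BIntegration is true."
}
```

The ‘default’ state is deliberately reported as something to confirm in the portal rather than treated as enabled, because, as the note above says, Microsoft’s default-on rollout has been delayed and the effective value therefore depends on when your tenant was picked up.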

Now that we have enabled this functionality, let’s have a look at what has changed, from a user perspective as well as an administrative perspective.


SharePoint Online experience with Azure AD B2B Integration

Now that we have enabled the Azure AD B2B Integration within SharePoint Online and made sure the one-time passcode functionality is enabled as well, let’s share the Progress Meeting Word document again. So again, set the required permissions, type in the email address with an invite text and hit ‘Send’.

SPECIAL NOTE: In this example I’ve used a different email address than before, as the previous email address is a personal Microsoft Account which was prompting me for my password (instead of the one-time passcode). We therefore have already proven that SharePoint Online is respecting the Azure AD B2B policy (which is amazing of course); however, for the explanation of this blog I also wanted to show you what the experience is when using a user which hits the one-time passcode functionality.

The user the document is shared with again receives the same email format and is able to hit ‘Open’.

Once the webpage opens, we can see a difference: the previous ‘Send code’ button has been replaced by a ‘Next’ button. Hit ‘Next’.

The email address is filled in automatically and is the address the document was shared with. What we can also see is that we are looking at the Azure Active Directory login page and not the SharePoint Online login page, which also tells us the B2B integration is enabled. To continue, hit ‘Next’ again. An email will now be sent to the same email address the document was shared with (this is the one-time passcode feature).

NOTE: Please check your Junk Folder if you haven’t received the email.

Type in the one-time passcode you received by email and hit ‘Sign in’.

Azure Active Directory now asks you to consent to permissions so that it is able to sign you in and retrieve your name, email address and photo. These are used to create the Azure AD B2B guest account, so hit ‘Accept’.

NOTE: If you don’t hit Accept and click ‘Cancel’ you simply won’t get access to the data which has been shared with you.

Up to here everything is still based on a single factor, as you may have noticed, but an Azure AD B2B guest user has now been created in your Azure Active Directory. This can be seen below: each user provisioned via this method has ‘Mail’ listed as Identity Issuer.

Now, if you have configured an Azure Active Directory Conditional Access policy for your guest users which, for example, enforces Azure Multi-Factor Authentication, the user is prompted to enroll in Azure Multi-Factor Authentication for their guest account, as you can see below.

NOTE: I would strongly recommend, if you haven’t already, implementing a Conditional Access rule which enforces multi-factor authentication for your guest accounts. It doesn’t make any sense to enable it for your own users but not for your guests! Keep in mind as well that you don’t even know whether the source tenant has applied multi-factor authentication, making it a big security risk!

Once the guest user has enrolled in Multi-Factor Authentication, the user is able to open the ‘Progress Meeting’ Word document with the Azure AD B2B guest account, with all Azure Active Directory policies for guests applied and in use: logging on with your username and one-time passcode (first factor) and performing Multi-Factor Authentication (second factor).

This proves that our Azure AD B2B Integration from SharePoint Online has been enabled successfully. But what about the existing SharePoint B2B guest users? And does this impact my existing Azure AD B2B guest users? Or maybe other questions cross your mind now? To help you out a bit, I’ve summarized those I’ve heard recently below:

What happens to my existing SharePoint B2B Guest users?

At the next sign-in these users will use the Azure Active Directory B2B one-time passcode functionality instead of the SharePoint Online one. This means users are only ‘converted’ to an Azure AD B2B guest user after a successful sign-in, so the action is user-triggered (this also implies that documents or folders which have been shared don’t need to be shared again). This can result in extra security measures for these end users, like being enforced to use MFA via Conditional Access or being challenged with an Access Review in time.
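Since the conversion only happens on the guest’s next sign-in, the Azure AD guest list is the place to see how far it has progressed: the guests created through the email one-time passcode flow are the ones carrying ‘mail’ as identity issuer, as shown in the screenshot earlier. The script below is an added example, not code from the original post. It uses the Microsoft Graph PowerShell SDK to group all guest accounts by their identity issuer and list the ones provisioned via email one-time passcode, so you can confirm they are now in scope of your guest Conditional Access policies and Access Reviews. It assumes the Microsoft.Graph module is installed and that the Graph identities collection records external guests with signInType ‘federated’ and issuers such as ‘mail’, ‘ExternalAzureAD’ and ‘MicrosoftAccount’.

```powershell
# Added example (not from the original post): inventory Azure AD guests by identity
# issuer to see which were provisioned through email one-time passcode ('mail').
# Assumptions: Microsoft.Graph module installed; external guests carry an identity
# with signInType 'federated' and issuer 'mail', 'ExternalAzureAD', 'MicrosoftAccount', etc.
Connect-MgGraph -Scopes 'User.Read.All' | Out-Null

$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
            -Property Id,DisplayName,Mail,UserType,CreatedDateTime,Identities

$report = foreach ($g in $guests) {
    # The federated identity records tell us where the guest really authenticates
    $issuers = @($g.Identities |
                 Where-Object { $_.SignInType -eq 'federated' } |
                 Select-Object -ExpandProperty Issuer)
    [pscustomobject]@{
        DisplayName = $g.DisplayName
        Mail        = $g.Mail
        Created     = $g.CreatedDateTime
        Issuer      = ($issuers -join ',')
        ViaEmailOtp = ($issuers -contains 'mail')   # converted / invited via email OTP
    }
}

# Overview: how many guests per issuer (other Azure AD, Microsoft Account, mail, ...)
$report | Group-Object Issuer | Select-Object Name, Count | Format-Table -AutoSize

# Detail: the email one-time passcode guests, newest first, which are exactly the
# accounts that used to be invisible SharePoint B2B Guests
$report | Where-Object ViaEmailOtp | Sort-Object Created -Descending |
    Format-Table DisplayName, Mail, Created -AutoSize
```

Run this before and some time after enabling the integration: the ‘mail’ group grows as former SharePoint B2B Guests sign in again and get converted, and a guest that still hasn’t appeared is one that simply hasn’t signed in since the change.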

Is there any impact for already existing Azure AD B2B Guests users, like Microsoft Accounts or others?

No. By enabling the Azure AD B2B Integration from SharePoint Online you enabled this for SharePoint Online and OneDrive for Business only. It only makes sure that the Microsoft Accounts and Azure Active Directory accounts of these particular users are used to sign in and open the document, instead of SharePoint B2B Guest accounts.

Will my Azure AD B2B guest or Microsoft guest Account use the one-time passcode functionality as well?

No, these identities use their own External Identity Provider, as these are configured within the External Identities blade under All Identity Providers. Only if an Identity Provider isn’t listed there is the one-time passcode functionality used.

Can I add other Identity Providers as well?

Yes, from the External Identity Providers screen you can add others like Facebook, Google, Google Workspace, etc. This isn’t configured by default, however, and needs to be enabled by an administrator.

Does this impact licensing?

The answer is simple: it depends. If you haven’t enabled the ‘Linked subscriptions’ feature under the External Identities blade, you are looking at a 1:5 ratio (i.e. 1 Azure AD Premium license allows you to have 5 guests using that functionality). If you have enabled the ‘Linked subscriptions’ feature, the first 50,000 monthly active guest users are free; above that they will be billed to your linked Azure subscription.

Can we enforce Azure AD B2B Sign-in only and block one-time passcodes?

No. If you disable the one-time passcode functionality in Azure AD, SharePoint Online won’t respect the Azure AD B2B policy and therefore falls back on its own one-time passcode behaviour, which results in a SharePoint Online B2B Guest user. You can however decide to block external sharing within SharePoint Online / OneDrive for Business altogether, which prevents both Azure AD B2B and SharePoint Online B2B Guest users and therefore any one-time passcode. That can however have a drastic impact on your business.


Conclusion

By enabling the Azure AD B2B integration within SharePoint Online in combination with the one-time passcode feature, the security of your environment can be drastically improved, as you can apply Conditional Access to these users, which enables features like Multi-Factor Authentication, App Enforced Restrictions, Conditional Access App Control, etc. Besides, you can target these guest users with an Access Review if you own Azure AD Premium P2 licenses, which can help you get these guest accounts under control!

I would therefore strongly recommend enabling the Azure AD B2B Integration from SharePoint Online in combination with the Azure Active Directory one-time passcode feature as soon as possible, and adding additional Identity Providers (like Google) if required. Bear in mind that this may require some communication up front to your end users, as current (or new) SharePoint Online B2B guest users will get a slightly different experience (with multi-factor authentication, if enabled). And as these guest users can’t contact their own IT department for questions, they will probably go to your end users.

I again hope you enjoyed reading my blog about this feature and the benefits it can bring to you. Stay tuned for some more (new) great Identity features in the future!
