SharePoint Online Dumps OTP Authentication for Sharing Links

Posted on by Tony Redmond

Change Applies on July 1 to Tenants that Integrated SharePoint with Entra ID B2B Collaboration

The announcement in message center notification MC1089315 (6 June 2025) that Microsoft is dumping the old one-time passcode (OTP) authentication mechanism for SharePoint Online and OneDrive for Business sharing is unexpected, but only because it took Microsoft so long to make the change.

Inputting a one-time passcode to access a shared file. Entra ID B2B Collaboration
Figure 1: Inputting a one-time passcode to access a shared file

After July 1, 2025, external users who have received a sharing link from a user in a tenant that uses OTP authentication will discover that they have lost access to the shared content (files, folders, or sites). Microsoft says that they’re making the change to “enhance security.” I think this is correct, and the change delivers an additional benefit to Microsoft because it gets rid of an old feature.

A History of One-time Passcodes in SharePoint Online

OTP-based sharing links (aka, the “Secure external sharing recipient experience”) predates the support of Entra ID B2B Collaboration (guest accounts) within SharePoint Online. That support arrived as a result of guest access to Office 365 groups (now Microsoft 365 groups) in September 2016. Guest accounts took a while to catch on, and Office 365 groups only became really popular after the advent of Teams in early 2017. Indeed, Teams didn’t surpass 20 million active users in November 2019 before massive growth occurred in Teams usage during the Covid-19 pandemic.

Although Teams growth propelled similar growth in groups and SharePoint usage, there was no great push to move tenants off OTP authentication to SharePoint and OneDrive integration with Azure AD (now Entra ID). External sharing worked, so why bother?

Microsoft began the process to get off OTP by integrating OTP with Entra ID B2B Collaboration in October 2021. Essentially, the change ensured that external users who received OTP sharing links had guest accounts created for them in the tenant directory. The next step made sure that new tenants created after March 31, 2023, could only use B2B collaboration.

The plan now revealed “only impacts organizations that have already enabled or plan to enable SharePoint and OneDrive integration with Microsoft Entra B2B.” In other words, nothing changes for tenants that did not link SharePoint Online and OneDrive for Business to Entra ID B2B Collaboration. I wonder what proportion of the SharePoint community still use one-time passcodes exclusively for sharing.

The Result of the Change

MC1089315 rates this change to be “highly relevant.” In other words, it will affect how users work because:

  • After July 1, all new sharing links generated for external people will use Entra ID B2B Collaboration and the sharees will receive email containing the sharing link generated by the Entra ID Invitation Manager service. This shouldn’t cause too much upheaval because the process is reasonably painless. I use it all the time to share documents with several other Microsoft 365 tenants and haven’t had any issues with sharing links that I can remember.
  • After July 1, all previously issued sharing links based on one-time passcodes generated by SharePoint Online and OneDrive for Business will stop working. Obviously, this aspect of the change could cause confusion when a link sent to users doesn’t work. July 1 is a Tuesday, and it’s entirely possible that many sharing links with one-time passcodes arrive in user mailboxes on Monday, June 30. If the recipients action the links immediately, they can access the shared content. If they delay, the links stop working. It’s as simple as that.

Microsoft says that users will be told “Sorry, something went wrong. This organization has updated its guest access settings. To access this item, please contact the person who shared it with you and ask them to reshare it with you.” What’s gone wrong is that Microsoft decommissioned one-time passcodes. However, the statement is accurate that the only way to resume access to the shared content is to receive a new sharing link generated based on B2B collaboration. The potential for impact on users and the knock-on effect on help desks is clear.

MC1089315 notes that users will be required to complete multi-factor authentication (MFA) registration as part of the Entra ID B2B onboarding process. That’s strictly only true if the tenant that hosts the content requires MFA, most likely with a conditional access policy to block access unless an MFA challenge is satisfied. Even if your tenant doesn’t use MFA today (which it should), it is the hosting tenant that gets to choose whether MFA is required.

A Good Change

I bet this change will cause confusion and some upheaval in the weeks after July 1. After that, everything should calm down as the old OTP-based sharing links work their way out of the system. It’s good to have consistency and security and having one method to secure sharing links seems like a good change to make. At least, it is in my book.

So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

19 Replies to “SharePoint Online Dumps OTP Authentication for Sharing Links”

  1. Almost had a heart attack reading your post, but thankfully “This change only impacts organizations that have already enabled or plan to enable SharePoint and OneDrive integration with Microsoft Entra B2B.” which is not my case 🥵

    Reply

    1. This makes me think that Microsoft will someday force all tenants to move to Entra ID B2B for Sharepoint and OneDrive sharing… Thus forcing tenants to allow users to invite Entra ID guests whenever they want to share some OneDrive file ?
      That’s actually annoying for my org. We disabled anonymous OneDrive sharing (thus making the email OTP mandatory), and disabled the ability of any user to create guests users (we have a custom process in Coreview for that, that user have to request separately, when they want to invite some external user to a specific team or Sharepoint site). I guess if we want to move Sharepoint Online external access to Entra ID B2B we’ll have to allow all users to invite guests (at least for OneDrive sharing) ? Then they’ll be able to invite anybody in their teams, without using our custom process, right ?

      Reply

      1. I don’t think so… It’s easy to test, but there’s something in the back of my mind that says that SharePoint and OneDrive use a different process to the one where Teams invites users.

  2. Pingback: SharePoint Online Dumps OTP Authentication for Sharing Links – blog by Tony Redmond – 365ForAll

  3. I think you’ve misunderstood this change – Microsoft is not dumping the old process at all. This change is only for tenants who have enabled the B2B OTP setting (Set-SPOTenant -EnableAzureADB2BIntegration $true) or will do in the future.

    The change is that once a tenant optionally enables SharePoint/OneDrive B2B OTP integration, all previous SharePoint OTP links will immediately stop working.

    If a tenant does not enable the integration, then nothing changes, and the old SharePoint OTP method will still work.

    Reply

    1. Well, I might be taking a certain liberty with the title to drive awareness of an important change that is being implemented in 3 weeks time, but I’ll take that on the chin.

      The text clearly says that the change only applies to tenants that have implemented the B2B integration with SPO. I just wonder how many tenants use “pure” OTP…

      Reply

    2. Would anybody happen to know how to check if a tenant has enabled SPO/OD B2B OTP integration? I honestly haven’t the slightest idea whether my two tenants have this enabled or not, and while I’ve found the cmdlet to enable/disable it, can’t seem to figure out how to determine whether or not it’s enabled in the first place.

      Reply

      1. Hi Joseph,

        You can check with the “Get” version of the Cmdlet that allows you do enable/disable the feature.

        PS> Get-SPOTenant | Select-Object EnableAzureADB2BIntegration
        EnableAzureADB2BIntegration
        —————————
        False

      3. Thank you both! I was on the right track but somehow managed to fat-finger it.

  4. Regarding my previous question, here’s what I found in Microsoft’s documentation :
    Advantages of Microsoft Entra B2B include: […] SharePoint and OneDrive sharing is subject to the Microsoft Entra organizational relationships settings, such as Members can invite and Guests can invite. […]
    Source : https://learn.microsoft.com/en-gb/sharepoint/sharepoint-azureb2b-integration

    I guess that’s the tenant wide “Guest invite settings”, and that would be problematic in the scenario I described (forced to allow anyone to invite guests, including in Teams, to allow external (but not anonymous) sharing in OneDrive), but it’s not very clear…

    Reply

      1. Sadly first one is not an option (many guests with hotmail or Gmail email adresses, also nominative OneDrive external file sharing could/should be less restricted than guest access in my opinion), neither is last one (currently my org does not have the required license for all its users + we’re not at that stage of deployment (currently deploying Teams teams, yet we could discuss which one’s the prerequisite for the other one 😅)).
        But second one is an interesting path, I’ll check that, tank you very much for your post and answers ! 🙂

  5. Hello Tomi

    few more details, hope these assumptions are correct what we found, can you please confirm?

    in case organizations use Azure B2B invitation manager (tenant SharePoint admin sharing settings – existing guests only) then these links are not impacted

    only links which are created by SharePoint / ONB via old b2b invitation manger is impacted (tenant sharing settings – New and Existing guests)..

    Reply

    1. Entra ID integration with SharePoint Online and OneDrive for Busines operates OTP for sharees that don’t have an existing guest account “Authentication happens via one-time passcode when they don’t already have a work or school account or a Microsoft account.” : https://learn.microsoft.com/en-us/sharepoint/sharepoint-azureb2b-integration. “Azure B2B Invitation Manager one-time passcode feature allows users who don’t have existing Work or School accounts or Microsoft Accounts to not have to create accounts to authenticate, but can instead use the one time passcode to verify their identity.”

      If a file is shared with a guest account that’s able to authenticate, then OTP isn’t used and the links aren’t affected. If you’re using guest accounts to share files etc. with other Microsoft 365 tenant accounts, they aren’t affected.

      Reply

  6. The MC1089315 has been updated on 13th and there’ no mention of OTP anymore? It just say “Your external users will lose access to all the files, folders and sites shared before enabling this integration.” What happened to automatic conversion of guests/shares, which was previously mentioned in the learn doc, but now not mentioned at all (doc updated on 13th as well).
    https://learn.microsoft.com/en-us/sharepoint/sharepoint-azureb2b-integration

    Reply

    2. Reading MC1089315 (revised version), it seems like they have broadened the description so that ALL sharing links created prior to enabling B2B collaboration for SharePoint Online are invalidated. That’s the way I read the text.

      Reply

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.