← Back to blog
Microsoft 365

SharePoint OTP authentication ends in July 2026: external sharing migrates to Entra B2B

By Zarioh Digital Solutions7 min read
Share
SharePoint OTP authentication ends in July 2026: external sharing migrates to Entra B2B

From July 2026, external users trying to access a SharePoint link via the old one-time passcode method will receive 'access denied'. Microsoft is retiring SharePoint OTP authentication and making Entra B2B guest accounts mandatory for external sharing. What changes, who is affected, and what should IT administrators do now?

External collaboration via SharePoint and OneDrive has worked the same way for years in many organisations: share a link, enter an email address and receive a one-time access code. No account needed, no guest invitation to process, just direct access to the document. Convenient, but behind the scenes Microsoft uses a separate SharePoint authentication mechanism that is decoupled from the Entra ID identity infrastructure. That mechanism is now being removed.

From July 2026, Microsoft begins the mandatory phase-out of SharePoint OTP authentication. Full retirement is scheduled for 31 August 2026. External users who try to access content via an old link and do not yet have an Entra B2B guest account will receive an access denied message. Without prior notification, without an automatic message to the affected user. Simply no access any more.

What is SharePoint OTP authentication and why is it being retired?

When Microsoft first introduced external sharing in SharePoint Online, they chose a lightweight model: external users do not need a Microsoft account. Instead, SharePoint verifies identity via a one-time password sent to the email address provided. This is known as SharePoint One-Time Passcode, abbreviated SPO OTP. It operated independently of Entra ID, had its own session infrastructure, and created an identity silo that is difficult to manage and secure.

The reason for retirement is architectural: Microsoft wants to consolidate all external identities under Entra ID. Entra B2B is the model in which external users are tracked as guest accounts in the receiving organisation's directory. That makes them visible in user administration, manageable through Conditional Access, auditable in sign-in logs, and manageable via Entra ID Governance. Standalone SPO OTP sessions offer none of that.

The exact timeline: what has already taken effect and what comes next?

The migration runs in three phases. Phase one started in May 2026: new external sharing invitations from that point use Entra B2B instead of the SharePoint OTP method. Organisations that had manually disabled the Entra B2B integration via the EnableAzureADB2BIntegration setting find that this setting no longer has any effect. Microsoft has effectively disconnected that switch.

Phase two runs from July 2026: external users who open older links that were previously authenticated via SPO OTP begin receiving access denied messages if they do not have a guest account in the directory. This phase is active now. IT administrators and end users who have external partners with whom they have been collaborating for some time can expect problems the moment an external user first tries to open one of those old links after the migration.

Phase three is the full retirement on 31 August 2026. After that date, SPO OTP authentication no longer exists. Entra B2B becomes the only mechanism for external access to SharePoint and OneDrive content shared with specific people.

Who is affected and when?

Not all external users are affected. The impact is specific to users who in the past gained access via the SPO OTP method and have not yet received an Entra B2B guest account in your tenant. Anyone already listed as a guest in your Entra directory can continue working normally. Anyone who has never been invited as a guest and only had access via an old OTP link loses that access.

In practice, this concerns external partners, suppliers, and customers with whom you share files via SharePoint or OneDrive using the 'specific people' option. Anyone working via an 'anyone with the link' link is not affected by this specific change. Those links work differently and are not dependent on SPO OTP authentication.

The challenge is that the transition is silent. Microsoft does not automatically notify the external user when access is revoked. The user clicks a link that worked yesterday, sees an error message about changed guest settings, and does not know what happened. Your helpdesk or the colleague involved receives the question without context. Proactive communication is therefore essential.

What changes for external users after the migration?

After the migration to Entra B2B, the authentication experience for external users is different, but not necessarily worse. Anyone with a Microsoft account signs in with that account. Anyone with a work or school account at another organisation signs in via that organisation's federated identity. Anyone without either can still authenticate via a one-time password, but now through the Entra B2B OTP mechanism rather than the old SharePoint OTP method. The difference: the session is now tracked in Entra ID as a guest identity.

For end users within your organisation who share files, the sharing itself does not change. SharePoint and OneDrive look the same, the share button works the same way. The difference is in what happens behind the scenes: the external recipient is automatically created as a guest in Entra ID when they accept the invitation.

Which steps should IT administrators take now?

Four concrete actions for the coming weeks. First: inventory external sharing activity in your organisation. In the SharePoint admin centre, under Reports and external sharing, look at which external users are active, how they authenticate, and whether they already have a guest account in Entra ID. Users who are not in Entra but regularly receive files are the risk group.

Second: communicate proactively to employees who regularly share externally. Explain in plain language that external contacts may be asked to sign in again, that the link itself is still valid but the authentication method is changing, and that they can involve IT if external contacts have questions. A short email or intranet message is sufficient.

Third: check the Entra External ID settings in the Microsoft Entra admin centre. Make sure the one-time passcode feature for guests has not been disabled. If it is disabled, external users without a Microsoft account cannot authenticate via Entra B2B OTP and will therefore have no access, even after a correct invitation.

Fourth: consider whether your organisation wants to pre-create guest accounts for the most critical external partners, rather than waiting for them to go through the invitation themselves. That reduces the chance of a disruption at an inconvenient time, for example just before a client deadline or an audit delivery.

Conditional Access and guest accounts: opportunities and risks

The migration to Entra B2B has a side effect that many IT administrators view positively: external users become visible and manageable through Conditional Access. Where SPO OTP sessions were outside the reach of Conditional Access, every guest signing in via Entra B2B can now be subject to policies: required authentication strength, device compliance, location restrictions, or session management.

This is also the moment to revisit guest policy. Who is allowed to create external guest accounts in your tenant? By default, all members can send invitations. If your organisation wants to restrict that, now is a good time to tighten the invitation settings in Entra External ID. A policy in which only specific roles, such as IT administrator or management, can create guest accounts provides more control over who has access to which company resources.

The flip side is that more guest accounts in the directory also means more management overhead. Entra ID Governance offers access reviews for this: periodic checks in which the owner of a guest account confirms that the external user still needs access. For organisations with a large number of external collaboration partners, setting up such a review cycle is a logical follow-up step to the B2B migration.

What if your organisation does not use external sharing?

If your SharePoint environment is configured with external sharing completely disabled, this change has no direct impact. The OTP retirement only applies to environments where external sharing is permitted. Check this in the SharePoint admin centre under Policies and then Sharing. If external sharing is set to 'Only people in your organisation', there is nothing to act on.

Want help inventorying your external sharing activity, configuring Conditional Access for guest accounts, or setting up access reviews via Entra ID Governance? Contact Zarioh for practical advice on your specific situation.

Z

Zarioh Digital Solutions

IT specialists from Utrecht, the Netherlands. We help businesses with Microsoft 365, AI agents, hosting and telephony — and share what we learn in practice. Follow us on LinkedIn

Related articles

← Back to all articles
Share