Donnerstag, 17. Dezember 2020

Onetime Passcode Authentication to access Microsoft 365 Group resources

Onetime passcode authentication via email is an Azure AD feature and currently still in preview. The preview function must be activated in Azure AD under User Settings -> Manage external collaboration settings:

Starting March 2021, the Onetime Passcode feature will be enabled by default for all new and existing tenants. If the feature should not be available, it must be disabled.

Users who want to use Onetime Passcode for login must login using a link that contains the Tenant context. For example: https://%tenant name%.sharepoint.com/teams/demo

Direct links to applications and resources also work if they contain the tenant context. Logging in using endpoints that do not contain the Tenant context is currently not possible. For example, using https://myapps.microsoft.com, https://portal.azure.com results in an error.

User experience for Onetime Passcode

When accessing an Office 365 resource, the user is prompted to authenticate. It does not matter whether the access is done via the browser or via an app. If an Onetime Passcode is used for authentication, the dialog looks like this:

Onetime Passcodes are valid for 30 minutes. After 30 minutes, the respective one-time passcodes is no longer valid and the user must request a new one. Sessions expire after 24 hours.

Access works for services belonging to the Microsoft 365 Group, such as SharePoint, Planner or Teams. Access to, for example, PowerBI or Microsoft Stream did not work when this article was written.

Administration / Inviting a guest user via Onetime Passcode

To enable a guest user to log in via the Onetime Passcode feature, they must be created/invited as follows. The guest user is invited in Azure AD to the Microsoft 365 group belonging to the SharePoint site or Microsoft Team with his email address:

The user will then receive the following email:


When clicking on the link in the mail, the steps described under "User experience for Onetime Passcode" will follow. It depends on the user / account whether he can log in via username & password or the Onetime Passcode option is used. The user will receive an email / Onetime Passcode if:

  • He does not have an Azure AD account.
  • He does not have a Microsoft account (Live ID)

At the time of invitation, there is no way to verify whether the user being invited will use the Onetime Passcode option or not. The option, if enabled in the tenant, is available as a fallback if no other authentication method can be used.

Whether a user will use the Onetime Passcode method can be checked in the user profile details after the first login:







Keine Kommentare:

Kommentar veröffentlichen