MC1243549: SharePoint and OneDrive Retire One-Time Passcode and Shift External Sharing to Microsoft Entra B2B

MWPRO IMPACT SCORE
OPERATIONAL IMPACT
69
0 25 50 75 100
HIGH IMPACT • REVIEW RECOMMENDED
Recommended Action:
Review the update and plan any required actions before rollout.
What is MWPro Impact Score? Watch our 60‑second explainer

Primary Audience

Microsoft 365 AdminsSharePoint AdminsTeams AdminsSecurity TeamsCompliance TeamsIT ManagersService Owners
Why this score?
AI Confidence
HIGH
Enough detail is available to trust this assessment.
Assessment Reasoning
This update reconfirms the retirement of SPO OTP and its reschedule details. Admins must review external sharing and Conditional Access settings, configure Entra B2B, assign guest inviter roles, and prepare for October enforcement. External users without guest accounts will lose access after retirement, requiring communication and possibly proactive account creation. Effort is moderate to high due to potential configuration changes, monitoring, and governance updates.
85
🛡️ Admin Impact
40
👥 User Impact
65
Urgency
70
🔧 Effort
ℹ️ WHAT YOU NEED TO KNOW
📌

AT A GLANCE

SharePoint’s email one-time passcode sign-in is being retired. External sharing will require Microsoft Entra B2B guest accounts instead.
👥

END USERS

External users without a guest account may lose access to older links after October 2026.
🛡️

IT ADMINS

Review external sharing and guest access settings, enable guest invitations, and inform users about possible access issues from October.
📅

ROLLOUT TIMELINE

Upcoming:
October 2026

📢 Official Microsoft Message Center Announcement


(Updated) Retirement of SharePoint One-Time Passcode (SPO OTP) and transition to Microsoft Entra B2B
Message ID: MC1243549 (Updated)

Updated June 17, 2026: Phase 1, which enables Entra B2B for new external sharing, is now fully rolled out for Production environments. To ensure a smooth transition, Phase 2, the retirement of SharePoint Online OTP, has been rescheduled to begin on October 1 and is expected to complete by October 31 for Production environments.


Both Phase 1 and Phase 2 roll outs exclude GCC, GCCH & DoD. New dates for these environments will be communicated via Message center when we are ready to proceed. Thank you for your patience.

[Introduction]

We are retiring SharePoint One‑Time Passcode (SPO OTP) authentication in OneDrive and SharePoint starting October 2026. Beginning in May 2026, new external sharing invitations and authentication will start using Microsoft Entra B2B instead of SPO OTP. This transition simplifies external collaboration, aligns authentication with Microsoft identity standards, and enables consistent guest lifecycle management, governance, and Conditional Access coverage across Microsoft 365.

[When this will happen]

  1. May & June 2026: Invitation and authentication for new external sharing transitions to Microsoft Entra B2B. Users who previously authenticated via SPO OTP will continue to have access to specific people links even without a B2B guest account yet.
  2. October 2026: Retirement of SPO OTP authentication begins. External users without a guest account get access denied on previously shared specific people links. To restore access, a guest account must be created in Entra B2B, or an allowed user must share/re-share at least one file/folder/site.
  3. Retirement is expected to complete by October 31, 2026.

[How this affects your organization]

Who is affected

  1. All Microsoft 365 tenants (commercial, government, sovereign).
  2. All external users who access OneDrive or SharePoint files, folders, or sites.

What will happen

  1. The EnableAzureADB2BIntegration setting will no longer control external sharing behavior beginning May 2026.
  2. SPO OTP authentication will retire beginning October 2026.
  3. The option to disable Entra B2B integration will be removed.

Impact on external users

  1. External users who already have an Entra B2B guest account in your directory:
  2. No change in behavior.
  3. External users without a B2B guest account:
  4. Specific people links shared after changes rolled out to your tenant: A guest account will be automatically created via the Entra B2B Invitation Manager and authentication will use Entra B2B. The email one-time passcode feature is now turned on by default for all new tenants and for any existing tenants where you haven’t explicitly turned it off. Please refer to this article to learn more.
  5. Specific people links shared before changes rolled out to your tenant: SPO OTP authentication continues until October 2026. After October 2026, these users will receive access denied until a matching B2B guest account exists.

Restoring access after retirement

  1. Admins can manually create a guest account for the external user at any time. Alternatively, an internal user with permissions needs to share or re-share at least one file, folder, or site, which will automatically create the guest account and restore access to all previously shared content.

[What you need to do to prepare]

To ensure a smooth transition:

  1. Review external sharing policies and conditional access settings for guests in SharePoint and Entra admin centers.
  2. Ensure that Microsoft Entra is configured to allow guest invitations for the appropriate users. For example, assign the Guest Inviter role to users who need external sharing or are responsible for creating guest accounts.
  3. Inform users that, beginning in October 2026, some external collaborators may see an access denied message when opening older links that were previously authenticated with SharePoint Online OTP. This can occur if a matching B2B guest account was not created for the email address used with the original sharing link.
  4. To restore access, users can share or reshare at least one file with the external collaborator. This creates the required B2B guest account, after which the collaborator can continue accessing previously shared links.
  5. If your organization relies on email OTP authentication via Entra, ensure it is not disabled in Entra External ID settings. See Email OTP for B2B guests.
  6. Optionally, identify external collaborators without guest accounts via external sharing reports. Proactively create guest accounts to retain access.
  7. Update internal documentation.

Learn more:

  1. Add and manage B2B collaboration users in the Microsoft Entra admin center | External ID | Microsoft Entra | Microsoft Learn
  2. Email one-time passcode authentication for B2B guest users | External ID | Microsoft Entra | Microsoft Learn
  3. Frequently Asked Questions: Improvements to external sharing in OneDrive & SharePoint | SharePoint in Microsoft 365 | Microsoft Learn
  4. Overview: B2B collaboration with external guests for your workforce | External ID | Microsoft Entra | Microsoft Learn
  5. Quickstart: Add a guest user and send an invitation | External ID | Microsoft Entra | Microsoft Learn
  6. SharePoint and OneDrive integration with Microsoft Entra B2B | SharePoint in Microsoft 365 | Microsoft Learn
  7. Configure external collaboration – Microsoft Entra External ID | Microsoft Learn

[Compliance considerations]

Compliance QuestionAnswer
Does the change alter how existing customer data is accessed, processed, or stored?Yes. This change retires SPO OTP authentication and requires all external users to authenticate using Microsoft Entra B2B guest accounts, which alters the authentication method used to access existing SharePoint and OneDrive content.
Does the change modify Conditional Access policies or enforcement?Yes. After retirement, all external users will authenticate through Entra B2B and become fully subject to Microsoft Entra Conditional Access, Identity Protection, and guest governance policies.
Does the change provide a new way of communicating between users, tenants, or subscriptions?Yes. External sharing invitations will be routed through Microsoft Entra B2B Invitation Manager instead of SharePoint’s OTP invitation flow.
Does the change alter how admins monitor, report on, or demonstrate compliance activities?Yes. Authentication events and guest lifecycle actions will be logged through Entra audit logs rather than SPO OTP logs, changing where admins review authentication and guest access activity.

Source: Microsoft Message Center • Analysed by MWPro

<<< [MC1243549] Archive
Tooltip: View earlier revisions of this post

Latest Posts

Pass It On
Leave a Comment

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply