OTP Issue:

A user is marked as OTP type if Microsoft is not able to determine whether the user can authenticate via Azure AD, a Microsoft account, etc. There have been a few scenarios where the user can authenticate but Microsoft still marks them as OTP type.

There is no way to convert the user type; the only workaround is to send the invitation again and see whether the user is prompted to create a Microsoft account etc.

The recommendation is to enable Google federation for @gmail.com users (a one-time setup that covers any Gmail user) as well as direct federation for users with G Suite business accounts (this has to be done for each new G Suite domain), so that Gmail users can log in with their own credentials and do not fall back to OTP.

  • This does not fix the problem for existing users; they would have to be re-invited.

It is also possible that the one-time passcode preview feature was previously opted into and later disabled.

This is the flow diagram to understand the guest invitation process.

Guest Invitation Issue

The guest account invitation process differs between Azure AD and SharePoint: SharePoint creates the account after acceptance, whereas Azure AD creates the account first and then enables it once the invitation is accepted.

This is why the recommendation is to invite users through Azure Active Directory.

For issues with an existing user:

  • Delete the guest user from portal.azure.com and then from Deleted users as well.
  • Verify whether that user shows up in SharePoint and remove it using Remove-SPOExternalUser; cross-check that the user is gone from SharePoint.
  • Now invite the user from Azure Active Directory. Once the user accepts the invitation, grant permissions to the SharePoint sites.
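
The three steps above as a script. This is an added example, not part of the original notes. It assumes the Microsoft Graph PowerShell and SharePoint Online Management Shell modules are installed; the guest address, tenant admin URL and redirect URL are placeholders.

```powershell
# Placeholders (assumptions, not values from the page)
$GuestEmail  = 'guest.user@example.com'
$SpoAdminUrl = 'https://contoso-admin.sharepoint.com'
$RedirectUrl = 'https://myapplications.microsoft.com'

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.Invite.All'
Connect-SPOService -Url $SpoAdminUrl

# Step 1: delete the guest, then purge it from "Deleted users" so the old
# object (and its stored sign-in type) cannot be restored by accident.
$guests = Get-MgUser -Filter "mail eq '$GuestEmail'" -Property Id, Mail, UserType -All |
    Where-Object { $_.UserType -eq 'Guest' }
foreach ($g in $guests) {
    Remove-MgUser -UserId $g.Id
    # The soft-deleted object can take a moment to appear; retry if this fails.
    Remove-MgDirectoryDeletedItem -DirectoryObjectId $g.Id
}

# Step 2: remove any leftover SharePoint external user record.
# -Filter matches on name or e-mail, so narrow to the exact address.
$spoUsers = Get-SPOExternalUser -Filter $GuestEmail -PageSize 50 |
    Where-Object { $_.Email -eq $GuestEmail }
if ($spoUsers) {
    Remove-SPOExternalUser -UniqueIDs @($spoUsers.UniqueId) -Confirm:$false
}

# Cross-check: stop here if SharePoint still knows the user.
$leftover = Get-SPOExternalUser -Filter $GuestEmail -PageSize 50 |
    Where-Object { $_.Email -eq $GuestEmail }
if ($leftover) {
    throw "External user $GuestEmail is still present in SharePoint."
}

# Step 3: invite through Azure AD, not through a SharePoint share.
$invitation = New-MgInvitation -InvitedUserEmailAddress $GuestEmail `
    -InviteRedirectUrl $RedirectUrl -SendInvitationMessage:$true

# Grant SharePoint site permissions only after this shows 'Accepted'.
Get-MgUser -UserId $invitation.InvitedUser.Id -Property Id, Mail, ExternalUserState |
    Select-Object Mail, ExternalUserState
```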

Microsoft 365 external sharing and Azure Active Directory (Azure AD) B2B collaboration

https://docs.microsoft.com/en-us/azure/active-directory/external-identities/o365-external-user

Also, if you continue to receive the error, you can do the following:

  • Delete user

Why is a user showing as OTP type?

The user type is determined when a guest user redeems an invitation. They will receive a one-time passcode if, also if Microsoft isn’t able to determine the correct type, they will force it to OTP users.

Add Google as an identity provider for B2B guest users

https://docs.microsoft.com/en-us/azure/active-directory/external-identities/google-federation

I’m not sure how important OTP will be for Office 365. Obviously, Office 365 has a set of applications which support external access that need to be updated for OTP, but when access is considered for someone outside the company, those controlling the resources might prefer to use another authentication method. We’ll see in time. Meantime, if you do use OTP and need to switch a guest to another authentication method, remember that this is only possible by removing the guest account and reissuing an invitation.