SharePoint OTP Retirement Is Coming in July 2026 — What IT Admins Need to Do Before Access Breaks

Starting July 2026, external users who access OneDrive and SharePoint files through legacy SPO OTP links will begin receiving access denied errors, silently, with no automatic notification to them or to you.

If your organization shares files and folders externally at any volume, some of those external collaborators are on links that will stop working. Vendors, clients, auditors, external partners — anyone who accessed your SharePoint Online or OneDrive for Business content through a temporary email code without a Microsoft account is at risk.

Microsoft announced this transition in Microsoft 365 Message Center notification MC1243549: SharePoint One-Time Passcode (SPO OTP) authentication is being retired, and all external sharing is moving to Microsoft Entra B2B. This post covers what is actually changing, who loses access in July, what you need to do before that deadline, and the longer-term guest governance problem this transition creates.

Important clarification before we go further:

Email one-time passcode authentication is NOT being retired. Microsoft Entra B2B uses email OTP as its default authentication method for guests who have no Microsoft account or Google federation identity. What is retiring is SharePoint’s own standalone OTP mechanism — the one that let external users access content without any Entra identity at all. These are two different systems.

What Is Actually Changing

Under the legacy SPO OTP model, when an internal user shared a file or folder with an external email address, SharePoint sent the recipient a temporary email code. The recipient entered that code, got access, and left no trace in your Microsoft Entra ID directory. No guest account was created. No Conditional Access applied. No multifactor authentication was enforced. These users were invisible to your identity governance.

Under Microsoft Entra B2B, that changes entirely. External sharing invitations now route through the Microsoft Entra B2B Invitation Manager instead of SharePoint’s OTP flow. When an internal user shares a file or folder with an external email address, a guest account (userType = Guest) is automatically created in your Microsoft 365 tenant directory. The external user authenticates using their existing work or school account, a guest Microsoft account, Google federation, or — if none of those apply — email OTP via Entra B2B.

The result: every external collaborator now has a directory identity in your tenant, is subject to your Conditional Access policies, and produces a sign-in record in your Microsoft Entra ID audit logs. For compliance — SOC 2, ISO 27001, HIPAA, NIS2 — this closes a real governance blind spot that SPO OTP left open for years.

The retirement timeline per MC1243549:

  • May–June 2026: new external sharing invitations switch to Microsoft Entra B2B automatically
  • July 2026: SPO OTP retirement begins — legacy OTP-authenticated links start returning access denied for users without a B2B guest account
  • August 31, 2026: full retirement completes across all commercial, government, and sovereign Microsoft 365 tenants
  • The EnableAzureADB2BIntegration tenant setting no longer controls external sharing behavior from May 2026 — the option to disable Entra B2B integration is being removed

Anonymous links are not affected:

SPO OTP retirement and the move to Entra B2B does not impact ‘Anyone’ or anonymous links. Expiring anonymous link behavior remains unchanged. However, anonymous links apply no Entra policies and are not recommended for governed external collaboration.

Who Gets Locked Out in July 2026

Not every external user is affected. The impact depends on when the share was created and whether the external user already has a B2B guest account in your directory.

  • Already has a B2B guest account: no change. Existing B2B guests keep access to all previously shared content without any action required.
  • Shared after your tenant rolled over to Entra B2B (May–June 2026): guest account was auto-created via the Entra Invitation Manager at share time. These users are fine.
  • Shared before rollout, no B2B guest account: SPO OTP authentication continues until July 2026. After July, access denied — until an admin manually creates a B2B guest account or an internal user re-shares at least one file, folder, or site to trigger auto-provisioning.

That third category is where the business risk sits. Any external party who received a SharePoint or OneDrive sharing link before your tenant switched over and who has never authenticated through Entra B2B — vendors mid-project, clients reviewing documents, auditors with active access to compliance files, long-term partners — will lose access without warning.

How to identify who is at risk

Run these before July:

  • External sharing report: in the SharePoint admin center, filter for guests using the IsEmailAuthenticationGuestUser property to identify SPO OTP users without B2B guest accounts
  • Microsoft Purview audit logs query: search for EmailAuthOTPAuthenticationSucceeded over the past 180 days to find external users still actively authenticating via SPO OTP
  • PowerShell: Get-MgUser -Filter "userType eq 'Guest'" -All to enumerate current B2B guest accounts and cross-reference against SharePoint sharing reports
  • Microsoft 365 admin center: external sharing policies and guest access settings show current tenant configuration
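
The cross-reference described in the list above, as an added example (not code from the original post or from Microsoft): it takes audit rows and guest rows and returns the addresses that authenticated via SPO OTP but have no B2B guest account. The function names, the column names, the identifier prefix in the audit UserId values and all sample rows are assumptions constructed for illustration. Guest UPNs are normalized because the #EXT# form does not match the external address directly.

```powershell
# Added example; sample rows are constructed. Column names (Operation, UserId,
# CreationDate, Mail, UserPrincipalName) are assumptions about your exports.
function Get-NormalizedEmail {
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return $null }
    $v = $Value.Trim().ToLowerInvariant()
    # Guest UPN form: alice_contoso.com#EXT#@tenant.onmicrosoft.com
    if ($v -match '^(?<local>.+)_(?<domain>[^_#]+)#ext#@') {
        return "$($Matches.local)@$($Matches.domain)"
    }
    # Assumed audit form: an identifier prefix ending in '#' before the address
    return ($v -split '#')[-1]
}

function Find-OtpUserWithoutGuest {
    param([object[]]$AuditRecords, [object[]]$Guests)
    $known = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($g in $Guests) {
        foreach ($id in @($g.Mail, $g.UserPrincipalName)) {
            $e = Get-NormalizedEmail $id
            if ($e) { [void]$known.Add($e) }
        }
    }
    $AuditRecords |
        Where-Object { $_.Operation -eq 'EmailAuthOTPAuthenticationSucceeded' } |
        Group-Object { Get-NormalizedEmail $_.UserId } |
        Where-Object { $_.Name -and -not $known.Contains($_.Name) } |
        ForEach-Object {
            $seen = @($_.Group | ForEach-Object { [datetime]$_.CreationDate } | Sort-Object)
            [pscustomobject]@{ Email = $_.Name; OtpSignIns = $_.Count; LastSeen = $seen[-1] }
        } |
        Sort-Object LastSeen -Descending
}

# Constructed sample data standing in for an audit export and a guest listing
$op = 'EmailAuthOTPAuthenticationSucceeded'
$audit = @(
    [pscustomobject]@{ CreationDate = '2026-03-02 09:14'; Operation = $op; UserId = 'urn:spo:guest#auditor@fabrikam.example' }
    [pscustomobject]@{ CreationDate = '2026-04-18 16:40'; Operation = $op; UserId = 'urn:spo:guest#Auditor@Fabrikam.example' }
    [pscustomobject]@{ CreationDate = '2026-04-20 11:05'; Operation = $op; UserId = 'vendor@contoso.example' }
    [pscustomobject]@{ CreationDate = '2026-04-21 08:30'; Operation = $op; UserId = 'legal@northwind.example' }
    [pscustomobject]@{ CreationDate = '2026-04-22 10:00'; Operation = 'FileAccessed'; UserId = 'urn:spo:guest#temp@adatum.example' }
)
$guests = @(
    [pscustomobject]@{ Mail = 'Vendor@Contoso.example'; UserPrincipalName = 'vendor_contoso.example#EXT#@tenant.onmicrosoft.com' }
    [pscustomobject]@{ Mail = $null; UserPrincipalName = 'legal_northwind.example#EXT#@tenant.onmicrosoft.com' }
)

Find-OtpUserWithoutGuest -AuditRecords $audit -Guests $guests | Format-Table -AutoSize
```

The rows it returns are the candidates for Option 1 or Option 2 below; sorting by LastSeen puts the most recently active relationships first.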

How to restore or preserve access

  • Option 1 (recommended): proactively create Entra B2B guest accounts for active OTP users before July. This avoids the access denied window entirely.
  • Option 2: have an internal user share or re-share at least one file, folder, or site to the external user’s email — this auto-triggers guest account creation via the Entra B2B Invitation Manager and restores access to all previously shared content.

The Governance Problem That Starts After August 31

The SPO OTP retirement closes the identity governance gap. It also opens a new one.

From August 31 onward, every external file or folder share automatically creates a permanent Entra B2B guest account in your Microsoft 365 tenant. For organizations that share externally at volume, guest accounts accumulate fast. Microsoft’s own deployment documentation acknowledges this directly: external user accounts created in the tenant become stale over time when those users stop needing access. Research across large tenants puts guest counts at 2–4 times the number of internal employees in organizations with active external collaboration.

The question is not whether guest sprawl happens. It is whether you have a process to manage it.

What Microsoft provides natively — and what it costs

Conditional Access and multifactor authentication now apply to all B2B guests automatically — that part is included at E3. The lifecycle management tools are a different story:

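| Capability                    | E3 (Entra P1) | E5 (Entra P2) | Entra ID Governance |
|-------------------------------|---------------|---------------|---------------------|
| Conditional Access            | Yes           | Yes           | Yes                 |
| Entra ID access reviews       | No            | Yes           | Yes                 |
| Lifecycle Workflows           | No            | No            | Yes                 |
| Inactive guest report         | No            | No            | Yes                 |
| Approval workflows for guests | No            | Partial       | Yes                 |
| NDA/compliance doc signing    | No            | No            | No                  |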

E3 organizations get Conditional Access but no Entra ID access reviews, no Lifecycle Workflows, and no inactive guest automation. Full automated lifecycle management requires Entra ID P2 (included in E5) for access reviews, or the separate Entra ID Governance add-on for complete automation including inactivity-based removal. Microsoft does not natively provide structured invitation workflows with compliance document signing at any license tier.

How Solutions2Share External User Manager Fills the Gap

Solutions2Share External User Manager (EUM) is a Microsoft 365 app — ISO/IEC 27001:2022 certified, available on Microsoft AppSource — that governs the Entra B2B guest lifecycle across your Microsoft 365 tenant, including guests created by ad-hoc SharePoint and OneDrive file sharing.

Solutions2Share built EUM specifically in response to the SPO OTP retirement. Their Guest Import feature scans the entire Microsoft 365 tenant and surfaces all existing guest accounts — including those auto-created through SharePoint and OneDrive shares outside of Teams or Microsoft 365 Groups. From there, EUM applies structured lifecycle management to accounts that have no governance framework.

What EUM provides that Microsoft native E3 does not:

  • Structured invitation workflows: guest access is requested and approved through defined processes — team owner or admin approval, defined access scope, compliance document signing (NDA, GDPR agreements, PDF/video/HTML, DocuSign integration) before access is granted
  • Automated lifecycle rules: time-based expiry, inactivity-based removal, and trigger/metadata-based lifecycle — without requiring E5 or Entra ID Governance licensing
  • Access reviews without E5: automated review notices route to the inviting user on a configurable schedule — for example, the user who invited a guest receives a review request after 60 or 90 days
  • Guest removal: EUM can remove a guest from the Microsoft 365 tenant and from Entra ID (Azure Active Directory), not just from Teams
  • Audit reporting: CSV export of guest metadata, lifecycle events, and signed compliance documents — supports security audits and compliance documentation

For organizations on E3 (Entra P1) without a license upgrade in budget, EUM is the practical path to guest lifecycle management without a licensing tier jump.

What to Do Before July 2026

Microsoft’s official position is that no admin action is required. That is technically accurate — the transition is automatic. What it does not account for is the access denied window that starts in July for any external user on a pre-rollout OTP link without a B2B guest account.

Work through this before the deadline:

  • Check your tenant setting: run Get-SPOTenant | Select EnableAzureADB2BIntegration to confirm current state (this setting will be removed after May 2026)
  • Generate external sharing reports: use the SharePoint admin center external sharing report and PowerShell to identify OTP users without B2B guest accounts — prioritize active business relationships first
  • Run a Purview audit log query: search Microsoft Purview audit logs for EmailAuthOTPAuthenticationSucceeded over 180 days to find users still actively using SPO OTP
  • Preserve access proactively: create B2B guest accounts for active OTP users before July, or trigger auto-provisioning by re-sharing at least one file via the Entra Invitation Manager
  • Verify Entra prerequisites: confirm your Microsoft Entra organizational relationships and Entra B2B Collaboration policy allow guest invitations, and that email OTP for B2B guests is not disabled in Entra External ID settings
  • Plan for guest sprawl: decide your governance model before the auto-provisioning volume builds. If you are on E3 without Entra P2/Governance budget, evaluate a lifecycle tool before the accounts accumulate

What Windows Management Experts Can Do

The pre-July cleanup is a one-time task. The guest lifecycle governance problem — deciding which tools to use, configuring lifecycle rules, setting up access reviews, onboarding external users with compliance documentation — is ongoing and gets harder to manage the longer it goes unaddressed.

WME is a Microsoft Solutions Partner with a Modern Work practice. We implement Solutions2Share External User Manager and help organizations build a guest governance framework before guest sprawl becomes an audit liability. If you are working against the July 2026 deadline or building a governance model from scratch, we can help.
