Change in the share to specific users process in SharePoint Online and OneDrive for Business

Recently, this appeared in the Microsoft 365 message center:

[OneDrive for Business, SharePoint Online] New Tenants as of March 31 will have Azure B2B Integration with SharePoint enabled by Default [MC526130]

Description

Message ID: MC526130

Published date: 11/03/2023

Category: Stay informed

Tags: Admin impact

Relevance: Processing

We’re making some changes to the default configuration for new tenants for Azure B2B integration with SharePoint & OneDrive.

When this will happen:

Starting March 31, 2023, new tenants will have Azure B2B Integration with SharePoint & OneDrive enabled by default.

How this will affect your organization:

This message is for your information and there is no impact to existing tenants or tenants created before March 31, 2023.

What you need to do to prepare:

No change is needed for existing customers. New tenants can opt out of using Azure B2B Integration using the SharePoint Online Management Shell.Please click Additional Information to learn more.

The major impact of this is that going forward, all newly created tenants will have this Azure B2B integration enabled by DEFAULT. That changes the way many have become familiar with when it comes to sharing files with specific users via an email address.

With this Azure B2B integration enabled the process now looks like:

The initial sharing process is identical. You select the files to share from the source location. Next, select the external user to share the file with, typically using their email address. Then you share the file as per usual. Nothing different yet.

The external user (in this case a Gmail account) gets a normal sharing message like shown above. They click on the link as usual and see:

They click Next and see:

They then select Send code to obtain an access code via email. Still nothing appears to be different.

In the background however, things are quite different. As you can see above, an Azure B2B account is created in the source Azure AD for this external user.

After the destination user enters the sharing code they receive in email, the experience changes.

Because the sharing process has created a new guest Azure B2B account in the source tenant, all the security of the source Azure AD environment is enforced.

In this example, the tenant has Security defaults enabled, which is also now on by default in new M365 environments.

This will force the destination user who wants access to the document to enrol in MFA for M365 as shown above.

Only after they complete that process are they able to view the document as seen above.

Depending on how the source environment where the originating sharing is coming from is configured, the external user may also need to Accept the permission consent like shown above.

The key change now is that Azure B2B integration with SharePoint & OneDrive. is now ON by default.

The other unfortunate thing is that I don’t believe there is option where you can control this in the M365 administration portal. You must use PowerShell.

To view whether Azure B2B integration is on, you’ll need to connect to SharePoint Online with PowerShell. You can use my free script to do so here:

https://github.com/directorcia/Office365/blob/master/o365-connect-spo.ps1

Once you have successfully done that, as shown above, run the command:

Get-SPOTenant | Select *B2B*

If the result of this is True as shown above, then Azure B2B integration is enabled.

In summary then, if you have a new tenant in Microsoft 365 it will have Azure B2B integration with SharePoint and ODFB ENABLED and Security defaults ENABLED. That means when you share a file with a specific email address, that user will be required to complete MFA enrolment.

If you have a tenant that also includes Conditional Access, which would be operating in place of Security defaults, then the external user that the document is shared will be subject to your Conditional Access policies like any other user!  This means, for example, if you have a Conditional Access policy that does location blocking (by IP address typically), and the external user is outside the allowed configured locations, their access to that document will be blocked.

For example, if you have a Conditional Access policy that only allows compliant devices, the email received by the external looks like:

and clicking on the document link results in:

given that the device the external user is on is not compliant as it is not part of the source Azure AD.

The official Microsoft documentation on this is here:

SharePoint and OneDrive integration with Azure AD B2B

and importantly, if you want to disable the Azure AD B2B integration you must return to PowerShell and run the command:

Set-SPOTenant -EnableAzureADB2BIntegration $false

When the Azure B2B Integration feature is enabled is makes a big change to the way that specific sharing is done. Having that now enabled by default on tenants is going to be a surprise to those who are not aware of this. Hopefully though, given you have read this far, you’ll be prepared for and can make an informed decision as to whether you want the additional security for external user sharing to be subject to your Azure AD policies. You’ll also know how to turn it off if you don’t want it.