Microsoft SharePoint One-Time Passcodes Are Retiring: What To Do Next
If your organisation uses SharePoint Online or OneDrive for Business to share files with external users, there's a change you need to act on.
Microsoft published Message Center post MC1243549 announcing the retirement of SharePoint One-Time Passcode (SPO OTP) authentication. New external sharing invitations switched to Microsoft Entra B2B starting May 2026. Existing OTP-based sharing links will stop working entirely by August 31, 2026.
If your team hasn't reviewed this yet, some of your external collaborators may already be losing access or are about to.
Summary
- Microsoft is retiring SharePoint One-Time Passcode (OTP) authentication for external sharing
- New invitations moved to Entra B2B from May 2026; all OTP links retired by August 31, 2026
- Existing OTP-based sharing links will stop working — external users lose access unless reshared via guest accounts
- Any organisation that shares SharePoint or OneDrive files, folders, or sites with external users using the OTP method
- Action Required: Identify OTP-shared content, reshare via Entra B2B guest accounts, and communicate the change to affected external users
- MC reference: MC1243549
What Is SharePoint One-Time Passcode (OTP) Authentication?
SharePoint OTP is an external sharing mechanism that lets people outside your organisation access shared SharePoint or OneDrive content by entering a temporary email code (no Microsoft account required).
When an internal user shares a file or folder with an external email address, that person receives an email containing a short-lived passcode. They enter it, get access, and the passcode expires. No guest account is created in your directory, no Conditional Access policy applies, and your IT team has limited visibility into who accessed what.
For many organisations, this felt convenient. Files got shared, no accounts needed to be provisioned, no approvals required.
That convenience has always come with a security trade-off — and as Microsoft moves to modernise identity governance across Microsoft 365, it's one that's no longer accepted.
Why Microsoft Is Retiring OTP and Why It Matters
The shift to Microsoft Entra B2B reflects a fundamental change in how Microsoft expects you to manage external identity.
Under the OTP model:
- No guest account is created in your Entra ID directory
- Conditional Access policies do not apply to OTP sessions
- You cannot enforce MFA on external users accessing content via OTP
- Audit logs provide limited traceability
- There is no mechanism to revoke access for a specific external user without deleting the sharing link entirely
Under Entra B2B:
- Every external collaborator gets a guest account in your directory
- Your Conditional Access policies apply, including MFA requirements
- Access can be reviewed, governed, and revoked per user
- Audit trails are unified alongside internal user activity
For organisations subject to ISO 27001, Cyber Essentials, NIS2, or sector-specific data governance requirements, the OTP model has represented a gap in external identity governance. Microsoft's retirement removes OTP as an option, but the security and compliance benefits of Entra B2B are only realised if your organisation actively manages the transition and configures guest access appropriately.
The Disruption Risk: Existing Links Stop Working
This is the part that catches organisations off guard.
It's not just that new shares will work differently. Existing sharing links created using OTP authentication will stop working by August 31, 2026. External users who currently access your SharePoint and OneDrive content via OTP links will lose access — silently, with no automatic notification to them or to you.
Think about what that means in practice:
- A supplier who accesses a shared folder of compliance documents
- A consultant reviewing a project site
- A client receiving a shared report via OneDrive
If those links were created via OTP, they will break. The external user will hit an error and will contact the internal user who shared it (if they can find them). That internal user may have left, or may not understand why the link is broken.
As Tony Redmond notes, the transition creates a proliferation of guest accounts that organisations may not be prepared to manage. But unmanaged guest accounts are a better security posture than unmanaged OTP links with no audit trail.
How to Prepare for SharePoint OTP Retirement Before August 31
Step 1: Understand your current OTP exposure
Run a SharePoint sharing report or use the SharePoint admin centre to identify content shared via OTP. The SharePoint admin centre provides external sharing reports that can help surface OTP-authenticated links.
Step 2: Review your Entra B2B and guest access settings
Check that your organisation's Entra External Identities settings allow B2B guest invitations. If your organisation has previously restricted guest account creation, this may need adjustment before resharing can proceed. You can view MC1243549 on ChangePilot for a structured breakdown of the change.
Step 3: Preserve access for existing external users before July
For external users who currently have access via OTP links, you have two options:
- Proactively create guest accounts in your Entra ID directory for those collaborators. This is the approach Microsoft recommends in its FAQ: existing shared links will continue to work once a guest account exists for that user, without needing to reshare.
- Reshare the content via the Entra B2B method. The external user receives a new invitation, a guest account is created, and they authenticate using their existing work, school, or Microsoft account.
Proactively creating guest accounts is preferable when you have a known list of external collaborators, as it avoids broken links entirely.
Step 4: Communicate with affected external users
Don't let your external collaborators discover this through a broken link. Proactively reach out to external users who rely on OTP-shared content and let them know access will be refreshed via a new invitation.
Step 5: Prepare your helpdesk
Expect inbound queries from external users who suddenly cannot access content. Brief your helpdesk team on the change, the timeline, and the resharing process before August 31, not after.
Step 6: Review your guest account lifecycle processes
Entra B2B creates guest accounts. Those accounts need to be governed. If you don't already have an Access Review process in Entra ID, now is the time to set one up, particularly before a wave of new guest accounts lands in your directory.
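The guest pre-creation in Step 3 and the state tracking that Step 6 depends on can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not Microsoft's or this article's own script; the collaborator addresses are constructed, the redirect URL is a placeholder, and `Add-GuestIfMissing` is a hypothetical helper name.

```powershell
# Added example: pre-create Entra B2B guests for known OTP collaborators (Step 3)
# and record each guest's redemption state for later lifecycle review (Step 6).
# Requires the Microsoft.Graph PowerShell module and an admin who can invite guests.
Connect-MgGraph -Scopes 'User.Invite.All', 'User.Read.All'

# Constructed sample input: replace with the addresses from your sharing report.
$collaborators = @('supplier@example.com', 'Consultant@example.net', 'supplier@example.com')
# Placeholder landing page shown to the guest after redemption.
$redirectUrl = 'https://contoso.sharepoint.com'

function Add-GuestIfMissing {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Email,
        [Parameter(Mandatory)][string]$RedirectUrl
    )

    # OData string literals escape a single quote by doubling it.
    $safe = $Email.Replace("'", "''")
    # UserType and ExternalUserState are only returned when requested explicitly.
    $existing = Get-MgUser -Filter "mail eq '$safe'" -Property Id, Mail, UserType, ExternalUserState |
        Where-Object UserType -eq 'Guest' | Select-Object -First 1

    if ($existing) {
        # Do not re-invite: a guest object already exists for this address.
        return [pscustomobject]@{ Email = $Email; Action = 'AlreadyGuest'
                                  State = $existing.ExternalUserState; UserId = $existing.Id }
    }
    if ($PSCmdlet.ShouldProcess($Email, 'Create Entra B2B guest invitation')) {
        # No e-mail is sent here; the organisation contacts users itself (Step 4).
        $inv = New-MgInvitation -InvitedUserEmailAddress $Email `
            -InviteRedirectUrl $RedirectUrl -SendInvitationMessage:$false
        return [pscustomobject]@{ Email = $Email; Action = 'Invited'
                                  State = $inv.Status; UserId = $inv.InvitedUser.Id }
    }
    [pscustomobject]@{ Email = $Email; Action = 'WouldInvite'; State = $null; UserId = $null }
}

# Normalise and de-duplicate so each collaborator is handled once.
# -WhatIf makes this a dry run; remove it to create the guest accounts.
$report = $collaborators |
    ForEach-Object { $_.Trim().ToLowerInvariant() } |
    Sort-Object -Unique |
    ForEach-Object { Add-GuestIfMissing -Email $_ -RedirectUrl $redirectUrl -WhatIf }

$report | Format-Table -AutoSize
```

Keep the resulting report: guests still in `PendingAcceptance` after the retirement date are the first candidates for an Access Review or cleanup.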
The Broader Pattern of M365 Change
OTP retirement is part of a consistent direction of travel from Microsoft: consolidating external identity under Entra ID, enforcing Conditional Access as a baseline, and closing off older authentication mechanisms that pre-date modern identity governance.
It follows the same logic as the end of Basic Authentication, the deprecation of legacy protocols, and the push toward phishing-resistant MFA. Microsoft is tightening the security baseline across Microsoft 365 by changing defaults and retiring features, rather than waiting for organisations to opt in.
The challenge is that each of these changes lands as a Message Center notification, often with a deadline measured in weeks or months. Most IT teams don't have a reliable system for catching every one that affects them. This is what M365 evergreen change looks like at scale, and the OTP retirement has already drawn significant discussion across the Microsoft community.
Frequently Asked Questions
What is SharePoint One-Time Passcode (OTP) authentication?
SharePoint OTP is a method that lets external users access shared SharePoint or OneDrive content by entering a temporary email code, without needing a Microsoft account or guest account. Microsoft is retiring this method and replacing it with Microsoft Entra B2B guest accounts. The change is documented in Message Center post MC1243549.
When do SharePoint OTP sharing links stop working?
Microsoft began switching new external sharing invitations to Entra B2B in May 2026. OTP retirement begins July 2026. Existing OTP-based sharing links will start failing from that point, with full retirement across all Microsoft 365 environments complete by August 31, 2026.
Does this affect existing sharing links?
Yes. This is the critical point. OTP retirement begins July 2026, meaning existing OTP-based sharing links will start failing from that point. To preserve access, you can either proactively create Entra B2B guest accounts for existing external collaborators (which allows their current links to keep working) or reshare the content via a new B2B invitation. Full retirement is complete across all Microsoft 365 environments by August 31, 2026.
What is Microsoft Entra B2B and how is it different?
Microsoft Entra B2B (formerly Azure AD B2B) creates a guest account in your directory for each external collaborator. Unlike OTP, Entra B2B allows you to enforce Conditional Access policies, require MFA, conduct Access Reviews, and maintain a full audit trail of external user activity.
Do I need to do anything before July 2026?
Yes, and July is the more accurate deadline to work to, as that is when OTP retirement begins and links start failing. You should identify content shared via OTP, then either proactively create guest accounts for those external users or reshare the content via B2B invitation. Communicate the change proactively. Doing nothing means external collaborators will begin losing access from July 2026.
Will this create a lot of guest accounts in our directory?
Yes. Every external user reshared via Entra B2B will have a guest account created in your Entra ID directory. This is by design — it gives you governance and control. If you don't already have a guest account lifecycle or Access Review process, plan to implement one alongside this transition.
What if we have strict external sharing restrictions?
If your organisation has previously disabled or restricted guest account creation in Entra External Identities, you will need to review those settings before the August 31 deadline. If guest accounts cannot be created, external users will not be able to access content at all after OTP retirement.