Microsoft is retiring one-time passcode (OTP) authentication for SharePoint and OneDrive external sharing this year, and it's easy to read that as a routine deprecation notice - one more line item for IT to clear before a deadline. It isn't. OTP links let an external recipient open a shared file by entering a code sent to their email: no account, no directory footprint, nothing to provision or later remove. That's exactly the part going away. If you share files externally, every collaborator who needs continued access after August 31 requires a new directory-backed guest identity, created not because anyone decided your access model should include them, but because a link needs to keep working. That guest then inherits your Conditional Access, Identity Protection, and MFA policies , whether or not anyone decided that should happen.
The timeline:
- May: new external sharing invitations shift to Entra B2B by default.
- July: OTP retirement begins - older OTP links return Access Denied unless a B2B guest account exists or the file is re-shared.
- August 31: full retirement completes across commercial, government, and sovereign tenants.
Why You Should Care
A guest account is a directory identity. It inherits your Conditional Access, Identity Protection, and MFA policies, and it doesn't expire when the project does - it needs a review cadence, an offboarding path, and, for regulated organizations, a place in your access control documentation. It also becomes part of what your DLP policies, sharing platform, and AI systems have to reason about when they touch tenant content. This means that guest accounts can very quickly lead to increasing your attack surface with increased standing privilege if not managed properly.
None of that is new - unmanaged guest accounts are a well-documented governance and security gap. What's new is the scale at which it's about to happen automatically. Every partner, vendor, supplier, and client who has ever clicked an OTP link is a candidate for a guest account your directory didn't have last week, created not because someone decided your access model should include them, but because a link needed to keep working. That's a governance decision. It's just being made by default instead of on purpose.
It lands hardest where external sharing is routine and scrutiny is high - healthcare, financial services, legal, government contracting, anywhere deal rooms and vendor exchanges are part of the job. Try explaining to an auditor, or an acquirer's due-diligence team, why your directory holds thousands of guest accounts with no documented purpose. That conversation gets harder every quarter the accounts sit there unreviewed, and the review workload compounds the same way - most of those accounts will never be touched again, but someone still has to check.
Your alternative today: guest access
Entra B2B is a real fix for authentication. Directory-backed identity and enforced Conditional Access close a genuine gap OTP left open. But it doesn't solve data movement: once a guest authenticates, a downloaded copy of the file is outside your DLP controls, outside your audit trail, and outside your visibility, especially on a partner's laptop or personal device. Identity and data movement are separate problems, and OTP retirement only fixes the first one.
What it leaves you holding is overhead you didn't ask for:
A new directory identity for every one-time collaborator
Review, documentation, and offboarding work for relationships that may last weeks
More surface area for DLP, sharing platform, and AI systems to reason about
A better path: keep OTP, lose the guest sprawl
This is the safe landing: OTP doesn't have to disappear from your environment just because Microsoft is retiring its own implementation of it. With eSHARE, OTP remains available as a per-share control, independent of Microsoft's retirement timeline, for collaborators who shouldn't be provisioned as directory guests at all - one-time partners, short-term reviewers, external auditors, suppliers you work with once.
Here's how it works:
- The collaborator authenticates with their own organization's credentials via OTP.
- They work on the document inside the eSHARE portal - no local copy.
- Access is revoked when the engagement ends.
- No guest account is created; no file leaves the tenant.
- A full record of who accessed what, and when, already exists.
Picture a supplier reviewing a technical spec for a single bid cycle, a payer partner reviewing a claims file, or a law firm giving opposing counsel access to a due-diligence data room for the length of a deal. In every case, access is external - the data isn't. That's the distinction Entra B2B was never built to make.
Why this matters beyond OTP
We've written before about teaching technology to see - giving systems the context to act on documents without a human supervising every decision. OTP retirement is the same problem from a different angle: decide, per share, which collaborators need a directory identity and which just need access to a file for a while, rather than letting guest accounts accumulate by default and sorting out the lifecycle review later.
That decision is easier to make when it isn't made under a deadline, and August 31 is closer than most remediation plans assume. eSHARE has decades of Microsoft experience on staff ready to help ensure a safe landing if OTP deprecation impacts you. Contact us if we can help.
