Information
Azure AD B2B provides authentication and management of guests. Authentication happens via one-time passcode when they don't already have a work or school account or a Microsoft account. Integration with SharePoint and OneDrive allows for more granular control of how guest user accounts are managed in the organization's AAD, unifying a similar guest experience already deployed in other Microsoft 365 services such as Teams.
Rationale:
External users assigned guest accounts will be subject to Azure AD access policies, such as multi-factor authentication. This provides a way to manage guest identities and control access to SharePoint and OneDrive resources. Without this integration, files can be shared without account registration, making it more challenging to audit and manage who has access to the organization's data.
Impact:
Azure B2B collaboration is used with other Azure services so should not be new or unusual. Microsoft also has made the experience seamless when turning on integration on SharePoint sites that already have active files shared with guest users. The referenced Microsoft article on the subject has more details on this.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To enable Azure AD B2B integration using PowerShell:
Connect to SharePoint Online using Connect-SPOService -Url https://tenant-admin.sharepoint.com, replacing 'tenant' with the appropriate value.
Run the following command:
Set-SPOTenant -EnableAzureADB2BIntegration $true
Run the audit steps to ensure the value is now True.