External users who access SharePoint content today via a one-time passcode sent to their email will lose that access in July 2026, even for files they have opened repeatedly for months or years. Microsoft is retiring SharePoint Online One-Time Passcode (SPO OTP) authentication and replacing it with Microsoft Entra B2B identity for all specific-people external sharing.
What Is SharePoint One-Time Passcode Authentication
When a SharePoint admin or document owner shares a file or folder with a specific external email address, SharePoint can authenticate that recipient in one of two ways: via the recipient's existing Microsoft account or work account, or by sending a numeric one-time passcode to their email and accepting that code as proof of identity. The second method, SPO OTP, has been the fallback for external users who do not have a Microsoft account.
OTP asks nothing of the recipient beyond access to their inbox. No account creation, no password, no MFA. Microsoft is retiring it because OTP-authenticated users exist entirely outside Microsoft Entra ID. They have no guest account, fall outside the scope of Conditional Access policies, and are invisible to guest lifecycle management. Maintaining a parallel authentication path that bypasses Entra ID controls is incompatible with the direction of Microsoft 365 security governance.
The Retirement Timeline (MC1243549)
- May 2026 (already underway): New external sharing invitations use Microsoft Entra B2B automatically. SharePoint no longer issues OTP for newly created sharing links in tenants where the rollout has reached them. Newly invited external users authenticate with a Microsoft account, a work account, or a new Entra guest account.
- July 2026: Retirement extends to existing OTP-authenticated links. External users trying to access previously shared content receive access denied. Files are not deleted; only the OTP authentication path is removed.
- August 31, 2026: Full retirement completes across all commercial Microsoft 365 environments, including GCC, GCC High, and DoD.
Which Organisations Are Most at Risk
Tenants that have already required a Microsoft account for all external sharing will see minimal disruption. Organisations most likely to have affected users are those where:
- External users routinely access shared content via OTP links, particularly contractors, clients, and partners who do not have Microsoft 365 licences.
- Sharing links have been active for months or years with no governance review.
- The tenant has never enforced Microsoft account requirements for external sharing at the tenant or site level.
If your organisation shares documents regularly with external parties using default SharePoint sharing settings, some of those links rely on OTP authentication. The retirement affects both SharePoint Online and OneDrive for Business sharing links of this type.
Steps Admins Should Take Before July 2026
- Identify active OTP-authenticated sharing links. The Microsoft Purview compliance portal surfaces sharing activity events. ShareMaster's Shared Links and Permissions feature gives administrators a browsable view of active sharing links across a site or library, making it straightforward to identify specific-people links tied to external recipients who likely have no Entra guest account.
- Notify affected external users before July. Give recipients advance notice that their current access method is changing. Explain that they will need a Microsoft account to continue accessing shared content. A free Microsoft account (outlook.com) is sufficient. Proactive communication prevents disruption arriving as unexplained access failures.
- Re-issue or restructure sharing for critical external relationships. For regularly accessed content shared with known partners, adding them as Entra B2B guests directly provides more stable, governable access than per-link OTP sharing. Guest accounts bring them under your Conditional Access policies and make future access management consistent.
- Review Conditional Access policies for guests. Once external users authenticate via Entra B2B, any guest-scoped Conditional Access policies apply to them. Confirm those policies are appropriately scoped so legitimate external access is not inadvertently blocked by existing MFA or device compliance requirements targeting guest accounts.
- Clean up stale sharing links while reviewing. This transition is a useful prompt to audit all active external sharing, not just OTP links. Removing links to content that no longer needs external access reduces your sharing footprint. See the guide to auditing SharePoint shared links for a step-by-step approach.
For a reference on what each SharePoint external sharing setting permits, see the SharePoint external sharing settings reference.
Frequently Asked Questions
Will existing SharePoint OTP links stop working in July 2026?
Yes. External users who previously authenticated via SPO OTP will receive an access-denied error on those links starting in July 2026. Files are not deleted. To restore access, the content must be re-shared so the external user can authenticate via a Microsoft account or an Entra B2B guest account.
Are anonymous SharePoint sharing links affected by this retirement?
No. Anonymous links (anyone with the link) are not affected. This change applies specifically to specific-people sharing links that used OTP as the authentication method. If your tenant policy permits anonymous links, those continue to work after August 2026.
Does the OTP retirement affect SharePoint site permissions?
No. External users who already have an Entra B2B guest account or a work or school account and were added to a SharePoint site directly are not affected. Only users who relied on email one-time passcodes to open sharing links will experience disruption.