5.2.3.7 (L2) Ensure the email OTP authentication method is disabled

Information

Authentication methods support a wide variety of scenarios for signing in to Microsoft 365 resources. Some of these methods are inherently more secure than others but require more investment in time to get users enrolled and operational.

The email one-time passcode feature is a way to authenticate B2B collaboration users when they can't be authenticated through other means, such as Microsoft Entra ID, Microsoft account (MSA), or social identity providers. When a B2B guest user tries to redeem your invitation or sign in to your shared resources, they can request a temporary passcode, which is sent to their email address. Then they enter this passcode to continue signing in.

The recommended state is to Disable email OTP.

Traditional MFA methods such as SMS codes, email-based OTPs, and push notifications are becoming less effective against today's attackers. Sophisticated phishing campaigns have demonstrated that second factors can be intercepted or spoofed. Attackers now exploit social engineering, man-in-the-middle tactics, and user fatigue (e.g., MFA bombing) to bypass these mechanisms. These risks are amplified in distributed, cloud-first organizations with hybrid workforces and varied device ecosystems.

Solution

To remediate using the UI:

- Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
- Click to expand Entra ID > Authentication methods.
- Select Policies.
- Click on Email OTP.
- Change the Enable toggle to the off position.
- Click Save.

Note: If the save button remains greyed out after toggling a method off, then first turn it back on and then change the position of the Target selection (all users or select groups). Turn the method off again and save. This was observed to be a bug in the UI at the time this document was published.

To remediate using PowerShell:

- Connect to Graph using Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"
- Run the following:

$params = @(
    @{ Id = "Email"; State = "disabled" }   # "Email" is the fixed id of the email OTP method configuration
)

Update-MgPolicyAuthenticationMethodPolicy -AuthenticationMethodConfigurations $params
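The benchmark only gives the remediation step; the following added script (not part of the CIS benchmark or Microsoft's own tooling) first audits the current state of the Email OTP method so the control can be checked before and after the change, and only remediates when run with -Remediate. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the Get-/Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration cmdlets accept the "Email" configuration id and a -State parameter as shown.

```powershell
# Added example: audit (and optionally remediate) CIS 5.2.3.7, Email OTP disabled.
# Assumes Microsoft.Graph.Identity.SignIns is installed; Policy.ReadWrite.AuthenticationMethod
# is only needed when -Remediate is used, Policy.Read.All is enough for the audit.
param(
    [switch]$Remediate
)

$scope = if ($Remediate) { "Policy.ReadWrite.AuthenticationMethod" } else { "Policy.Read.All" }
Connect-MgGraph -Scopes $scope

# "Email" is the fixed id of the email OTP entry in the authentication methods policy.
$email = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Email"

if ($email.State -eq "disabled") {
    Write-Output "PASS: Email OTP authentication method is disabled."
    exit 0
}

Write-Output "FAIL: Email OTP authentication method state is '$($email.State)'."

if (-not $Remediate) {
    # Non-zero exit so a scheduled compliance job flags the tenant.
    exit 1
}

Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Email" -State "disabled"

# Re-read the policy instead of trusting the update call, so the report reflects
# the state Entra actually stored.
$after = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Email"

if ($after.State -eq "disabled") {
    Write-Output "REMEDIATED: Email OTP authentication method is now disabled."
    exit 0
}

Write-Output "ERROR: Email OTP state is still '$($after.State)' after remediation."
exit 1
```

Run it without parameters from a read-only account to audit, and with -Remediate only from an account that holds the write scope.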

Impact:

Disabling Email OTP will prevent one-time passcodes from being sent to unverified guest users (for example, users with an "@yahoo.com" address) who access Microsoft 365 resources on the tenant. Such users will instead be required to use a personal Microsoft account, a managed Microsoft Entra account, be part of a federation, or be configured as a guest in the host tenant's Microsoft Entra ID.

See Also

https://workbench.cisecurity.org/benchmarks/24619

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), 800-53|IA-2(2)

Plugin: microsoft_azure

Control ID: 448e4801a4ba1c9ca557bfaefbac6afd6e4d1f0c8bc9ceda1736e08db2f1bea0