Azure Virtual Desktop using external identities part 1
External Identities in preview for Azure Virtual Desktop.
Finally! A long-awaited wish has come true: External Identities can now be used in your organization to log in to Azure Virtual Desktop.
It seemed so simple: invite a guest user or set up a cross-tenant link with another organization, and they would be able to log in to my Azure Virtual Desktop. In practice, however, this was not possible until last week. Why is this option so desirable? Simple: sometimes it is useful to let suppliers, B2B partners or customers log in to your environment without first having to create accounts for them in your own Entra ID.
Current limitations when using External Identities.
But are there limitations? Yes! Regardless of these limitations, though, it is a step in the right direction. The limitations are:
- FSLogix: Not supported; external users get a new profile each time they connect. There are ways to work around this, which I will cover in part 2.
- Intune policies: User-based policies don’t apply; only device-based ones do.
- Availability: only available in the Azure Public cloud.
- Cross-cloud invites: Only supports users from the commercial Azure cloud or registered identity providers.
- Token protection: Limited support for external identities.
- Kerberos/NTLM: On-premises authentication using these protocols isn’t supported.
- Entra joined: Can only be used with Entra joined session hosts.
Apart from these limits, which are described in the Microsoft documentation, there are a few more in practice that are not documented; the functionality is in preview for a reason.
- The cloud app cannot be used. Once you have been added as a guest user and want to log in, you need to log in via a rewritten URL in the browser. In part 2 I will show some examples of how to configure this.
What are the requirements?
Below is a summary taken from Microsoft documentation.
- Session host operating system: The session host must be running Windows 11 Enterprise version 24H2.
- Cumulative update: The cumulative update for Windows 11 (KB5065789) or later must be installed.
- Session host join type: The session host must be Entra joined.
- Single sign-on: Single sign-on must be configured for the host pool.
- Windows App client: The external identity must connect from the Windows App on Windows or a web browser.
However, I can say with certainty that the Windows App does not work at the moment when you test it. This is probably because the Windows App cannot handle the other organisation and therefore cannot apply the URL rewrite.
As I’m writing this article, Microsoft is publishing a fix for this bug; you need to change a registry key to use the Windows App.
Also, because these are Entra joined session hosts, you will need to apply a different configuration to them than for domain-joined hosts, such as the user rights and role assignments for ‘Virtual Machine login’ and ‘Desktop Virtualisation User’.
As I was saying earlier, I will show you in part 2 how to do this.
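As an added example (not code from the original article, and not Microsoft's own guidance), the following PowerShell script grants an Entra ID B2B guest the two role assignments mentioned above. The built-in Azure roles are named ‘Virtual Machine User Login’ (needed to sign in to an Entra joined session host) and ‘Desktop Virtualization User’ (needed to see the published desktop). The resource group names, application group name and guest UPN are placeholders I chose for the example; the script assumes the Az.Accounts, Az.Resources and Az.DesktopVirtualization modules and an existing Connect-AzAccount session with rights to create role assignments.

```powershell
# Added example, not from the original article: grant an Entra ID B2B guest the
# two Azure RBAC roles an Entra-joined AVD session host requires.
#   'Virtual Machine User Login'  -> scoped to the session-host resource group
#   'Desktop Virtualization User' -> scoped to the application group
# Placeholder names (assumptions, not values from the article): rg-avd-hosts,
# rg-avd-hostpool, ag-avd-desktop and the guest UPN passed as a parameter.

param(
    # Guest UPNs look like user_partner.com#EXT#@contoso.onmicrosoft.com
    [Parameter(Mandatory)] [string] $GuestUpn,
    [string] $SessionHostResourceGroup = 'rg-avd-hosts',
    [string] $AppGroupResourceGroup    = 'rg-avd-hostpool',
    [string] $AppGroupName             = 'ag-avd-desktop'
)

$ErrorActionPreference = 'Stop'

# 1. Resolve the guest account; fail early if the invitation was never redeemed.
#    A -Filter is used because guest UPNs contain '#EXT#'.
$guest = Get-AzADUser -Filter "userPrincipalName eq '$GuestUpn'"
if (-not $guest) {
    throw "Guest '$GuestUpn' not found in this tenant. Invite the user (and have them redeem it) first."
}
if ($guest.UserType -ne 'Guest') {
    Write-Warning "'$GuestUpn' is a member account, not a guest; continuing anyway."
}

# 2. Build the two scopes. Keep the VM login role at the session-host resource
#    group (or a single VM), never at subscription level: the guest should only
#    be able to sign in to AVD hosts, not to every VM in the subscription.
$vmScope = (Get-AzResourceGroup -Name $SessionHostResourceGroup).ResourceId
$agScope = (Get-AzWvdApplicationGroup -ResourceGroupName $AppGroupResourceGroup `
                                      -Name $AppGroupName).Id

# 3. Idempotent role assignment: re-running the script must not create duplicates.
function Grant-RoleOnce {
    param([string] $ObjectId, [string] $RoleName, [string] $Scope)
    $existing = Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName -Scope $Scope |
                Where-Object { $_.Scope -eq $Scope }
    if ($existing) {
        Write-Host "Already assigned: '$RoleName' at $Scope"
        return
    }
    New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName -Scope $Scope | Out-Null
    Write-Host "Assigned: '$RoleName' at $Scope"
}

Grant-RoleOnce -ObjectId $guest.Id -RoleName 'Virtual Machine User Login' -Scope $vmScope
Grant-RoleOnce -ObjectId $guest.Id -RoleName 'Desktop Virtualization User' -Scope $agScope

# 4. List what the guest now holds, so the result can be reviewed and audited.
Get-AzRoleAssignment -ObjectId $guest.Id |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

Save it under any name you like (for instance a hypothetical `Grant-AvdGuestAccess.ps1`) and run it as `.\Grant-AvdGuestAccess.ps1 -GuestUpn 'user_partner.com#EXT#@contoso.onmicrosoft.com'`. The scoping choice is the security-relevant part: ‘Virtual Machine User Login’ at subscription scope would let the guest sign in to every Entra joined VM you own, so it is kept at the resource group that holds only the session hosts, and the final listing makes it easy to spot any assignment that is broader than intended.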
What about licensing?
If you're deploying Azure Virtual Desktop for use with external identities, there may be special considerations for how you license Azure Virtual Desktop and other products and services from Microsoft.
Anyone who connects to Azure Virtual Desktop (or any other Microsoft Online Service) needs to have a valid license, unless the service’s terms specifically say otherwise. This also applies to external collaborators, like contractors or partners.
If an external user already has a license in their own organization, that license usually doesn’t cover access to resources in your tenant. Because of that, it’s best to assign them the same type of license you use for your internal users, directly to their guest account in your Entra ID tenant. This ensures they can access AVD and other services without running into permission or compliance issues.
| Product | Recommendation for licensing B2B collaborators |
|---|---|
| Azure Virtual Desktop | Purchase and assign any license for internal business purposes from the Eligible licenses to use Azure Virtual Desktop table. Example: A Microsoft 365 E3 license you've assigned to an external collaborator grants Azure Virtual Desktop access rights within your tenant. |
More information can be found in the Microsoft Docs.
Conclusion.
In part 1, we described the advantages and disadvantages of this new preview feature. We also explained which licences are needed for it. In part 2, we will move on to the technical details and how you can set this up to build a usable test environment.