Microsoft enables secure external user access to Azure Virtual Desktop and Windows 365.
Key Takeaways:
Microsoft has rolled out an update that adds external identity support, in public preview, to Azure Virtual Desktop and Windows 365. The feature lets organizations invite external users into their Microsoft Entra ID tenant as guests and grant them access to virtual desktop resources.
An external identity is a user account that originates outside an organization's primary directory, for example in another Microsoft Entra tenant or at a social identity provider such as Google or Facebook. Such users are invited into the tenant as guest (B2B collaboration) users and keep authenticating with their home identity provider, rather than being fully integrated into the organization's internal identity system.
This lets organizations collaborate with partners, contractors, or guests while retaining control over what those users can access. External identities are managed through Microsoft Entra ID and can authenticate with modern, passwordless methods, although they do not get every enterprise feature (see the limitations below).
For Azure Virtual Desktop (AVD) and Windows 365, the practical benefit is that access can be extended to partners, contractors, or guest users with the credentials they already hold, so the inviting organization does not have to create separate accounts for them or set up a federation with each partner.
Because passwordless sign-in is supported for these users, the change improves both security and the user experience, and it simplifies IT management: there are fewer accounts to provision and deprovision, and remote access scales more easily as the set of external collaborators changes.
To use external identities, session hosts must be Microsoft Entra joined, run Windows 11 Enterprise version 24H2 or later, and have Microsoft Entra single sign-on (SSO) configured for the host pool. External users must connect through the Windows App or a web browser.
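The steps above, as an added example in PowerShell (this is not code from the article or from Microsoft's documentation): it turns on Microsoft Entra SSO on an existing host pool, invites one external user as a guest, and grants that guest the Desktop Virtualization User role on a single application group. The resource group, host pool, application group and invitee address are hypothetical, and the redirect URL is assumed to be the Windows App web client; the remaining SSO prerequisites (the service-principal configuration for the Remote Desktop apps) are in Microsoft's SSO documentation and are not shown here.

```powershell
# Added example, not from the article or Microsoft's docs. Requires the
# Az.DesktopVirtualization and Microsoft.Graph.Identity.SignIns modules and an
# account allowed to invite guests and assign Azure roles.
Connect-AzAccount
Connect-MgGraph -Scopes "User.Invite.All", "User.Read.All"

# Hypothetical names used throughout this example.
$rg       = "rg-avd"
$hostPool = "hp-partners"
$appGroup = "hp-partners-DAG"
$invitee  = "partner@fabrikam.example"

# 1. Enable Microsoft Entra SSO on the host pool. The RDP property
#    enablerdsaadauth:i:1 tells clients to authenticate with Entra ID.
#    Existing custom RDP properties are preserved.
$current = (Get-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool).CustomRdpProperty
if ($current -notmatch "enablerdsaadauth:i:1") {
    $base = if ($current) { $current.TrimEnd(';') + ';' } else { '' }
    Update-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool `
        -CustomRdpProperty ($base + "enablerdsaadauth:i:1;")
}

# 2. Invite the external user. This creates a guest object in the inviting
#    tenant; the user keeps authenticating with their home tenant or IdP.
#    The redirect URL is assumed to be the Windows App web client.
$invitation = New-MgInvitation -InvitedUserEmailAddress $invitee `
    -InviteRedirectUrl "https://windows.cloud.microsoft/" `
    -SendInvitationMessage
$guestId = $invitation.InvitedUser.Id

# 3. Least privilege: assign Desktop Virtualization User on the application
#    group only, not on the resource group or subscription.
$agId = (Get-AzWvdApplicationGroup -ResourceGroupName $rg -Name $appGroup).Id
New-AzRoleAssignment -ObjectId $guestId `
    -RoleDefinitionName "Desktop Virtualization User" -Scope $agId

# 4. Verify: the account should be a Guest and hold no role beyond the
#    application-group scope granted above.
Get-MgUser -UserId $guestId -Property UserPrincipalName, UserType |
    Select-Object UserPrincipalName, UserType
Get-AzRoleAssignment -ObjectId $guestId |
    Select-Object RoleDefinitionName, Scope
```

The role assignment is scoped to the application group on purpose: a guest who needs one desktop should not be able to enumerate or launch resources from other host pools in the same resource group. The final two commands are the check worth keeping in a runbook, since the guest's UPN will carry the #EXT# suffix and the Scope column should list only the application group.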
Microsoft has also documented several limitations when resources are provided to external identities: FSLogix profiles aren't supported, Intune policies don't apply to external users, cross-cloud invitations (for example from Azure Government or 21Vianet) are not allowed, and external identities can't use Kerberos or NTLM for on-premises authentication. In practice, an external user's session therefore gets no Intune-managed configuration and cannot reach resources that require Windows integrated authentication against on-premises Active Directory, so access governance for these users rests on the host-pool configuration and the inviting tenant's Conditional Access policies rather than on device management.