With Windows 365 and Azure Virtual Desktop, organizations have been able to offer Windows delivered from the cloud to users to be productive, connect to IT resources, and to securely sign in across devices. Previously, you could only do so for member users, with accounts and credentials that are fully managed in your organization.
With our latest updates, you can provide access to users who are outside your organization by simply inviting them into your organization, without having to create and assign brand new, temporary accounts. We’re excited to announce:
- Connecting to Windows 365 and Azure Virtual Desktop with an external identity is now generally available
- Using FSLogix as a user profile management solution for external identities with Azure Virtual Desktop is now in public preview
What external identity support means
With support for external identities in Windows 365 and Azure Virtual Desktop, you can standardize your approach to virtualization for users that are either internal or external to your organization. External identities may include roles like contractors or third-party vendors. You can also leverage other Microsoft Entra investments for external identities:
- Enforce conditional access (CA) controls specific to external identities
- Enforce multi-factor authentication (MFA) registration for the external identity in your tenant
- Enforce Global Secure Access (GSA) configuration on the Windows machine the external identity will be using to access your resources.
Note: Because external identities are cloud-only users and do not have a representation in Windows Server Active Directory, Kerberos authentication can’t be used.
In the screenshot above, you can see that Cameron Baker is originally from the Fabrikam (fabrikam.com) organization, but is seeing resources that the Contoso (windows365-demo.microsoft.com) organization has assigned to them as an external identity.
Assign a resource to external identities (generally available)
The admin flow for provisioning a Windows 365 Cloud PC or assigning Azure Virtual Desktop resources to an external identity is nearly identical to doing so for a member user in your tenant. The steps for assigning an external identity include:
- Assigning the user the appropriate licenses.
- Assigning the user to an Entra user group.
- Assigning the Entra user group to the Cloud PC provisioning policy or Azure Virtual Desktop application group.
  a. Note: For Azure Virtual Desktop, make sure you also assign the Virtual Machine User Login Azure role-based access control (RBAC) role to the external identity on any Azure Virtual Machine (VM) they may sign in to.
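The Azure Virtual Desktop variant of these steps as a re-runnable script (an added example, not Microsoft's own code). It assumes the Microsoft Graph and Az PowerShell modules with `Connect-MgGraph` and `Connect-AzAccount` already run, grants both roles to the group rather than to the individual user, and uses the built-in Desktop Virtualization User role for the application group assignment; all parameter values are placeholders you supply.

```powershell
# Added example: parameter values are supplied by the admin (placeholders, not from the post).
param(
    [Parameter(Mandatory)] [string] $GuestMail,           # mail address of the invited user
    [Parameter(Mandatory)] [string] $GroupId,             # object ID of the Entra user group
    [Parameter(Mandatory)] [string] $AppGroupResourceId,  # AVD application group resource ID
    [Parameter(Mandatory)] [string] $SessionHostScope     # resource ID of the VM or its resource group
)

# Resolve the account and refuse to continue unless it is exactly one guest user.
$user = @(Get-MgUser -Filter "mail eq '$GuestMail'" -Property Id, UserType, AssignedLicenses)
if ($user.Count -ne 1) { throw "Expected one user with mail $GuestMail, found $($user.Count)." }
$user = $user[0]
if ($user.UserType -ne 'Guest') { throw "$GuestMail is not a guest account; stopping." }

# Step 1: licensing is tenant-specific, so only verify that something is assigned.
if (-not $user.AssignedLicenses) { throw "$GuestMail has no licenses assigned yet." }

# Step 2: add the guest to the Entra group if not already a member.
$isMember = (Get-MgGroupMember -GroupId $GroupId -All).Id -contains $user.Id
if (-not $isMember) {
    New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $user.Id
}

# Step 3 and the note: grant the group access to the application group and
# sign-in rights on the session hosts, each at the narrowest scope given.
$grants = @(
    @{ Role = 'Desktop Virtualization User'; Scope = $AppGroupResourceId },
    @{ Role = 'Virtual Machine User Login';  Scope = $SessionHostScope }
)
foreach ($g in $grants) {
    $existing = Get-AzRoleAssignment -ObjectId $GroupId `
        -RoleDefinitionName $g.Role -Scope $g.Scope
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $GroupId `
            -RoleDefinitionName $g.Role -Scope $g.Scope | Out-Null
    }
}
```

Passing a single VM or a dedicated resource group as `SessionHostScope` keeps the guest group's sign-in right limited to the hosts it is meant to reach.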
After completing these steps, the user can access their assigned resources, just like other assigned users in your organization. For your Windows 365 or Azure Virtual Desktop environment, make sure to consider the following:
- You must configure Microsoft Entra single sign-on for the user’s connection.
- The Cloud PC or Azure Virtual Desktop session host must be Entra joined.
- The Cloud PC or Azure Virtual Desktop session host must be running Windows 11, version 24H2 or later with the 2025-09 Cumulative Updates for Windows 11 (KB5065789) or later installed.
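A readiness check for the join state and OS requirements above, run locally on the Cloud PC or session host (an added example, not Microsoft's own code). The function name is hypothetical; it treats a hybrid-joined machine as not meeting the Entra joined requirement and uses build 26100 as the Windows 11, version 24H2 baseline.

```powershell
# Added example; Test-ExternalIdentityHostReadiness is a hypothetical helper name.
function Test-ExternalIdentityHostReadiness {
    # dsregcmd reports both join states; Entra joined means AzureAdJoined
    # is YES and DomainJoined is NO (both YES would be a hybrid join).
    $dsreg        = dsregcmd /status | Out-String
    $entraJoined  = $dsreg -match 'AzureAdJoined\s*:\s*YES'
    $domainJoined = $dsreg -match 'DomainJoined\s*:\s*YES'

    # Windows 11, version 24H2 is build 26100; later releases have higher builds.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber

    # KB5065789 is the minimum cumulative update named in the post. A later
    # cumulative update may be installed in its place, so when the KB itself
    # is not listed the result is 'Unknown' and the build revision is
    # reported for manual comparison.
    $kb = Get-HotFix -Id 'KB5065789' -ErrorAction SilentlyContinue
    $updateState = if ($kb) { 'Present' } else { 'Unknown' }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        EntraJoinedOnly = ($entraJoined -and -not $domainJoined)
        OsBuild         = "$build.$($cv.UBR)"
        Is24H2OrLater   = ($build -ge 26100)
        KB5065789       = $updateState
    }
}

Test-ExternalIdentityHostReadiness | Format-List
```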
Configure FSLogix on Azure Files for external identities (public preview)
To provide a streamlined experience in an Azure Virtual Desktop pooled environment for external identities, you can create a file share in Azure Files to store the FSLogix profiles for these identities. This capability is now in public preview.
To create an SMB file share for FSLogix profiles for external identities:
- Create a new storage account and file share configured to use Microsoft Entra Kerberos authentication.
- (New) When assigning permissions for the file share, use the new Manage access page to assign ACLs to the Entra ID group containing your external identities.
  In the screenshot above, you can see the Manage access page, where each row is an individual permission added to the SMB file share. In this example, WCX-External-Identities is the Entra group containing the external identities, and they have been assigned permissions in the file share which will be used to create and access each external identity user’s FSLogix profile container.
- Configure FSLogix in your session hosts to use this Azure File share.
Once configured, the external identities can sign in to the Azure Virtual Desktop environment and have an FSLogix user profile just like other users in your organization. This provides a seamless experience when landing across different session hosts in the same host pool.
For full step-by-step instructions, see how to Store FSLogix profile containers on Azure Files using Microsoft Entra ID.
A more secure Bring Your Own Device (BYOD) strategy
These capabilities can help organizations looking for a more secure BYOD experience, or when provisioning identities to a contractor, external partner, and more.
To see the latest guidance from Microsoft on how to use Windows 365 to secure your BYOD strategy, visit https://aka.ms/W365BYODeBook.
Additional resources
We continue to roll out more features to help organizations secure their Cloud PCs and VMs:
- See our other latest security announcements here.
- To see our Ignite announcements for Windows 365 and Azure Virtual Desktop, visit the Windows Experience blog here.
- To learn more about new Windows Cloud input protection capabilities for Windows 365 and Azure Virtual Desktop, visit here.