Microsoft has opened a public preview that, for the first time, lets organizations invite external partners, contractors, and guests to access Azure Virtual Desktop and Windows 365 Cloud PCs using their own identities. The update, which rolled out this month, means IT teams can skip creating full internal accounts for outsiders—but the preview also imposes hard limits on profile storage, policy enforcement, and on-premises resource access that will dictate where you can safely use it.
What the Preview Delivers (and What It Doesn’t)
At its core, the new capability allows you to invite an identity from outside your Entra ID tenant—whether from another Entra tenant, a social provider that federates via OpenID Connect, or other external sources—and then assign that guest user to an Azure Virtual Desktop app group or a Windows 365 Cloud PC. The invited user authenticates with their own credentials, no separate corporate account needed. Microsoft’s documentation confirms that this works for both pooled and personal desktop scenarios, as long as the underlying infrastructure meets a strict set of prerequisites.
The Technical Must-Haves
Before you send out invites, every session host or Cloud PC that will serve external users must check these boxes:
- Operating system: Windows 11 Enterprise, version 24H2, with the September 2025 cumulative update (KB5065789) or later. This is non-negotiable; older builds will not support the external identity flow.
- Join state: The machine must be Microsoft Entra joined. Hybrid-joined or AD-joined hosts are out of scope for this preview.
- Single sign-on: SSO must be configured and enabled on the host pool or Cloud PC. Without it, Entra tokens won’t be passed seamlessly, and users will hit roadblocks.
- Client: External users must connect through the Windows App (on Windows) or a web browser. Legacy Remote Desktop clients are not supported.
Microsoft also reminds administrators to review licensing guidance for external identities. While it doesn’t go into detail in the preview docs, Cloud PC licenses and Entra External ID guest licensing may both factor into cost, so verify before scaling beyond a handful of test users.
The Hard Limitations
Now the part that will separate the pilot from production: the preview draws sharp lines around what external identities cannot do.
- No FSLogix profile containers. External users get local profiles only. On pooled AVD session hosts, that means every sign-in from a new host spawns a fresh profile; there’s no roaming of user state. If you rely on FSLogix for a persistent experience, external users on pooled hosts will feel the difference immediately. Windows 365 Cloud PCs—which have persistent disks—are a workaround for persistence, but pooled AVD scenarios require acceptance of stateless sessions.
- Intune user-based policies don’t apply. Device configuration policies assigned to the external user won’t land on the session. You must shift to device-targeted policies. In short, you can’t enforce BitLocker, configuration baselines, or other security settings through user-scoped assignments; your governance becomes device-centric for those sessions.
- No Kerberos or NTLM to on-premises resources. External users cannot Authenticate to on-prem file shares, legacy apps, or anything that requires a Windows integrated auth token. If your AVD or Cloud PC workloads depend on Kerberos for back-end access, you’ll need alternative paths—modern auth gateways, reverse proxies, or hybrid identity workarounds.
- Cloud availability is limited. The preview runs only in the Azure commercial public cloud. Invitations from Azure Government or Azure operated by 21Vianet are not supported, and cross-cloud invites are blocked.
- Token protection nuances. Conditional Access policies that require token protection may behave differently for external identities. Microsoft’s docs note that platform support varies, so test your CA rules with guest accounts before enforcing them.
How the Change Affects Different Roles in Your Company
The preview’s value proposition changes depending on who you are inside the organization.
For IT Administrators
You get a quicker path to onboard partners. Instead of creating and managing full internal accounts, you invite an external identity and assign a desktop resource. Provisioning time shrinks, and you avoid the sprawl of “shadow IT” accounts. But you’ll spend more effort upfront reworking policies: Intune assignments need a device-first lens, profile persistence must be addressed (likely by steering external users toward Cloud PCs), and any on-premises dependencies must be mapped and mitigated.
For Security Teams
The attack surface shifts. Guest accounts are now logging into your virtual desktops, so you’ll want to tighten Conditional Access: require MFA, compliant devices, or approved apps. Because Intune user policies don’t apply, device-level compliance checks become your primary enforcement lever. Set up just-in-time access, automated reviews, and short token lifetimes for external identities. Audit logs for guest sign-ins must feed into your SIEM, and you’ll need to treat stale guest accounts as a high-priority cleanup item.
For Business Decision-Makers
External identity support can shorten project kickoffs and reduce the friction of temporary staffing. A contractor can start on day one using her own Google or Microsoft account, without waiting for an IT ticket. However, the limitations may push you toward different licensing choices. If the contractor needs a persistent desktop with full access to on-prem file shares, the preview’s restrictions might force a more traditional hybrid account or a workaround. Factor that into project budgets—Windows 365 Cloud PCs are costlier per user but deliver persistence; AVD pooled hosts are cheaper but stateless without FSLogix.
Why Now: The Push to Let Outsiders In
External identity support for desktops didn’t materialize overnight. Microsoft has been steadily expanding the Entra External ID platform, adding OpenID Connect federation and building bridges between tenant boundaries. Meanwhile, the pandemic-era shift to hybrid work normalized the idea that a user’s productivity shouldn’t depend on where their account was born. Before this preview, though, Azure Virtual Desktop and Windows 365 were walled gardens: you either had a full internal account or you didn’t get in. Organizations bridged the gap with clunky workarounds—creating fake user objects, syncing accounts from partner AD forests, or maintaining parallel tenants. Those workarounds increased management overhead and risk.
The public preview closes that gap, at least partially. It aligns desktop services with the same external identity model already present in Teams, SharePoint, and other Microsoft 365 apps. For IT, the message is clear: Microsoft intends to make cloud desktops a first-class citizen for collaboration, not a silo.
How to Get Started: A Pilot Checklist
If you’re ready to test the waters, here’s a concrete sequence to follow:
- Verify OS and patch levels. All target session hosts or Cloud PCs must run Windows 11 Enterprise 24H2 with KB5065789 or later. Re-image or update existing hosts as needed.
- Ensure Entra join. Check that hosts are cloud-joined, not hybrid. If you’ve been postponing cloud-only join for VDI, now’s the time.
- Configure single sign-on. Follow Microsoft’s SSO setup guide for AVD host pools or Windows 365 Cloud PCs. Test the flow with an internal account first.
- Decide on a desktop model for external users.
- If persistence isn’t critical and you want lower cost, pooled AVD hosts work—but accept that FSLogix won’t roam profiles.
- If the external user needs a reliable, persistent environment without profile headaches, provision a Windows 365 Cloud PC. - Rework Intune policies. Shift from user-targeted device configuration to device-targeted assignments. Create a compliance baseline for the session hosts/Cloud PCs that will serve guests.
- Craft Conditional Access policies specific to external identities. Enforce MFA, require approved clients, and consider device compliance where possible. Test token protection settings.
- Invite a small pilot group. Start with a friendly partner or contractor, walk through the connection using Windows App or browser, and validate app access, printing, and file shares.
- Monitor authentication logs and user experience. Check for SSO failures, unexpected prompts, or access denials to on-prem resources. Adjust policies and educate your pilot users on the preview’s boundaries.
- Plan for the transition out of preview. Keep an eye on Microsoft’s roadmap. If the preview constraints—especially the lack of FSLogix—are deal-breakers for wide rollout, hold off and track announcements.
Looking Ahead
Microsoft hasn’t published a GA date, but the company’s pattern with Entra features suggests a gradual expansion. The most requested fixes—FSLogix support, broader cloud region availability, and a path for Kerberos access—are logical next steps. In the near term, treat the preview as a building block for partner collaboration scenarios that don’t need persistent profiles or on-prem authentication. For everything else, keep your hybrid account workarounds warm and watch the update channels. The door is open, but you’ll want to know exactly which rooms you can walk into before you invite the whole team.