AVD + Entra ID Guest Users: The Ultimate Microsoft Azure B2B Access Guide!

Managing external access in Microsoft Azure has always been a challenge—especially for organizations using Azure Virtual Desktop (AVD). Until recently, giving users outside your Azure tenant access meant creating new accounts and managing additional credentials. That’s no longer the case. With Entra ID Guest Users and B2B collaboration, you can now invite external identities to your AVD environment securely and efficiently.

Why This Matters

Microsoft announced that support for external IDs is now generally available in AVD and Windows 365. This feature allows guest users to log in using their existing credentials from their home organization or even social identity providers like Google or Facebook. It’s a game-changer for businesses that need to collaborate across tenants without compromising security.

Understanding Identity Types in AVD

Before diving into the setup, it’s important to understand the identity types supported by AVD. Active Directory Integrated identities are hybrid identities synced from on-prem Windows AD or Entra DS. Cloud-native identities exist only in Entra ID and work with Entra ID-joined hosts.

External users and external identities have different roles in AVD. External users are people from outside your organization who sign in to access SaaS applications hosted on AVD. This requires creating a new account within your tenant for each user. These accounts are managed in much the same way as those for internal users but have different licensing requirements. External users require commercial licenses for accessing remote apps or both remote apps and remote desktops.

In contrast, external identities are guest users invited to your tenant who authenticate using their existing credentials from their home organization or even social identity providers like Google or Facebook. Known as B2B guest accounts, they allow authentication in the source tenant while granting authorization in your resource tenant. This approach eliminates duplicate accounts and simplifies collaboration. Additionally, you can enforce MFA and conditional access policies on these guest accounts.

Previously, external identities couldn’t use Kerberos or FSLogix, but recent updates now allow FSLogix support for cloud-only identities, including external identities, making profile management much easier.

Key Requirements and Considerations

To enable guest access in AVD, keep these points in mind:

  • Clients must run Windows 11 Enterprise 24H2 or later with the September 2025 cumulative updates.
  • Session hosts must be Entra Joined (hybrid join isn’t supported).
  • Single sign-on must be enabled in the host pool.
  • Guest users can only use the Windows App client or Windows App Web.

Additionally, licensing for external identities in AVD requires the same type of licenses as internal users. Each B2B user must be assigned a valid license, such as a Microsoft 365 Enterprise “E” license, Education “A” license, or VDA license within the resource tenant. If multi-factor authentication or Intune configuration is used, appropriate licenses for these features are also required. It is important to note that licenses do not carry over between tenants; even within a multi-tenant organization, users must hold the necessary licenses in the resource tenant to access AVD as guests, regardless of their license status in their home tenant.
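
The guest invitation and resource-tenant licensing described above can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post or video; the guest address, redirect URL, SKU part number and usage location are assumptions to replace with your own values. It also goes one step further than the text and lists guests who still have no license in the resource tenant.

```powershell
# Added example: invite a B2B guest, license them in the RESOURCE tenant,
# then audit for guests that would fail the AVD licensing requirement.
# Requires the Microsoft Graph PowerShell SDK (Microsoft.Graph modules).

# Assumed values, not taken from the original post.
$GuestEmail    = 'alex@partner.example'            # constructed sample address
$RedirectUrl   = 'https://windows.cloud.microsoft' # assumed landing page (Windows App Web)
$SkuPartNumber = 'SPE_E3'                          # assumed SKU held by the tenant (Microsoft 365 E3)
$UsageLocation = 'US'                              # assumed two-letter country code

# Sign in to the resource tenant (the tenant that hosts AVD).
Connect-MgGraph -Scopes 'User.Invite.All', 'User.ReadWrite.All', 'Organization.Read.All'

# 1. Send the B2B invitation. The guest authenticates in their home tenant.
$invite  = New-MgInvitation -InvitedUserEmailAddress $GuestEmail `
               -InviteRedirectUrl $RedirectUrl -SendInvitationMessage:$true
$guestId = $invite.InvitedUser.Id

# 2. A usage location must be set before a license can be assigned.
Update-MgUser -UserId $guestId -UsageLocation $UsageLocation

# 3. Find the SKU in this tenant and confirm a seat is free.
#    Licenses held in the guest's home tenant do not count here.
$sku = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq $SkuPartNumber
if (-not $sku) { throw "SKU $SkuPartNumber not found in this tenant." }
if ($sku.PrepaidUnits.Enabled -le $sku.ConsumedUnits) {
    throw "No free $SkuPartNumber seats in this tenant."
}

# 4. Assign the license to the guest object.
Set-MgUserLicense -UserId $guestId `
    -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

# 5. Audit: every guest in the resource tenant with no assigned license.
#    ExternalUserState shows whether the invitation was accepted.
Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id, UserPrincipalName, ExternalUserState, AssignedLicenses |
    Where-Object { $_.AssignedLicenses.Count -eq 0 } |
    Select-Object UserPrincipalName, ExternalUserState
```

An empty result from step 5 means every guest object holds at least one license; it does not confirm that the license is one of the types AVD accepts.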

Step-by-Step Process

In the video above, we walk through inviting a Guest User in Entra ID, accepting the invitation and completing MFA onboarding, logging into AVD as a guest user, and verifying FSLogix profile support for external identities.

Ready to simplify external access in your AVD environment? Watch the full video for a detailed walkthrough, including tips for licensing and configuration.

Links:

Zero to Hero with Azure Virtual Desktop
https://www.udemy.com/course/zero-to-hero-with-windows-virtual-desktop/?referralCode=B2FE49E6FCEE7A7EA8D4

A Beginner’s Guide to the AZ-900
https://www.udemy.com/course/beginners-guide-az-900/?referralCode=C74C266B74E837F86969

Hybrid Identity with Windows AD and Azure AD
https://www.udemy.com/course/hybrid-identity-and-azure-active-directory/?referralCode=7F62C4C6FD05C73ACCC3

Windows 365 Enterprise and Intune Management
https://www.udemy.com/course/windows-365-enterprise-and-intune-management/?referralCode=4A1ED105341D0AA20D2E

Cloud Native FSLogix:
AVD + FSLogix Without Domain Controllers: A Complete Cloud-Native Setup

AVD and SSO:
Discover the Power of AVD SSO: What You Must Know!

Windows 365 and Azure Virtual Desktop support external identities, now generally available
https://techcommunity.microsoft.com/blog/windows-itpro-blog/windows-365-and-azure-virtual-desktop-support-external-identities-now-generally-/4468103

External identity
https://learn.microsoft.com/en-us/azure/virtual-desktop/authentication?WT.mc_id=AZ-MVP-5004159#external-identity

Licensing Azure Virtual Desktop
https://learn.microsoft.com/en-us/azure/virtual-desktop/licensing?WT.mc_id=AZ-MVP-5004159
