Provide host pool access to external identities

This article explains the process of providing host pool access to external identities.

Prerequisites

Before providing host pool access, review the requirements and limitations for external identities.

Provide host pool access for external identities

To provide host pool access for external identities:

  1. Follow the steps to Configure single sign-on for Azure Virtual Desktop using Microsoft Entra authentication to:

    1. Ensure that single sign-on is enabled in your tenant.
    2. (Optional) Hide the consent prompt.
  2. Follow the steps to Deploy Microsoft Entra joined VMs with the following considerations:

    1. You can deploy Entra joined VMs to a new or existing host pool.
    2. Use an OS image running a supported OS (defined in the requirements and limitations for external identities).
    3. Ensure you make the following assignments with the Microsoft Entra user group containing the external identities:
      1. Assign the group to the application group.
      2. Assign the group either the Virtual Machine User Login or Virtual Machine Administrator Login Azure role-based access control (RBAC) role for each session host VM in the host pool. If you're using a session host configuration, this assignment isn't required.
  3. Configure the host pool to enable single sign-on.

    Note

    You must enable single sign-on for external identities to connect. Connection attempts using legacy authentication protocols will fail.
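The assignments in step 2 and the host pool setting in step 3 can be applied idempotently with Az PowerShell. This is an added example, not part of the original article or Microsoft's own script. The angle-bracket names are placeholders. The `Desktop Virtualization User` role and the `enablerdsaadauth:i:1` RDP property are not named on this page; they are what Azure Virtual Desktop uses for application group assignment and Microsoft Entra single sign-on. The script assumes a signed-in session with the Az.Resources and Az.DesktopVirtualization modules.

```powershell
# Added example: every <placeholder> below is an assumption, replace with your own values.
$rg        = '<resource-group>'
$hostPool  = '<host-pool-name>'
$appGroup  = '<application-group-name>'
$groupName = '<entra-group-containing-external-identities>'

$group = Get-AzADGroup -DisplayName $groupName
if (-not $group) { throw "Microsoft Entra group '$groupName' not found" }

function Grant-RoleIfMissing {
    param([string]$ObjectId, [string]$Role, [string]$Scope)
    # Get-AzRoleAssignment also returns assignments inherited from parent scopes,
    # so an existing broader grant is not duplicated at the narrower scope.
    $existing = Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $Role -Scope $Scope
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $Role -Scope $Scope | Out-Null
        Write-Output "Assigned '$Role' at $Scope"
    }
}

# Step 2.3.1: assign the group to the application group.
$ag = Get-AzWvdApplicationGroup -ResourceGroupName $rg -Name $appGroup
Grant-RoleIfMissing -ObjectId $group.Id -Role 'Desktop Virtualization User' -Scope $ag.Id

# Step 2.3.2: VM login role on each session host VM (skip this loop if the host pool
# uses a session host configuration). The article allows either login role; this
# example grants the lower-privileged Virtual Machine User Login.
foreach ($sh in Get-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $hostPool) {
    if ($sh.ResourceId) {
        Grant-RoleIfMissing -ObjectId $group.Id -Role 'Virtual Machine User Login' -Scope $sh.ResourceId
    }
}

# Step 3: enable single sign-on on the host pool. -CustomRdpProperty replaces the
# whole property string, so merge with the existing properties instead of overwriting.
$hp    = Get-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool
$props = @("$($hp.CustomRdpProperty)" -split ';' |
    Where-Object { $_ -and $_ -notmatch '^\s*enablerdsaadauth:' })
$props += 'enablerdsaadauth:i:1'
Update-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool `
    -CustomRdpProperty ($props -join ';') | Out-Null
```

Scoping the login role to each session host VM, rather than the resource group or subscription, keeps the external identities from being able to sign in to unrelated VMs.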

Note

Using FSLogix profile containers for external identities is in preview.

Connect to Azure Virtual Desktop resources with an external identity

Follow the steps to Manage user accounts in Windows App to sign in to a supported Windows App client with an external identity and connect to Azure Virtual Desktop resources.
