Overview of B2B guest access with Global Secure Access (preview)

Organizations often collaborate with external partners such as vendors and contractors. Traditional solutions for granting access to internal resources for external users typically lack visibility and granular security controls. Global Secure Access, built into Microsoft Entra, solves these challenges by using existing B2B guest identities and providing advanced security features like Conditional Access, Continuous Access Evaluation, and cross-tenant trust. This approach enables secure, efficient management of external user access without duplicating accounts or requiring complex federation.

The guest access feature in Global Secure Access allows partners to use their own devices and identities to access company resources securely. It supports bring your own device (BYOD) scenarios, enforces per-app multifactor authentication, and offers seamless multitenant switching for partner users. Administrators benefit from single-pane management for identity, access, and network policies, reducing operational overhead while improving governance. Integrated logging and telemetry across identity and network layers provide full visibility into guest activity, ensuring a secure and streamlined experience for external collaboration.

Important

The guest access feature is currently in PREVIEW. This information relates to a prerelease product that might be substantially modified before its release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.

Enable B2B guest access with the Global Secure Access client

Partners can enable the guest access feature with the Global Secure Access client, signed in to their home organization's Microsoft Entra ID account. The Global Secure Access client automatically discovers partner tenants where the user is a guest and offers the option to switch into the customer's tenant context. Guest users can access only assigned resources and only if they're included in the resource tenant's Private Access traffic forwarding profile. The client routes only traffic for the customer's private applications through the customer's Global Secure Access service.

Diagram of B2B guest access with Global Secure Access.

Prerequisites

To enable B2B guest access with the Global Secure Access client, you must have:

  • Guest users configured in the resource tenant. For more information, see the following articles:

  • The Global Secure Access client, version 2.24.117 or later, installed and running on the device connected to the home tenant. To install the Global Secure Access client, see Install the Global Secure Access client for Microsoft Windows.

    Tip

    The home tenant doesn't need to have a Global Secure Access license.

  • Global Secure Access Private Access enabled on the resource tenant. Configure the Private Access traffic forwarding profile on the resource tenant and assign the profile to guest accounts.

  • At least one private application configured and assigned to guest accounts.

  • The Guest Access feature enabled on the client by setting the following registry key:
    Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Global Secure Access Client

    Value               Type       Data   Description
    GuestAccessEnabled  REG_DWORD  0x1    Guest access is enabled on this device.
    GuestAccessEnabled  REG_DWORD  0x0    Guest access is disabled on this device.

Administrators can set the registry values centrally with a Mobile Device Management (MDM) solution such as Microsoft Intune, or with Group Policy.
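As an added example (not a script from Microsoft or the Global Secure Access product), the following PowerShell audits and optionally enforces the GuestAccessEnabled value from the table above, shaped as an Intune detection/remediation script that reports drift with its exit code. The key path and value name are taken from this page; the parameter names and the compliant/drift exit-code convention are assumptions of this example.

```powershell
# Audit or enforce the GuestAccessEnabled DWORD documented on this page.
# Run elevated (the key lives under HKLM). Exit 0 = compliant, 1 = drift.
param(
    # Desired state for this device: 1 enables guest access, 0 disables it.
    [ValidateSet(0, 1)]
    [int]$Desired = 1,
    # When present, correct drift instead of only reporting it.
    [switch]$Remediate
)

$KeyPath   = 'HKLM:\Software\Microsoft\Global Secure Access Client'
$ValueName = 'GuestAccessEnabled'

function Get-GuestAccessState {
    # Returns the current DWORD as an int, or $null when the value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-GuestAccessState {
    param([int]$Value)
    # Create the key if the client has not created it yet, then write the DWORD.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Value `
        -PropertyType DWord -Force | Out-Null
}

$current = Get-GuestAccessState
if ($current -eq $Desired) {
    Write-Output "Compliant: $ValueName = $current"
    exit 0
}

$shown = if ($null -eq $current) { 'not configured' } else { $current }
Write-Output "Drift: $ValueName is $shown, expected $Desired"

if ($Remediate) {
    Set-GuestAccessState -Value $Desired
    Write-Output "Remediated: $ValueName set to $Desired"
    exit 0
}
exit 1
```

Deploy it twice in Intune: once without -Remediate as the detection script and once with -Remediate as the remediation script, so devices that should not expose guest access (Desired 0) are reported and corrected the same way.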

Connect to the guest resource tenant

To enable B2B guest access with the Global Secure Access client, follow these steps:

  1. Launch the Global Secure Access client.
  2. Switch the client to the guest resource tenant:
    1. Select the Global Secure Access client icon in the system tray.
    2. Select the User menu (profile picture) and select the guest resource tenant from the list.

      Tip

      The home tenant doesn't need to have Global Secure Access configured for this step to work.

    3. Verify that you're connected to the guest resource tenant. When the switch succeeds, the Organization field in the Global Secure Access status pane shows the name of the resource tenant.
      Screenshot of the Global Secure Access Status pane showing that the Organization is connected to the resource tenant.

All the Global Secure Access tunnels to the home tenant (such as Private Access, Internet Access, or Microsoft 365 tunnels) disconnect and a new Private Access tunnel is created to the resource tenant. You should be able to access private applications configured on the resource tenant.

Switch back to the home tenant

  1. Select the Global Secure Access client icon in the system tray.
  2. Select the User menu (profile picture).
  3. To switch back, select the home tenant from the list.

Switching back disconnects the Private Access tunnel from the resource tenant and connects the configured tunnels to the home tenant.

Frequently asked questions (FAQ)

Q: Are cross-tenant signals like MFA and device compliance supported?
A: Yes, cross-tenant signals work with the Global Secure Access guest access feature.

Q: What is the license requirement for the home tenant?
A: The home tenant doesn't need a Global Secure Access license. The feature requires at least a Microsoft Entra free tenant.

Q: Are both user types, Guest and Member, supported?
A: Yes. Cross Tenant Sync creates guest users as userType = Member by default, and this user type is supported.

Q: Does the device need to be registered to the resource tenant?
A: No, device registration isn't required on the resource tenant for guest access to work.

Q: Can I configure MFA on the resource tenant?
A: Yes, you can configure MFA on the user and on the applications.

Known limitations

  • B2B guest access doesn't support keeping the Internet Access, Microsoft 365, and Microsoft Entra tunnels to the home tenant.
  • Switching an account to the resource tenant fails when the resource tenant is configured for required MFA in the cross-tenant configuration and the home tenant is configured with passwordless sign-in (PSI) on the authenticator app.
  • When Access Control is allowed in the cross-tenant settings for Global Secure Access, access isn't allowed because Global Secure Access controls these applications.
  • When a user switches tenants, existing active application connections like Remote Desktop Protocol (RDP) remain connected to the previous tenant.

Enable B2B guest access for Azure Virtual Desktop and Windows 365

You can enable Global Secure Access on Windows 365 and Azure Virtual Desktop instances that support external identities to provide B2B guest access. With this capability, external users—such as guests, partners, and contractors—from other organizations can securely access resources in your tenant (the resource tenant). As a resource tenant administrator, you can configure Private Access, Internet Access, and Microsoft 365 traffic policies for these third-party users, helping ensure secure and controlled access to your organization's resources.

Diagram showing an overview of B2B guest access in Global Secure Access.

To enable B2B guest access for Windows 365 or Azure Virtual Desktop (AVD) virtual machines (VM) with Global Secure Access, follow these steps:

  1. Configure your Windows 365 or Azure Virtual Desktop VM instance to use external ID linking. For more information, see Configure external ID linking.

  2. Onboard your organization to Global Secure Access. For more information, see onboarding instructions.

  3. Set up one or more Global Secure Access traffic forwarding profiles and assign them to users with external IDs. For more information, see Configure traffic forwarding profiles and Assign users to profiles.

  4. Install and configure the Global Secure Access client on the virtual machines. For more information, see Installation guide for the Global Secure Access client.

Once configured, the Global Secure Access client automatically connects to the tenant associated with the VM instance by using the external ID.