anyweb

Windows 365 and the External Identity preview – using a guest account to access Cloud PCs

Introduction

Ever wished you could spin up a Cloud PC not just for your employees, but for contractors, partners, or even external collaborators? Good news—External Identity (preview) support in Entra ID now makes that possible. You can invite external users into your tenant and give them access to Cloud PCs, extending the same secure, managed experience your internal users already enjoy.

Of course, there are a few strings attached. Before deploying Cloud PCs to external identities, you need to be aware of a number of significant requirements and limitations so that everything runs smoothly.

In this blog post, my good friend Paul Winstanley and I take a look at what you need to be aware of and how to set this up and access the Cloud PC.

Requirements

  • The Cloud PC must be running Windows 11 Enterprise with the 2025-09 Cumulative Updates for Windows 11, version 24H2 (KB5065789) or later installed.
  • The Cloud PC must be Entra joined only; hybrid join is not supported.
  • Single sign-on must be enabled in the provisioning policy.
  • Connection to the Cloud PC must be via the Windows App or browser.

Limitations

  • User-based Intune device configuration profiles will not be applied to the external user's Cloud PC. Ensure you target the profiles to devices.
  • Windows 365 Enterprise, Business, and Frontline are supported; Windows 365 Government is not.
  • Cross-cloud users are not supported, i.e. you can’t invite users from Microsoft Azure Government or Microsoft Azure operated by 21Vianet.
  • Be aware of the token limitations for external identities – https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-token-protection#known-limitations
  • Authentication to on-premises resources with Kerberos or NTLM is not supported for external identities.

Assigning the Windows 365 licence

Assigning the licence should be a simple case of heading over to the Microsoft 365 admin center, navigating to Billing | Licenses and selecting the required Windows 365 subscription.

When selected, we clicked Assign licenses and chose the guest user, in our case Niall’s guest account in Paul’s tenant. When finished we clicked Assign licenses.

In our tenant, we received the following error message: ‘Failed to assign license for Niall Brady: Cannot process request because a referenced item has an invalid usage location.’ You may not receive this error, in which case you will not need to perform the fix.

To fix this, we went to the Entra admin center and clicked on Users. We located Niall’s guest account and clicked Edit properties.

Under the Settings menu, we clicked the Usage location drop-down and selected a location for his account, then clicked Save.

After a short period of time, we were able to assign a licence to Niall’s account with no issue.
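
The usage location fix above can also be done in bulk before licences are assigned. The following is an added example, not part of the original post, using the Microsoft Graph PowerShell SDK; the parameter names and the country code you pass in are assumptions.

```powershell
#Requires -Modules Microsoft.Graph.Users
# Added example: find guest accounts that have no usage location and set one,
# so licence assignment does not fail with "invalid usage location".
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: two-letter ISO 3166-1 country code chosen by the admin.
    [Parameter(Mandatory)]
    [ValidatePattern('^[A-Za-z]{2}$')]
    [string]$UsageLocation,

    # Optional (hypothetical input): restrict the change to these guest UPNs.
    # Guest UPNs in the resource tenant usually contain "#EXT#".
    [string[]]$UserPrincipalName
)

Connect-MgGraph -Scopes 'User.ReadWrite.All'

# usageLocation is not returned by default, so request it explicitly.
$props  = 'id', 'displayName', 'userPrincipalName', 'userType', 'usageLocation'
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All -Property $props

if ($UserPrincipalName) {
    $guests = $guests | Where-Object { $_.UserPrincipalName -in $UserPrincipalName }
}

# Only touch accounts where the property is actually missing.
$missing = @($guests | Where-Object { [string]::IsNullOrEmpty($_.UsageLocation) })
Write-Verbose "$($missing.Count) guest account(s) without a usage location"

foreach ($guest in $missing) {
    $action = "Set usage location to $($UsageLocation.ToUpper())"
    if ($PSCmdlet.ShouldProcess($guest.UserPrincipalName, $action)) {
        Update-MgUser -UserId $guest.Id -UsageLocation $UsageLocation.ToUpper()
    }
}

# Emit the accounts that were (or, with -WhatIf, would be) changed.
$missing | Select-Object DisplayName, UserPrincipalName, Id
```

Run it with `-WhatIf` first to review which guest accounts would be changed.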

Provisioning the Cloud PC for the External Identity

Back in the Intune admin center, under Devices | Device onboarding | Windows 365 | All Cloud PCs there should be a Not provisioned Cloud PC. It reports as Not provisioned as the user has not been assigned a provisioning policy.

To resolve this, we can either create a provisioning policy and assign it, or use an existing policy, so long as single sign-on is enabled and the Cloud PC is running the 2025-09 Cumulative Updates for Windows 11, version 24H2 (KB5065789) or later. If using an existing policy, take a look at the assignment to ensure that Niall’s account is targeted.

We decided to create a new provisioning policy using the new 25H2 release of Windows 11. We navigated to Devices | Device onboarding | Windows 365 | Provisioning policies in our tenant and clicked Create policy.

As mentioned, ensure Use Microsoft Entra single sign-on is enabled and Microsoft Entra Join is selected for Join type as hybrid is not supported.

We selected the Windows 11 Enterprise + Microsoft 365 Apps 25H2 gallery image to ensure that we met the O/S requirements.

When assigning the policy, we targeted a group called Windows 365 External Identities.

After completing the provisioning policy wizard, the policy was visible.

Next, we simply added Niall’s guest account to the Windows 365 External Identities group. We navigated to Groups and searched for the group and added his account.

Back in All Cloud PCs, a Cloud PC now reported a Status of Provisioning.

After a period of time, the Cloud PC reported as Provisioned.

Accessing the Cloud PC

The Cloud PC can be accessed via the Windows App or a web browser; however, before attempting to connect, the following registry key needs to be created on the host device.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsApp\Flights
DWORD - EnableIdSignInUx
Value - 0
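
One way to deploy and verify this registry value across devices is sketched below. This is an added example, not part of the original post; the `-DetectOnly` switch and the output strings are assumptions, while the key path, value name, type and data are the ones listed above.

```powershell
#Requires -RunAsAdministrator
# Added example: detect and, if needed, create the EnableIdSignInUx value.
# Exit code 0 = value present and correct, 1 = missing or wrong.
[CmdletBinding()]
param(
    [switch]$DetectOnly   # hypothetical switch: report state, change nothing
)

$keyPath   = 'HKLM:\SOFTWARE\Microsoft\WindowsApp\Flights'
$valueName = 'EnableIdSignInUx'
$expected  = 0

function Test-FlightValue {
    if (-not (Test-Path -Path $keyPath)) { return $false }
    $key = Get-Item -Path $keyPath
    if ($valueName -notin $key.GetValueNames()) { return $false }
    # Check the type as well as the data: a REG_SZ "0" is not a DWORD 0.
    $isDword = $key.GetValueKind($valueName) -eq [Microsoft.Win32.RegistryValueKind]::DWord
    return $isDword -and ($key.GetValue($valueName) -eq $expected)
}

if (Test-FlightValue) { Write-Output 'Compliant'; exit 0 }
if ($DetectOnly)      { Write-Output 'Not compliant'; exit 1 }

# Create the key if it does not exist, then (re)write the value as a DWORD.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
    -Value $expected -Force | Out-Null

# Re-read the value instead of trusting the write.
if (Test-FlightValue) { Write-Output 'Remediated'; exit 0 }
Write-Output 'Failed to set value'
exit 1
```

Run it from a 64-bit PowerShell host; a 32-bit process writing to HKLM\SOFTWARE is redirected to WOW6432Node and the value would land in the wrong place.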

There are slight variations to accessing via the app or the browser so let’s take a look at both. Also, thanks to our MVP friend Sune Thomsen for providing the details that steered us in the right direction to make this work!

Windows App

The user must be authenticated in the Windows App. They need to click their account profile picture on the top right of the application and click Sign in with another account.

If the registry key has been entered, then the following Sign in window will be displayed. Note that Sign-in options is available; it would not be displayed if the registry key were not present. Click Sign-in options.

The next step is to click the Sign in to an organization option and enter the domain of the organization hosting the Windows 365 Cloud PC, in our case sccmsolutions.co.uk.

Now, the guest account must authenticate in the tenant using their account credentials, and respond to any multi-factor authentication or other prompts.

When authentication is complete, the user will be presented with their Cloud PC in the Windows app.

The user is able to switch between organizations by clicking their account profile and selecting accordingly.

Web Browser

When navigating to windows365.microsoft.com, the user will authenticate with their account. Then in the top right hand corner of the web page, the user clicks their profile and then chooses Sign in with another account.

Now, choose Use another account.

The user will then have the Sign-in options available to select (if the reg key is present on the device).

After selecting Sign-in options, choose Sign in to an organization.

As with the Windows App, they enter the domain name of the organization hosting the Windows 365 Cloud PC and authenticate with their user account.

Finally, the user will be presented with the provisioned Cloud PC in the web browser.

Using either the Windows App or the web browser to log on to the Cloud PC will allow the guest account access to the device, where previously they would have needed an account created in that tenant to have a Cloud PC assigned.

As we can see, Niall’s account is accessing CPC-niall-ZMTAD in the sccmsolutions tenant.

This is a hotly awaited addition to Windows 365 Cloud PC features. We look forward to using this feature with our customers. We hope that the registry key requirement is soon removed and is added as part of the installation of the Windows App, as this will help reduce steps required for onboarding for guest accounts.

See you next time.
