Microsoft quietly shipped a landmark capability in May 2026: FSLogix profile containers for cloud-only and external identities in Azure Virtual Desktop are now generally available. What was in public preview since November 2025 has crossed the finish line — and for organizations still running on-premises domain controllers primarily to support AVD, this is the announcement that changes the calculus.

This is not an incremental update. For a significant slice of enterprise AVD environments, FSLogix GA for Entra-only identities is the final piece of the cloud-native puzzle.


What Changed

The May 2026 What’s New page for Azure Virtual Desktop now carries this entry:

FSLogix support for cloud-only and external identities is now generally available

You can now provide FSLogix profile containers for both cloud-only and external identities. With this functionality, you can provide the same user experience on a pooled host pool that you already can for hybrid users.

This capability is already built-in to existing versions of FSLogix.

The “already built-in to existing versions” note is deliberate. There is no new FSLogix agent to install. If you are running a reasonably current FSLogix build, the GA capability is already on your session hosts — what changes is the support status and the removal of the “preview” asterisk from production deployments.


Why This Is a Bigger Deal Than It Looks

The Last Dependency on Active Directory

For years, running pooled AVD host pools with roaming profiles required a domain controller. Not because of AVD itself — Microsoft Entra joined session hosts have been supported for a long time — but because FSLogix profile containers required Active Directory Domain Services (AD DS) or Azure Active Directory Domain Services (AADDS) for Kerberos authentication to Azure Files shares.

Cloud-only users, despite having perfectly valid Entra ID accounts, could not use FSLogix on pooled pools without either a domain controller or accepting a significantly degraded profile experience.

That dependency is now gone.

With Entra Kerberos authentication on Azure Files reaching stable production support, FSLogix can now authenticate cloud-only users to Azure Files shares using their Entra ID identity alone — no domain controller required. The profile container experience is identical to what hybrid AD users have had since day one.

External Identities Finally Get Persistent Profiles

Before this release, B2B guest users accessing AVD faced a second-class experience. Without FSLogix support, external identities received temporary profiles that evaporated at session end — no persistent settings, no cached credentials, no consistent application state.

For organizations using AVD to provide workspaces to contractors, partners, or managed service providers, this was a significant limitation that often forced one of two workarounds: create internal “shadow” accounts for external workers, or accept the inconsistent profile experience.

Both workarounds are now unnecessary. External B2B identities can receive FSLogix-backed persistent profiles on the same pooled host pools as internal users.


Scenarios This Unlocks

The GA announcement opens several deployment patterns that were previously blocked or required uncomfortable compromises:

Fully Entra-only organizations — Startups, cloud-native companies, and organizations that have never deployed AD DS can now build complete AVD environments with pooled host pools and persistent FSLogix profiles without standing up a domain controller.

Domain controller retirement — For organizations running AD DS infrastructure primarily to support FSLogix/AVD, this announcement may accelerate the timeline for DC retirement. If FSLogix and hybrid join were the last two reasons your domain controllers existed, the first reason is now resolved.

B2B and contractor workspaces — Managed service providers, professional services firms, and any organization with significant contractor or partner populations can now offer persistent AVD workspaces to external identities through a supported, production-grade mechanism.

Government and regulated environments — Organizations in sectors where on-premises infrastructure introduces compliance or data sovereignty complexity can now remove that dependency while maintaining full profile persistence for pooled sessions.

Multi-tenant architectures — Organizations managing multiple Entra tenants can create clean per-tenant host pool configurations without cross-tenant identity federation complexity.


Configuration Requirements

For organizations ready to deploy, here is what the Entra-only FSLogix architecture requires:

Azure Files with Entra Kerberos

  • Configure the storage account with an Entra-only identity source (not AD DS / AADDS)
  • Enable Entra Kerberos on the storage account
  • Assign the Storage File Data SMB Share Contributor RBAC role to the users who need profile access
  • Set directory-level SMB ACLs from an Entra-joined client
  • Grant admin consent on the storage account app registration

Critical: You must exclude the Azure Files storage account application from any Conditional Access policies that require MFA. This is the most common misconfiguration that causes FSLogix container mount failures in Entra-only deployments — and the failures surface as opaque errors that look like storage or network problems.

Session Hosts

  • Must be Microsoft Entra joined (not hybrid-joined, not AD DS-joined)
  • Windows 11 22H2 or later recommended; Windows 10 21H2 minimum
  • For external identity support: Windows 11 with recent cumulative updates

FSLogix Configuration

  • No new FSLogix version is required — GA capability is built into current releases
  • Configure VHDLocations or CCDLocations pointing to the Azure Files UNC path
  • Entra Kerberos ticket retrieval is handled automatically on Entra-joined hosts
  • Verify FSLogix is current — FSLogix 26.01 CU1 (February 2026) is the latest critical update

What Organizations Should Do Now

1. Audit Your Identity Landscape

Map cloud-only users, B2B guest accounts, and contractor identities in your Entra tenant. Identify which of these currently access AVD without persistent profiles — they are the immediate beneficiaries of this GA announcement.

2. Review Conditional Access Policies

Before deploying, audit every Conditional Access policy that applies to Azure Files storage accounts. Confirm that MFA-requiring policies exclude the storage account app. Document this exclusion and ensure it is captured in your CA policy inventory.
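One way to run this audit offline, as an added example (not code from Microsoft or from the original article): a Python check over a Conditional Access policy export in the Microsoft Graph conditionalAccessPolicy JSON shape, flagging MFA-requiring policies that still cover the storage account app. The policies and the application ID are constructed placeholders, and treating any authentication strength as MFA-requiring is an assumption.

```python
import json

# Placeholder appId for the storage account's app registration (constructed).
STORAGE_APP_ID = "00000000-0000-0000-0000-0000000000aa"

def _policy(name, state, include, exclude, grant):
    """Build one constructed policy in the Graph conditionalAccessPolicy shape."""
    return {"displayName": name, "state": state,
            "conditions": {"applications": {"includeApplications": include,
                                            "excludeApplications": exclude}},
            "grantControls": grant}

# Constructed sample export; a real one comes from the tenant's policy inventory.
SAMPLE_EXPORT = json.dumps({"value": [
    _policy("Require MFA - all apps", "enabled", ["All"], [],
            {"builtInControls": ["mfa"]}),
    _policy("Require MFA - storage excluded", "enabled", ["All"],
            [STORAGE_APP_ID], {"builtInControls": ["mfa"]}),
    _policy("Compliant device only", "enabled", ["All"], [],
            {"builtInControls": ["compliantDevice"]}),
    _policy("MFA pilot - storage app", "enabledForReportingButNotEnforced",
            [STORAGE_APP_ID.upper()], [], {"builtInControls": ["mfa"]}),
    _policy("Old MFA policy", "disabled", ["All"], [],
            {"builtInControls": ["mfa"]}),
    _policy("Session controls only", "enabled", ["All"], [], None),
]})

def requires_mfa(policy):
    grant = policy.get("grantControls") or {}  # grantControls may be null
    builtin = [c.lower() for c in grant.get("builtInControls") or []]
    # Assumption: any authentication strength is treated as MFA-requiring.
    return "mfa" in builtin or bool(grant.get("authenticationStrength"))

def audit(export_json, app_id):
    """Return (policy name, severity) for MFA policies that still cover app_id."""
    app_id, findings = app_id.lower(), []
    for p in json.loads(export_json).get("value", []):
        state = p.get("state")
        if state == "disabled" or not requires_mfa(p):
            continue
        apps = (p.get("conditions") or {}).get("applications") or {}
        included = [a.lower() for a in apps.get("includeApplications") or []]
        excluded = [a.lower() for a in apps.get("excludeApplications") or []]
        if ("all" in included or app_id in included) and app_id not in excluded:
            findings.append((p["displayName"],
                             "enforced" if state == "enabled" else "report-only"))
    return findings

if __name__ == "__main__":
    for name, severity in audit(SAMPLE_EXPORT, STORAGE_APP_ID):
        print(f"{severity:12} {name}")
```

Report-only policies are listed separately because they do not block mounts today but will once switched to enabled.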

3. Pilot in a Non-Production Host Pool

Create a pilot host pool with Entra-joined session hosts, configure Azure Files with Entra Kerberos, and run a representative group of cloud-only users through a complete session lifecycle. Confirm profile persistence across sessions and disconnections.

4. Assess Domain Controller Retirement Readiness

If your AD DS infrastructure exists primarily for FSLogix or hybrid join, conduct a formal dependency analysis. FSLogix GA removes one of the two most common blockers. For hybrid join, Entra-joined alternatives in AVD are mature and production-ready. This may be the year the domain controller goes dark.

5. Update Your IaC Templates

If you manage AVD environments through Bicep, Terraform, or Azure DevOps pipelines, incorporate Entra-only FSLogix configuration into your landing zone templates. Standardizing the pattern now prevents divergent configurations as more teams onboard.

6. Update FSLogix on All Session Hosts

Ensure you are running a current FSLogix build across all host pools. The GA capability is present in recent releases, but older builds may not include stability fixes and known issue resolutions relevant to Entra Kerberos scenarios.


What Has NOT Changed

Hybrid AD FSLogix remains fully supported. Organizations on hybrid identity models are not required to migrate to Entra-only storage. Hybrid AD FSLogix continues to function as it always has and remains the right choice for environments with legacy AD dependencies.

External identity licensing requirements are unchanged — external users must hold appropriate licenses in the resource tenant regardless of what licenses they hold in their home tenant. Confirm your licensing model before provisioning external identity workspaces at scale.

FSLogix for personal host pools is unaffected — this change primarily impacts pooled host pools where profile roaming is essential.

Entra ID Protection, Conditional Access, and governance policies for your Azure Files storage accounts are your responsibility. FSLogix GA does not change the security posture requirements — it extends the deployment model to new identity types.


The Bigger Picture

Microsoft’s identity strategy for cloud desktop has been on a clear trajectory for several years: eliminate the on-premises infrastructure dependencies that historically complicated cloud adoption, while maintaining feature parity for organizations that cannot yet depart from hybrid models.

The FSLogix GA announcement is the culmination of a multi-year engineering investment:

  • 2022 — FSLogix profile containers for Entra-joined VMs (public preview)
  • 2023–2024 — Azure Files Entra Kerberos matures; cloud-only FSLogix scenarios move from workaround to supported pattern
  • November 2025 — FSLogix for cloud-only and external identities enters public preview
  • May 2026 — General Availability

Combined with the other May 2026 announcements — AVD for hybrid environments via Arc-Enabled Servers (public preview) and the ongoing GA rollout of RDP Multipath with redundant TCP — the picture emerges clearly: Microsoft is building an AVD platform that works everywhere, with any identity type, over any network, whether your infrastructure is in Azure, on-premises, or both.

For IT decision-makers evaluating AVD as the long-term workforce platform, the 2026 releases collectively answer most of the remaining objections. The identity dependencies are gone. The connectivity reliability is enterprise-grade. The infrastructure flexibility now spans bare metal to cloud.

The question is no longer whether AVD can handle your use case. It is when you start the migration.



Big Hat Group is a Microsoft partner specializing in Azure Virtual Desktop, modern endpoint management, and Microsoft 365 deployments.