Managing external identities to enable secure access for partners, customers, and other non-employees
Hello Paramesh Kumar Bada,
Greetings! Thanks for raising this question in Q&A forum.
The most likely reason is that accessing partner-hosted VMs securely across networks requires centralized identity (SSO) and proper role-based access, otherwise users end up managing separate credentials or facing access issues.
To securely access partner VMs using SSO and avoid multiple passwords, you can follow these steps:
Use Microsoft Entra ID for authentication
- Enable Entra-based login on the partner VMs
- This allows users to sign in using their corporate identity instead of local VM accounts
Configure the correct RBAC roles
- Assign users one of the required roles on each VM:
- Virtual Machine User Login
- Virtual Machine Administrator Login
- Without these roles, users cannot log in even if SSO is configured
Use Azure Bastion (recommended)
- Access VMs directly from the Azure portal without exposing public IPs
- This improves security and simplifies access from corporate networks
Set up Conditional Access policies
- Enforce MFA and compliance checks centrally
- Ensure policies don’t block VM sign-in flows unintentionally
Validate partner access model
- If VMs are in partner tenants, ensure proper B2B collaboration / external user setup
- The partner must grant your users access in their tenant
Troubleshoot if access still fails
- Check NSG rules and network connectivity
- Confirm VM extension for Entra login is installed
- Verify user role assignment and tenant permissions
If your organization is trying to standardize access across multiple partner environments, the correct approach is to rely on Entra identity + RBAC + secure access methods like Bastion, instead of managing local passwords.
If this answer helps you kindly accept the answer which will help others who have similar questions
Best Regards,
Jerald Felix.