Good news, more PaaS for DaaS! While we are all participants in the digital transformation, leveraging platform services (PaaS) is always something to consider first over infrastructure services (IaaS). Azure Files is a platform service that is part of your Azure storage account, and it is now supported for Active Directory Domain Services (ADDS) authentication in public preview.

“Our industry does not respect tradition. What it respects is innovation.”― Satya Nadella

In traditional virtual desktop infrastructure (VDI) deployment scenarios, it is still most likely that you build your own SMB file infrastructure to store your roaming profiles and user-specific data on. This creates extra management and maintenance overhead, increases costs, and requires physical hardware expansion whenever you need to burst or upgrade (CapEx). It is not flexible.

The Azure Files (storage-as-a-service) service on Azure is scalable on demand: you create your storage account, create a file share, set up the designated NTFS ACLs and you are ready to use it, all based on the OpEx billing model. Want more storage? Just expand the quota and you have more; your billing adjusts automatically. How this works in conjunction with Windows Virtual Desktop with FSLogix Profile Container and MSIX app attach is what you will learn in this article. Happy learning/reading!

Note: this article on Azure Files with Active Directory authentication also applies to other services and applications that require an SMB share, such as MSIX app attach. It also applies to partner solutions with Citrix, VMware, CloudJumper, and Nerdio with Windows Virtual Desktop on Azure.

When you are done with this article, the following section should show up in the properties of your storage account.

Migrate to FSLogix Profile Container

To provide a good migration path between your existing profile delivery/management solution to FSLogix Profile Container, the WVD Engineering team has created a migration script that is currently available as a Private Preview. To gain access to the Private Preview, complete this registration form.

The migration script will allow you to perform mass conversions of user-profiles from various (specified) types to FSLogix based Profile Containers at scale.

Once you have the migration script, follow the steps below.

  • Place the FSLogixMigration folder in a module directory.
  • Import the module with the command Import-Module FSLogixMigration.
  • If the module is imported successfully, you will see the welcome message.
  • At the time of import, a check is done for the following modules: ActiveDirectory, Hyper-V, Pester.

You can use the migration script for Roaming Profiles, UPD and UPM. Read more about it here in one of my other blogs.

Azure Files with AD – pre-requirements

  • Traditional AD environment synchronized to Azure AD with Azure AD Connect.
  • Windows Virtual Desktop VMs need to be joined to Active Directory.
  • Account credentials with the rights to create a computer account in the existing Active Directory environment, which is needed to connect Azure Files (see the steps below).
  • Make sure to deploy your storage account in one of the supported Azure regions.
  • Azure administrator/contributor or delegated rights to create the storage account.

How to configure Azure Files for Active Directory (ADDS)

If you have not done this yet, create a storage account within your Azure subscription.

Enter your Azure subscription specific details and a lower-case name for the storage account.

Click on Review + Create

Note: Make sure to create a unique storage account name no longer than 15 characters. Kerberos has a hard limit of a maximum of 15 characters. To make AD authentication work, the Azure Storage Hybrid module automatically creates a computer account in your Active Directory environment, named after your storage account, to provide the authentication. When the storage account name is longer than 15 characters, the creation of the computer account will fail.

Note: The preview is currently available in almost every Azure datacenter region. See here what locations aren’t supported yet. They will be added soon.

Click on Create

Finished successfully…

Open the new storage account / Go to the resource

Go to File shares

Create the FSLogix Profiles share

Create the MSIX app attach share (optional)

Activate Azure Files – Active Directory authentication on your storage account

Download and unzip the AzFilesHybrid PowerShell module. Make sure to download the latest version.

Store the data somewhere you prefer e.g. C:\AzFilesHybrid.

Make sure that your current user execution policy is set to Unrestricted (answer Yes to All when prompted).

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Currentuser

Change the path to the folder where you unzipped the module folder and run the .\CopyToPSPath.ps1 command.

Import the Azure Files Hybrid Module

Import-Module -Name AzFilesHybrid

Connect to your Azure Subscription via PowerShell via command.

Note: This account needs to have at least owner rights on the storage account or contributor RBAC rights assigned with similar rights to perform the next tasks.

Connect-AzAccount

Now we need to select the subscription (by name) for the current session.

Select-AzSubscription -SubscriptionName "Azure Subscription Name"

Now the most important step starts. We are joining our Azure Files – storage account to our Active Directory (AD) environment.

Note: We need to run these commands from a computer or server that is joined to the Active Directory (AD) domain. The command runs with the rights of the logged-on user who is running the PowerShell session, so that user needs domain administrator or delegated rights for creating the computer account. It does not have to be a domain controller.

Note: The OU name is the organizational unit in which the computer account that provides the LDAP connection is stored. Make sure that the permissions on the OU level are correct. You can leave this empty; the computer account will then be created in the root directly under your domain (not in the Computers OU).

Join-AzStorageAccountForAuth -ResourceGroupName "<resource-group-name>" -Name "<storage-account-name>" -DomainAccountType "ComputerAccount" -OrganizationalUnitName "<OU-DN-Path>"

When the command ran successfully, you will see the following computer account, named after your Azure storage account, created in your Active Directory (AD) environment.

Verify if Active Directory is enabled

Go back to the Azure Portal and open the – Configuration menu – of your storage account.

Verify if Active Directory is enabled with your local domain name. See the below example.
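The same verification can be done from PowerShell. This is an added example, not code from the original post or from the AzFilesHybrid module; it assumes the Az.Storage and ActiveDirectory (RSAT) modules are installed, that Connect-AzAccount and Select-AzSubscription were already run, and it uses placeholder names for the resource group and storage account.

```powershell
# Added example: verify the AD join of the storage account from PowerShell.
# Assumes Az.Storage and the ActiveDirectory (RSAT) module are available and
# that Connect-AzAccount / Select-AzSubscription were already run.
param(
    [string]$ResourceGroupName  = "<rg-name>",   # placeholder
    [string]$StorageAccountName = "<sa-name>"    # placeholder, max 15 characters
)

# 1. The computer account inherits the storage account name, so it must fit
#    the 15-character limit the article warns about.
if ($StorageAccountName.Length -gt 15) {
    throw "Storage account name '$StorageAccountName' is longer than 15 characters; computer account creation will fail."
}

# 2. Azure side: identity-based auth on the account should report AD with your domain.
$sa   = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$auth = $sa.AzureFilesIdentityBasedAuth
if ($null -eq $auth -or $auth.DirectoryServiceOptions -ne "AD") {
    Write-Warning "Identity-based authentication is not set to AD on $StorageAccountName"
} else {
    "AD authentication enabled for domain: {0}" -f $auth.ActiveDirectoryProperties.DomainName
}

# 3. AD side: a computer account named after the storage account must exist.
$computer = Get-ADComputer -Filter "Name -eq '$StorageAccountName'" -Properties DistinguishedName
if ($null -eq $computer) {
    Write-Warning "No computer account '$StorageAccountName' found in Active Directory"
} else {
    "Computer account found: {0}" -f $computer.DistinguishedName
}
```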

Configure IAM Object permissions – via the Azure Portal

Now we need to assign one of the built-in rights models to the specific file share to give users access to the Azure Files SMB share. There are three specific roles already available that we can use.

After we have done these IAM steps, we can take over SMB share authorization on the NTFS level (with the Elevated Contributor role) to make the folder rights more secure and organization-specific.

  • Storage File Data SMB Share Contributor
  • Storage File Data SMB Share Elevated Contributor (NTFS configurations)

You can assign the user or AD group object rights via the IAM configuration menu of your storage account in the Azure Portal.

Note: Make one of your (data) administrators part of the Storage File Data SMB Share Elevated Contributor assignment. That gives you the extra privilege to configure (initially) the NTFS rights on the share.

Configure IAM Object permissions – via PowerShell

For the sake of automation with PowerShell, we first have to create a couple of variables. The first one defines the IAM role in $FileShareContributorRole.

$FileShareContributorRole = Get-AzRoleDefinition "Storage File Data SMB Share Contributor"

In the $scope variable we collect the File Service resource ID of the Azure Files share location. You can find the path in the properties menu of your storage account. You only need to append the specific file share root folder manually after /fileServices/default (e.g. /fileshares/fslogixprofiles). See the example below.

$scope = "/subscriptions/<AzureSubscriptionID>/resourceGroups/WVD-RG/providers/Microsoft.Storage/storageAccounts/fslogixwvdfr/fileServices/default/fileshares/fslogixprofiles"

$scope1 = "/subscriptions/<AzureSubscriptionID>/resourceGroups/WVD-RG/providers/Microsoft.Storage/storageAccounts/fslogixwvdfr/fileServices/default/fileshares/msixappattach"

Run the following commands to assign the IAM role to the user on each share.

New-AzRoleAssignment -SignInName username@domain.com -RoleDefinitionName $FileShareContributorRole.Name -Scope $scope

New-AzRoleAssignment -SignInName username@domain.com -RoleDefinitionName $FileShareContributorRole.Name -Scope $scope1

To specify an AD security group for multiple users, use the Azure AD ObjectId parameter instead. First request the AD Group ID.

Get-AzADGroup -SearchString "AD Group Name"

Change the PowerShell command to the following example.

New-AzRoleAssignment -ObjectId 2f9d4375-cbf1-48e8-83c9-2a0be4cb33fb -RoleDefinitionName $FileShareContributorRole.Name -Scope $scope1
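To avoid hand-typing the scope string and to make the assignment safe to re-run, the following added example (not code from the original post) builds the scope from the storage account's own resource ID and skips assignments that already exist. It assumes an Az session is connected, uses the resource group, storage account and share names from the article, and the group names are placeholders.

```powershell
# Added example: assign a share-level SMB role to an AD group, idempotently.
# Assumes Connect-AzAccount / Select-AzSubscription were already run.
function Grant-AzFileShareSmbRole {
    param(
        [Parameter(Mandatory)] [string]$ResourceGroupName,
        [Parameter(Mandatory)] [string]$StorageAccountName,
        [Parameter(Mandatory)] [string]$ShareName,
        [Parameter(Mandatory)] [string]$GroupName,
        [ValidateSet("Storage File Data SMB Share Contributor",
                     "Storage File Data SMB Share Elevated Contributor")]
        [string]$RoleName = "Storage File Data SMB Share Contributor"
    )
    # Build the scope from the account's resource ID so the provider path
    # segments (e.g. storageAccounts) cannot be mistyped.
    $account = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
    $scope   = "$($account.Id)/fileServices/default/fileshares/$ShareName"

    $group = Get-AzADGroup -DisplayName $GroupName
    if (-not $group) { throw "Azure AD group '$GroupName' not found" }

    # Get-AzRoleAssignment also returns inherited assignments, so filter on the exact scope.
    $existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $RoleName -Scope $scope |
        Where-Object { $_.Scope -eq $scope }
    if ($existing) {
        Write-Host "Already assigned: $RoleName on $ShareName for $GroupName"
        return $existing
    }
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $RoleName -Scope $scope
}

# Users get Contributor on both shares; only the profile administrators get
# Elevated Contributor, which is what allows them to set the NTFS ACLs.
$common = @{ ResourceGroupName = "WVD-RG"; StorageAccountName = "fslogixwvdfr" }
Grant-AzFileShareSmbRole @common -ShareName "fslogixprofiles" -GroupName "<WVD-Users-group>"
Grant-AzFileShareSmbRole @common -ShareName "msixappattach"   -GroupName "<WVD-Users-group>"
Grant-AzFileShareSmbRole @common -ShareName "fslogixprofiles" -GroupName "<WVD-Admins-group>" `
    -RoleName "Storage File Data SMB Share Elevated Contributor"
```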

Verify access to your Azure Files SMB share

When we have performed all the above steps correctly, we can now test whether the share we created is accessible from our Windows Virtual Desktop environment, and then configure FSLogix Profile Container.

Find the Azure Files Share UNC path at the storage account configuration menu.

Log on to a domain-joined virtual machine as one of the user accounts (or a member of the group) that you gave the rights to. Try to access the Azure Files share; you have to append the share folder to the location, such as \\fslogixwvddemo.file.core.windows.net\fslogixprofiles. It works!

Configure NTFS rights on the Azure Files Share

You can start configuring all the NTFS rights that are recommended for the use of FSLogix Profile Container. See below the rights that are recommended to use for FSLogix. Read more about it here.

FSLogix Profile Container configuration

Download the FSLogix agent and install it in your Windows Virtual Desktop image virtual machine. FSLogix is available for download here.

Install the FSLogixAppsSetup agent in the image

Wait for the installation to be finished…

The configuration part of FSLogix Profile Container can be performed in either registry settings or group policy files. The most simple and effective method is using the registry settings below.

Open regedit.exe and browse to “HKEY_LOCAL_MACHINE\Software\FSLogix\Profiles”

Create a REG_SZ value name “VHDLocations” and enter new Azure Files network file share path (e.g. \\fslogixwvddemo.file.core.windows.net\fslogixprofiles)

Create a DWORD value name “Enabled” and give it value 1.

Create a DWORD value named “DeleteLocalProfileWhenVHDShouldApply” and give it value 1. This deletes an existing local profile before logon, which avoids errors.

Tip: The most important settings for the use of FSLogix Profile Container are the Enabled and VHDLocations registry settings. There are some other settings that I recommend enabling by default.

The VolumeType setting changes the disk type to VHDX. You can perform more maintenance tasks via PowerShell with VHDX, so I advise changing it from the default VHD to VHDX.

See here all the other advanced registry settings for FSLogix Profile Container.
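The registry settings above can also be applied and verified from an elevated PowerShell session instead of regedit.exe. This is an added example, not code from the original post or from FSLogix; it assumes the FSLogix agent is already installed and uses the article's example share path.

```powershell
# Added example: apply the FSLogix Profile Container registry settings from
# an elevated PowerShell session. Assumes FSLogix is installed on the image.
$profilesKey = "HKLM:\SOFTWARE\FSLogix\Profiles"
$vhdLocation = "\\fslogixwvddemo.file.core.windows.net\fslogixprofiles"   # article's example path

if (-not (Test-Path $profilesKey)) { New-Item -Path $profilesKey -Force | Out-Null }

# Settings from the article: VHDLocations (REG_SZ), Enabled and
# DeleteLocalProfileWhenVHDShouldApply (DWORD), and VolumeType set to VHDX.
$settings = @(
    @{ Name = "VHDLocations";                         Type = "String"; Value = $vhdLocation },
    @{ Name = "Enabled";                              Type = "DWord";  Value = 1 },
    @{ Name = "DeleteLocalProfileWhenVHDShouldApply"; Type = "DWord";  Value = 1 },
    @{ Name = "VolumeType";                           Type = "String"; Value = "VHDX" }
)
foreach ($s in $settings) {
    New-ItemProperty -Path $profilesKey -Name $s.Name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
}

# Read back the two settings FSLogix cannot work without and check that the
# share is reachable from this machine before users start logging on.
function Test-FSLogixProfileConfig {
    $cfg = Get-ItemProperty -Path $profilesKey
    [pscustomobject]@{
        Enabled        = $cfg.Enabled
        VHDLocations   = $cfg.VHDLocations
        VolumeType     = $cfg.VolumeType
        ConfigOk       = ($cfg.Enabled -eq 1) -and ($cfg.VHDLocations -eq $vhdLocation)
        ShareReachable = Test-Path -Path $cfg.VHDLocations
    }
}
Test-FSLogixProfileConfig
```

ShareReachable reflects the rights of the account running the session, so run the check as a user that holds one of the SMB share roles.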

Logon as a specific user and check if the Profile Container is being created on the Azure Files share. See the example below.

Or open the Disk Management console on your Windows Virtual Desktop virtual machine (Windows 10 single- or multi-session) and see the mounted container directly from there. All set!

MSIX app attach (preview) configuration

MSIX app attach is currently in public preview.

Configuring MSIX app attach for Azure Files in the current public preview stage is fairly easy. In the staging script that mounts the MSIX application container, the <path to vhd> value needs to be updated to the Azure Files SMB share location. See the example below for the application Notepad++.

#MSIX app attach staging sample
#region variables

$vhdSrc = "\\fslogixwvddemo.file.core.windows.net\msixappattach\notepadplusplus.vhd"
$packageName = "<package name>"
$parentFolder = "<package parent folder>"
$parentFolder = "\" + $parentFolder + "\"
$volumeGuid = "<vol guid>"
$msixJunction = "C:\temp\AppAttach\"

#endregion
#region mountvhd

Make sure that all the MSIX app attach containers are stored in the designated Azure Files share location, as in the example below.

Read more about how to use MSIX app attach here.

End-user experience video

The following video shows how FSLogix and MSIX app attach work on Windows Virtual Desktop while using Azure Files and Active Directory as the underlying solution.