Abstract
In this article, you will learn how to integrate Azure Virtual Desktop (AVD) session hosts that are joined to Azure AD with Azure NetApp Files (ANF). It will show you the reference architecture required to support this integration and demonstrate how users, logging in to AVD session hosts that are Azure AD joined, can access ANF seamlessly.
Co-authors: Anthony Mashford, Jose Manuel Gomez, Cloud Solutions Architects
Introduction
As businesses increasingly embrace remote work and cloud-based solutions, Azure Virtual Desktop (AVD) has emerged as a powerful platform for enabling secure and scalable virtual desktop experiences. To further enhance its capabilities, organizations can leverage Azure AD join, Azure NetApp Files, and FSLogix in conjunction with AVD session hosts. This powerful combination not only provides streamlined user management and authentication but also delivers high-performance storage and efficient profile management. This article will explore how customers can utilize AVD session hosts that are Azure AD joined with Azure NetApp Files and FSLogix, highlighting the benefits and advantages they offer.
- Simplified User Management and Authentication:
By deploying Azure AD-joined AVD session hosts, organizations can centralize user management and authentication processes. Azure AD provides a robust identity and access management solution that seamlessly integrates with AVD, allowing users to log in using their Azure AD credentials. This integration simplifies user provisioning, improves security through multi-factor authentication, and enables centralized access controls, making it easier to manage user accounts and permissions across the organization.
- High-Performance, Secure, Scalable Storage with Azure NetApp Files:
Azure NetApp Files is a highly available Microsoft first-party file storage service that offers scalable, high-performance, low-latency storage solutions for AVD environments. By leveraging Azure NetApp Files as the underlying storage for AVD session hosts, organizations can ensure optimal performance and responsiveness, even for the most demanding workloads. The scalability and elasticity of Azure NetApp Files enable businesses to adjust storage resources dynamically, accommodating changing user demands without compromising performance.
As businesses increasingly move their services into Azure, data protection and recovery have become paramount. For instance, Azure NetApp Files offers a built-in backup solution, which significantly lowers operational costs and provides robust functionality for recovery.
Features such as snapshots and their integration with the Windows Previous Versions tab allow user self-service recovery of files. Because snapshots are read-only, they are not overwritten when ransomware encrypts the live data on the volume; a snapshot revert rolls the whole volume back to that point in time (discarding everything written afterwards), so recovery is fast and data loss is bounded by the snapshot interval. To ensure business continuity during unforeseen circumstances, cross-region replication (CRR) is leveraged for disaster recovery.
Security is paramount; hence, Azure NetApp Files also provides customer-managed keys for volume encryption and Access-Based Enumeration, which hides files and folders from directory listings for users who have no permission to them (it complements, but does not replace, the share and NTFS ACLs), further fortifying the data protection strategy.
User and group quotas can be implemented to manage storage consumption and cost efficiently.
Moreover, the practice of maintaining SMB Continuously Available (CA) shares is highly recommended, to guarantee seamless access to resources. The Azure NetApp Files solution integrates well with FSLogix Profile Container for Azure Virtual Desktop, creating a robust and resilient system that promotes effective data management and protection.
- Efficient Profile Management with FSLogix:
Profile management is a critical aspect of virtual desktop environments, as it affects user experience and productivity. FSLogix, now integrated with Windows and Windows Server, provides advanced profile management capabilities, including the ability to virtualize user profiles and reduce logon times significantly. By combining FSLogix with AVD session hosts, organizations can deliver personalized desktop experiences to users while reducing the complexity associated with traditional profile management solutions. FSLogix achieves this by using a containerized approach, dynamically provisioning user profiles on demand and streamlining profile access, resulting in faster logons and efficient resource utilization.
- Enhanced Security and Compliance:
Utilizing Azure AD join, Azure NetApp Files, and FSLogix with AVD session hosts reinforces security and compliance measures. Azure AD join enables seamless integration with Azure AD's security features, including conditional access policies and identity protection, so that only authorized users can reach the virtual desktops. Azure NetApp Files provides enterprise-level security features, such as data-at-rest and data-in-transit (SMB) encryption, helping organizations meet compliance requirements and protect sensitive data. FSLogix keeps each user's profile in its own container (a VHD/VHDX file) on the share rather than on the session hosts, which isolates profiles from one another and from the host and reduces the risk of profile corruption; access to the containers is governed by the share and NTFS permissions on the volume, so those permissions must be restricted to the profile owner and administrators.
- Scalability and Cost-Effectiveness:
The combination of AVD session hosts with Azure AD join, Azure NetApp Files, and FSLogix offers organizations scalability and cost-effectiveness. Azure AD join simplifies user management and enables rapid deployment of AVD session hosts, allowing businesses to scale their virtual desktop environments quickly. Azure NetApp Files provides elastic storage resources that can be easily scaled up or down, optimizing costs based on actual usage. FSLogix’ efficient profile management further reduces storage requirements by eliminating redundant data, contributing to cost savings and overall infrastructure efficiency.
Scenario
This scenario will demonstrate how organizations that require the AVD session hosts to be Azure AD joined, can leverage ANF to host user profiles, home folders and departmental shares. It is important to note that this scenario still requires Active Directory Domain Services (ADDS) to be available within the infrastructure as ANF requires Active Directory Domain Services (ADDS) or Azure Active Directory Domain Services (AADDS) for authentication.
The observant amongst you will notice that this scenario does not solely use Azure AD and still requires Active Directory Domain Services. The majority of customers will still have an Active Directory presence, and organizations looking to future-proof their AVD deployments and benefit from the management capability of Microsoft Intune can have the best of both worlds with this hybrid approach.
(i) Important
Using Azure AD for authenticating hybrid user identities allows Azure AD users to access Azure NetApp Files SMB shares. This means your end users can access Azure NetApp Files SMB shares without requiring a line-of-sight to domain controllers from hybrid Azure AD-joined and Azure AD-joined VMs. Cloud-only identities aren't currently supported.
The diagram below shows a high-level overview of the scenario:
Requirements
The following requirements need to be met to allow for this Hybrid configuration.
- An Azure subscription,
- Azure networking infrastructure to support the deployment,
- DNS configured within the VNet for name resolution of Active Directory Domain Services,
- Active Directory Domain Services Installed and accessible to the ANF service,
- Azure AD Connect installed and identities synchronized to Azure AD,
- ANF account, capacity pool and volume(s),
- AVD host pool, application group and workspace configured,
- AVD session host.
(i) Important
More information on how to install and configure Azure AD Connect can be found here.
Configuration
The configuration for this scenario would be as follows:
- Two ANF volumes, one for user profiles and one for user home folders:
- A host pool created with the directory join option set to Azure Active Directory:
- The RDP properties for the host pool configured to allow users to log in via Azure AD (the custom RDP property targetisaadjoined:i:1, plus enablerdsaadauth:i:1 where single sign-on through Azure AD authentication is wanted):
- An AVD session host created in the host pool:
By running the command below you can see this session host is Azure AD joined:
- FSLogix application installed on the session host with the .ADMX file copied to the Local Policy definitions folder C:\Windows\PolicyDefinitions and the .ADML file copied to the matching language subfolder (for example C:\Windows\PolicyDefinitions\en-US).
- The Local Group Policy configured to use the ANF volume to host the user profiles:
With this configuration in place, once the user logs in via Azure AD, their user profile is stored on the ANF volume:
Within the user profile directory, you can see the FSLogix-managed .VHD file and its metadata:
Using the same credentials, the user can also map their home folder, which is also hosted on an ANF volume:
The process is seamless to the user, with no prompt for authentication.
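The session-host side of the steps above, scripted in PowerShell as an added example (this is not code from the original article or from Microsoft). It assumes an ANF SMB server name such as anf-1234.contoso.com (the AD machine account Azure NetApp Files creates) and two volumes shared as \\<server>\profiles and \\<server>\home; those names are placeholders. The first function runs elevated at image or host build time: it checks the Azure AD join state with dsregcmd, enables the client-side Azure AD Kerberos setting (CloudKerberosTicketRetrievalEnabled) that lets an Azure AD-joined client obtain Kerberos tickets for on-premises AD resources, and writes the FSLogix Profile Container registry values that the local GPO from the .ADMX would otherwise set. The second function runs in the user's session and verifies the "no prompt" path: a Kerberos service ticket for the ANF server must be present, the home folder must map without credentials, and the user's container must be visible on the profiles volume.

```powershell
# Added example (not from the original article). Placeholder names:
#   -AnfServer    SMB server name of the ANF volumes, e.g. anf-1234.contoso.com
#   profiles/home share names of the two ANF volumes described in the article
# Set-AvdSessionHostFslogix: run elevated during host build.
# Test-AnfUserAccess:        run in the logged-on user's session.

function Set-AvdSessionHostFslogix {
    param(
        [Parameter(Mandatory)] [string] $AnfServer,
        [string] $ProfileShare = 'profiles'
    )

    # 1. The host must be Azure AD joined; dsregcmd reports the join state.
    $state = (dsregcmd /status) -join "`n"
    if ($state -notmatch 'AzureAdJoined\s*:\s*YES') {
        throw 'This session host is not Azure AD joined.'
    }
    if ($state -match 'DomainJoined\s*:\s*YES') {
        Write-Warning 'Host is also AD domain joined (hybrid join); this scenario targets pure Azure AD join.'
    }

    # 2. Let the Azure AD-joined client retrieve Kerberos tickets for on-premises
    #    AD resources through Azure AD Kerberos. Without this the client cannot get
    #    an AD ticket for the ANF machine account and the user is typically
    #    prompted for domain credentials instead of the seamless access described.
    $kerb = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    New-ItemProperty -Path $kerb -Name CloudKerberosTicketRetrievalEnabled `
        -PropertyType DWord -Value 1 -Force | Out-Null

    # 3. FSLogix Profile Container settings: the same values the local GPO built
    #    from the .ADMX writes under HKLM\SOFTWARE\FSLogix\Profiles.
    $fsl = 'HKLM:\SOFTWARE\FSLogix\Profiles'
    New-Item -Path $fsl -Force | Out-Null
    $settings = @{
        Enabled                              = @{ Type = 'DWord';       Value = 1 }
        VHDLocations                         = @{ Type = 'MultiString'; Value = @("\\$AnfServer\$ProfileShare") }
        VolumeType                           = @{ Type = 'String';      Value = 'VHDX' }
        FlipFlopProfileDirectoryName         = @{ Type = 'DWord';       Value = 1 }  # per-user folder named %username%%sid%
        DeleteLocalProfileWhenVHDShouldApply = @{ Type = 'DWord';       Value = 1 }  # a stale local profile must not shadow the container
    }
    foreach ($name in $settings.Keys) {
        New-ItemProperty -Path $fsl -Name $name -PropertyType $settings[$name].Type `
            -Value $settings[$name].Value -Force | Out-Null
    }
}

function Test-AnfUserAccess {
    param(
        [Parameter(Mandatory)] [string] $AnfServer,
        [string] $ProfileShare = 'profiles',
        [string] $HomeShare    = 'home',
        [string] $DriveLetter  = 'H'
    )

    # Proof that the prompt-free path works: a Kerberos service ticket for the
    # ANF machine account (cifs/<server>) in this session's ticket cache. If it is
    # missing, VNet DNS or the Azure AD Kerberos setup needs attention.
    klist get "cifs/$AnfServer" | Out-Null
    $cache = (klist) -join "`n"
    if ($cache -notmatch "cifs/$([regex]::Escape($AnfServer))") {
        throw "No Kerberos ticket for cifs/$AnfServer; check VNet DNS and the Azure AD Kerberos configuration."
    }

    # Map the home folder with the logged-on identity and no explicit credentials.
    $homePath = "\\$AnfServer\$HomeShare\$env:USERNAME"
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $homePath -Persist -Scope Global | Out-Null

    # Show the FSLogix container(s) on the profiles volume: the per-user folder
    # should hold the Profile_<user>.vhdx and its metadata.
    Get-ChildItem "\\$AnfServer\$ProfileShare" -Recurse -Include '*.vhdx', '*.vhd' -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

# Usage with the placeholder server name:
# Set-AvdSessionHostFslogix -AnfServer 'anf-1234.contoso.com'   # elevated, at build time
# Test-AnfUserAccess        -AnfServer 'anf-1234.contoso.com'   # in the user's session
```

The ticket check is the useful diagnostic here: if klist shows no cifs/ ticket for the ANF server but the share still opens, the connection has fallen back to a credential prompt or a cached credential rather than the Azure AD Kerberos flow the article relies on, and that is what should be investigated before rolling the host pool out.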
Summary
The integration of Azure AD join, Azure NetApp Files, and FSLogix with AVD session hosts brings numerous benefits to organizations seeking robust virtual desktop solutions. By streamlining user management and authentication, providing high-performance storage, efficient profile management, and bolstering security measures, this combination empowers businesses to deliver seamless, productive, and secure virtual desktop experiences. Embracing these technologies ensures organizations can optimize their AVD environments for enhanced performance, scalability, and cost-effectiveness, driving productivity and empowering the modern remote workforce.
For more information also see Azure NetApp Files | Access SMB volumes from Azure Active Directory joined Windows virtual machines.
Links to Additional Information
- https://learn.microsoft.com/azure/virtual-desktop/overview
- https://learn.microsoft.com/azure/active-directory/devices/concept-azure-ad-join
- https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-introduction
- https://learn.microsoft.com/fslogix/overview-what-is-fslogix
- https://learn.microsoft.com/azure/azure-netapp-files/access-smb-volume-from-windows-client
- https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-solution-architectures#windows-virtual-desktop