Forum Discussion
Assigning permissions when using Azure Files for FSLogix Profiles in WVD
You have me confused with this line:
"But at the VM/domain level, you can only assign permissions to objects with an email address. Microsoft 365 groups have an e-mail address, but Security groups in Azure do not."
How exactly are you going about this?
When you create a Security Group in Azure AD, it will get synced to the AADDS domain. In order to set the permissions at the NTFS level you are supposed to log on to a domain-joined VM, map the File Share using the Access Key and then set the NTFS permissions directly via Windows Explorer. You should be able to use that synced Security Group. The user you are using to do this should have SMB Elevated Contributor on that file share as well.
- David Schrag, Mar 11, 2021, Iron Contributor
YannickJanssens1986 First you map the file share, as you describe, with a command like this:
net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> /user:Azure\<storage-account-name> <storage-account-key>
But then you assign permissions to the drive you just mapped:
icacls <mounted-drive-letter>: /grant <user-email>:(M)
icacls <mounted-drive-letter>: /grant "Creator Owner":(OI)(CI)(IO)(M)
icacls <mounted-drive-letter>: /remove "Authenticated Users"
icacls <mounted-drive-letter>: /remove "Builtin\Users"
The instructions say:
- Replace <user-email> with the UPN of the user or Active Directory group that contains the users that will require access to the share.
What is the UPN of an Active Directory group in AADDS that has been synced from a Security Group in Azure AD? Is it simply the group name? I called my group "WVD Users" and couldn't figure out the right syntax. Just now I had the bright idea to put the group name in quotes, and perhaps it worked this time:
C:\Users\wvdjoinaccount>icacls F: /grant "WVD Users":(M)
processed file: F:
Successfully processed 1 files; Failed processing 0 files
I didn't know about the requirement for the account running these commands to have the SMB Share Elevated Contributor role. Where did you see that?
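The map-then-icacls procedure from the reply above as one script, with a verification step that lists the resulting ACL and fails if any broad principal is still granted access. This is an added example, not code posted by anyone in the thread or by Microsoft; the storage account, share, key and drive letter are placeholders, and the group name "WVD Users" is taken from the thread.

```powershell
# Added example (not from the thread): map an Azure Files share with the storage
# account key, apply the NTFS ACEs discussed above for an FSLogix profile share,
# then verify that no broad grants remain. Replace the placeholder values.
param(
    [string]$StorageAccount = '<storage-account-name>',   # placeholder
    [string]$ShareName      = '<share-name>',             # placeholder
    [string]$StorageKey     = '<storage-account-key>',    # placeholder; supply at run time rather than hard-coding
    [string]$ProfileGroup   = 'WVD Users',                # AADDS-synced security group, as in the thread
    [string]$DriveLetter    = 'F'
)

$ErrorActionPreference = 'Stop'
$unc   = "\\$StorageAccount.file.core.windows.net\$ShareName"
$drive = "${DriveLetter}:"

# 1. Map the share with the storage account key; this mapping is what lets you
#    change the NTFS ACL (a domain user mapping the share cannot, as noted in the thread).
net use $drive $unc "/user:Azure\$StorageAccount" $StorageKey
if ($LASTEXITCODE -ne 0) { throw "net use failed with exit code $LASTEXITCODE" }

# 2. Apply the ACEs from the thread. A group name containing a space must reach
#    icacls as a single argument, e.g. "WVD Users:(M)".
icacls $drive /grant "${ProfileGroup}:(M)"
icacls $drive /grant "Creator Owner:(OI)(CI)(IO)(M)"
icacls $drive /remove "Authenticated Users"
icacls $drive /remove "Builtin\Users"

# 3. Verify: read back the ACL and flag any broad principal left behind.
$acl   = Get-Acl -Path "$drive\"
$broad = $acl.Access | Where-Object {
    $_.IdentityReference.Value -match '^(NT AUTHORITY\\Authenticated Users|BUILTIN\\Users|Everyone)$'
}
if ($broad) {
    $broad | Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
    throw "Broad grants still present on $drive"
}
# Show what users will actually get, including the "applies to" flags.
$acl.Access | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize

# 4. Remove the key-based mapping so the storage key is not left cached on the VM.
net use $drive /delete
```

Run it from an elevated PowerShell session on a domain-joined VM; the ACL listing at the end is the same data File Explorer shows in the Security tab.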
- YannickJanssens1986, Mar 11, 2021, Brass Contributor
I think the MSFT instructions confused you a little bit by mentioning the user-email thing. The command you used seems fine. You can also browse via the explorer to the mapped disk and right-click Properties/Security in order to set permissions that way. May work a little easier.
Disregard what I said about the SMB Elevated Contributor Permissions. When you map via the Access key you get permissions to set NTFS in a different way.
- David Schrag, Mar 18, 2021, Iron Contributor
YannickJanssens1986 My FSLogix profiles still aren't working right. I am seeing event log errors during login that indicate access rights problems connecting to the FSLogix share. So I tried to review and modify the permissions by mapping a drive through File Explorer while logged in as an AADDS domain admin. I can view the permissions but I can't modify them. I get "Failed to enumerate objects in the container." The owner of the mapped drive is shown as SYSTEM. I tried to take ownership, but got the same "failed to enumerate" error. So maybe once the share's permissions are set using the access key they can no longer be modified by a user account through the GUI?
In any case, I'm not sure what the permissions for standard users are supposed to look like. Apart from some duplication of users and groups here, is this right, particularly with respect to the "applies to" column?
Perhaps I should start over with a new share and set the permissions with the GUI instead of the command line, but I don't have guidance for doing it that way.