FSLogix profile container using Azure Files and domain controller step by step

This guide walks an IT administrator through the steps needed to configure an existing Windows Virtual Desktop (WVD) hostpool with profiles stored on an Azure Files storage account. Authentication will be via a domain controller (aka native AD).

The diagram below represents the environment we are starting with:

• Azure subscription tied to Azure AD
• Virtual machine acting as active directory with Azure AD connector synching to Azure AD
• WVD hostpool
• Storage Account (this guide starts with setting up this storage account (SA))

The full guide for setting up Active Directory (AD) authentication over SMB for Azure file shares (AFS) is available here.

Prerequisites

Global administrator on Azure AD is required to be able to assign RBAC permission. Contributors cannot assign permission to other users, as outline here.

Account with Owner permissions on the Azure subscription.

Account that is part of Active Directory (AD). This account needs to be able to sing into VM that is joined to the domain and have permission to create new accounts.

Note: Please note all prerequisites must be met.

There are certain policies that may block creating and using the account that represents the storage account (for example, if maximum password length is set to less than 80 characters the AD will not accept the new account). Such policies need to be disabled for the OU where the AD account representing the storage account is to be created.

Selecting Azure Files tier

Prior to creating a storage account Azure Files tier must be selected. Azure Files offers two different tiers of storage, premium and standard, to allow you to tailor your shares to the performance and price requirements of your scenario:

• Premium file shares: Premium file shares are backed by solid-state drives (SSDs) and are deployed in the FileStorage storage account type. Premium file shares provide consistent high performance and low latency, within single-digit milliseconds for most IO operations, for IO-intensive workloads.
• Standard file shares: Standard file shares are backed by hard disk drives (HDDs) and are deployed in the general-purpose version 2 (GPv2) storage account type. Standard file shares provide reliable performance for IO workloads that are less sensitive to performance variability such as general-purpose file shares and dev/test environments. Standard file shares are only available in a pay-as-you-go billing model.

Depends on the target performance, cost, and regional considerations, you can select the most appropriate performance tier for storing the user profile data. We have included our recommendation based on the performance of the typical remote desktop workloads types.

You can leverage the guidance above and further optimize for your WVD scenario. Detailed information of Azure Files on performance targets (Standard, Premium) and pricing is available to help you further fine tune the file share solution.

Setup storage account

1. Sign into Azure portal
2. In the search box enter Storage account
3. Click +Add and in the Create storage account enter
   1. Create a new resource group
   2. Enter unique storage account name
   3. Location, must be the same location as the WVD Hostpool
   4. Performance standard (as this is a test deployment with less than 200 users)
   5. Account kind – StorageV2
   6. Replication – Read-access geo-redundant (RA-GRS)
4. Click Review + create and the Create once validation has passed

    

Create an Azure file share

1. Once the storage account is deployed, click Go to resource
2. On the Overview screen click File shares
3. Click +File shares and create a new named profile
4. Enter Quota of 30 GB
5. Click Create

Enable AD authentication for your SA

These steps need to be ran from a machine that is already domain joined. In our environment this will be done from the VM running the domain controller.

13. RDP into the domain controller VM
14. Download the AzFilesHybrid module from here
15. Unzip to a local folder
16. Open PowerShell and navigate to the folder from step #3
17. (optional) Set execution policy to Unrestricted via

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

6. Install NuGet via

Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force

7. Import the downloaded PS module AzFilesHybrid

Import-Module -Name .\AzFilesHybrid.psd1

8. Connect to our Azure via PowerShell

Connect-AzAccount

9. Sign in when prompted
10. (optional) If there are multiple Azure subscription select the correct one via

Select-AzSubscription -SubscriptionId <subscription name>

11. Connect the SA with active directory via command below. Replace <rg-name> and <sa-name> with values from section Setup storage account.

Important: the below command supports capability for adding new account to an organization unit via the switches -OrganizationalUnitName and -OrganizationalUnitDistinguishedName. For more details, please visit.

Join-AzStorageAccountForAuth -ResourceGroupName "<rg-name>" `
     -Name "<sa-name>" `
     -DomainAccountType "ComputerAccount" `
     -OrganizationalUnitDistinguishedName "<ou-distinguishedname-here>"

12. Verify the setup is correct

# Grab the storage account info (creates an array)
# $storageaccount = Get-AzStorageAccount `
#    -ResourceGroupName "<resource-group-name>" `
#    -Name "<storage-account-name>"
$storageaccount = Get-AzStorageAccount -ResourceGroupName <RG> -Name <storageacct>

# Verify - List the directory service of the selected service account
$storageAccount.AzureFilesIdentityBasedAuth.DirectoryServiceOptions

# Verify - List the directory domain information if the storage account has enabled AD authentication for file shares
$storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties

13. Navigate to the Azure portal open the storage account that was created, click on Configuration and confirm Azure Directory (AD) is enabled

Assign Azure RBAC permission to storage account

At least one user, likely and administrator will need to be assigned Storage File Data SMB Elevated Contributor. The administrator will be used to assign NTFS permissions on the files share.

For all users that need to have FSLogix profiles stored on the SA assign Storage File Data SMB Share Contributor. It is a best practice to create an AD group for all users that need to have FSLogix profiles.

To assign RBAC permissions:

1. Navigate to the Azure portal
2. Open the storage account created in the Setup storage account section
3. Click Access Control (IAM)
4. Click Add a role assignment
5. In the Add role assignment blade, select Storage File Data SMB Share Elevated Contributor for the administrator account.
6. Click Save

Repeat the above steps for all users that need to have FSLogix profiles but change the role to Storage File Data SMB Share Contributor.

Note: the accounts being used here must be create in the domain controller and synched to Azure AD. Accounts sourced from Azure AD are not appropriate.

Configure NTFS permissions over SMB

Once RBAC permission have been assigned the next step is to configure the NTFS permission. There are two pieces of information we need from Azure portal to complete the NTFS permission:

• UNC path
• SA key

   

Obtaining the UNC path

1. Navigate to the Azure portal
2. Open the storage account created in the Setup storage account section
3. From under Settings select Properties
4. In the following screen locate the Primary File Service Endpoint and copy it to a text editor
5. Modify the URI to become UNC by:
   1. Remove https://
   2. Replace forward slash / with a back slash \
   3. Append name of the file share created in the Create an Azure file share section

For example: \\customdomain.file.core.windows.net\<fileshare-name>

Obtaining SA key

1. Navigate to the Azure portal
2. Open the storage account created in the Setup storage account section
3. From the storage account blade select Access keys
4. Copy key1 or key2 to a local file

    

Configure NTFS permissions

From the VM running the domain controller open the command prompt.

Run command below to mount the Azure files share and assign it a drive letter

net use <desired-drive-letter>: <UNC-pat> <SA-key> /user:Azure\<SA-name>

Use Windows File Explorer to grant full permission to all directories and files under the file share, including the root directory.

1. Open Windows File Explorer and right click on the file/directory and select Properties
2. Click on the Security tab
3. Click on Edit... button to change permissions
4. You can change the permission of existing users, or click on Add... to grant permissions to new users
5. In the prompt window for adding new users, enter the target user name you want to grant permission to in the Enter the object names to select box, and click on Check Names to find the full UPN name of the target user.
6. Click on OK
7. In the Security tab, select all permissions you want to grant to the newly add user. Details on what permissions are optimal for FSLogix is available here.
8. Click on Apply

    

Configure FSLogix on session host VMs

In this section we cover the steps needed to configure a VM with FSLogix. These steps need to be completed on all VMs. There are multiple ways to deploy in bulk and configure FSLogix that do not require work on each individual VM. More information on those available

1. RDP to the session host VM part of the WVD Hostpool
2. Download FSLogix agent from
3. Unzip and execute and run FSlogixAppsSetup.exe
4. Agree with the conditions and click Install
5. Configure profile container registry settings, more details here:
   1. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\FSLogix
   2. Create key Profiles
   3. Create Enabled, DWORD with value of 1
   4. Create VHDLocations, MULTI_SZ
   5. Set the value of VHDLocations to the UNC path generated in the section Obtaining the UNC path
6. Restart the VM

    

Testing

Once the VM has been restarted sign in with a user that has permission on the session host and on the file share.

When the session has been established and start menu is visible:

1. Navigate to the Azure portal
2. Open the storage account created in the Setup storage account section
3. Click on the share create in the Create an Azure file share

Note: For troubleshooting FSLogix please follow the guide here.