Artul2
Copper Contributor
Jun 20, 2025

Need advice on the architecture of a setup

I need a bit of a sanity check on something as I have been reading through documentation and not entirely sure if this is possible.

We have a Microsoft Azure/365 tenant and all of our identities are currently Cloud-only. We recently decommissioned the last of our domain controllers, which used to be hosted in Azure.


There is now a requirement to provide a small AVD environment, 5 users to pilot initially, with the ability to be able to scale up if this is successful. We want to be able to use FSLogix to store user profiles. We want to avoid going back to having a DC in Azure if possible, so considered using Entra ID Domain Services instead. I have since:


  • Deployed an instance of Entra DS - Standard SKU
  • Configured Synchronisation and filtered its scope to a specific Security Group containing only a test account initially.
  • Reset the password on the test account as a prerequisite for password hash sync.
  • Created a pooled Host Pool, added a single SH (W11 24H2 Multisession) and joined it to Entra ID.
  • Created a Premium storage account, provisioned a share, configured identity-based access with Microsoft Entra Domain Services, added the relevant IAM roles to the storage account using the relevant security group.
  • Created a Private Endpoint and DNS zone for access to the storage account.
  • Configured Entra ID SSO using Microsoft Graph explorer, added the correct RDP property.


I got to a point where I can happily sign in to the session host using either the Web or Windows client; I haven't even started configuring FSLogix at this stage. I wanted to make sure I could access the storage account first, so I browse to the UNC path, e.g. storageaccountname.file.core.windows.net, and get prompted for credentials.


When I manually enter credentials (and these are the exact same as I'm using to sign in to the Session Host, e.g. email address removed for privacy reasons / password) I get the expected access, but obviously don't want to be entering these manually.


So I guess my question is: is SSO to a storage account configured to authenticate with Entra DS possible from an Entra ID-joined VM, or would I be better off joining the VM to Entra DS instead?


I think I'm either missing a simple step or designing this in a way that won't work. Any help would be greatly appreciated.
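The checks below are an added example, not part of the original post. They are what I would run on the Entra ID-joined session host, before touching FSLogix, to separate the three things that can produce a credential prompt on the UNC path: private endpoint DNS resolution, SMB reachability on TCP 445, and whether the host can actually obtain a Kerberos service ticket for the storage account. The storage account name and share name are placeholders; all commands are standard Windows/PowerShell tools.

```powershell
# Added example (not from the original post): connectivity and Kerberos checks
# run on the session host. $StorageAccount and 'share' are assumed placeholders.
$StorageAccount = 'storageaccountname'
$Fqdn = "$StorageAccount.file.core.windows.net"

# 1. Private endpoint DNS: with a privatelink zone linked to the VNet the name should
#    resolve to a private address, not to a public Azure IP.
$dns = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop
$addresses = $dns | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
"Resolved $Fqdn -> $($addresses -join ', ')"

# 2. SMB reachability: TCP 445 must be open from the host pool subnet to the endpoint.
$tnc = Test-NetConnection -ComputerName $Fqdn -Port 445
if (-not $tnc.TcpTestSucceeded) {
    throw "TCP 445 to $Fqdn failed; check the NSG and the private endpoint"
}

# 3. Join state: an Entra ID-joined host reports AzureAdJoined : YES / DomainJoined : NO,
#    an Entra DS-joined host reports DomainJoined : YES. A share that authenticates
#    against Entra DS is served Kerberos tickets by the Entra DS domain controllers,
#    so the host needs a path to that KDC.
dsregcmd /status | Select-String 'AzureAdJoined|DomainJoined|DomainName'

# 4. Request a CIFS service ticket for the storage account SPN and show whether the
#    ticket cache now holds one. A failure here, rather than at steps 1-2, means the
#    prompt is an authentication problem and not a network problem.
klist get "cifs/$Fqdn"
klist | Select-String "cifs/$Fqdn"

# 5. Only once a ticket is present: confirm the share opens without typed credentials.
Test-Path "\\$Fqdn\share"
```

Run the script in an elevated PowerShell session as the test user who is in the synchronised security group; step 4 is the one that tells you whether the SSO path exists at all, and step 5 should only succeed silently after it does.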

2 Replies

  • Below is the suggestion:


    1. Join session hosts to Entra DS (not Entra ID):
      • Required for Kerberos-based SSO to Azure Files.
      • Ensures automatic ticket issuance for file share access.
    2. Keep Entra DS synchronization:
      • Maintain Cloud-only identities synced to Entra DS (as you've configured).
      • Verify password hash sync is active for test accounts.
    3. FSLogix Configuration:
      • Set VHDLocations to your Azure Files UNC path (e.g., \\storageaccount.file.core.windows.net\share).
      • Use group policies or registry keys to deploy FSLogix settings across Entra DS-joined hosts.
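The following script is an added example, not code from the reply or from FSLogix. It implements step 3 of the suggestion by the registry route the reply mentions: it writes the FSLogix Profile Container values under HKLM:\SOFTWARE\FSLogix\Profiles, with VHDLocations pointing at the Azure Files UNC path, and reads them back. The storage account and share names are placeholders; the value names are FSLogix's documented Profile Container settings, and the script checks that the share is reachable before enabling the container so a host is not left with profiles enabled against a path it cannot open.

```powershell
# Added example (not from the reply or from FSLogix): per-host FSLogix Profile
# Container configuration via the registry. Run elevated on each session host.
# The UNC path is a placeholder; replace with the real storage account and share.
$ShareUnc    = '\\storageaccount.file.core.windows.net\share'
$ProfilesKey = 'HKLM:\SOFTWARE\FSLogix\Profiles'

# Refuse to enable the container if the host cannot open the share; otherwise every
# sign-in would fall back to a local profile (or fail, depending on PreventLoginWithFailure).
if (-not (Test-Path -Path $ShareUnc)) {
    throw "Cannot reach $ShareUnc from this host; fix share access before enabling FSLogix"
}

if (-not (Test-Path -Path $ProfilesKey)) {
    New-Item -Path $ProfilesKey -Force | Out-Null
}

# Documented FSLogix Profile Container values (names are FSLogix's own).
$settings = [ordered]@{
    Enabled                              = 1           # turn Profile Container on
    VHDLocations                         = $ShareUnc   # UNC path to the profile share
    VolumeType                           = 'VHDX'
    IsDynamic                            = 1           # dynamically expanding disk
    SizeInMBs                            = 30000       # maximum profile size
    FlipFlopProfileDirectoryName         = 1           # folder named %username%_%sid%
    DeleteLocalProfileWhenVHDShouldApply = 1           # remove stale local profiles
    LockedRetryCount                     = 3
    LockedRetryInterval                  = 15
    ReAttachIntervalSeconds              = 15
    ReAttachRetryCount                   = 3
}

foreach ($name in $settings.Keys) {
    $value = $settings[$name]
    # String values become REG_SZ, numeric values become REG_DWORD.
    $type = if ($value -is [string]) { 'String' } else { 'DWord' }
    New-ItemProperty -Path $ProfilesKey -Name $name -Value $value -PropertyType $type -Force | Out-Null
}

# Read back what was written so the result can be verified or logged.
Get-ItemProperty -Path $ProfilesKey |
    Select-Object Enabled, VHDLocations, VolumeType, IsDynamic, SizeInMBs, FlipFlopProfileDirectoryName
```

On an Entra DS-joined host the same values can be delivered through the FSLogix ADMX templates in Group Policy instead; the registry script is the option that does not depend on GPO processing, which is why it is the one shown here.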
    • Artul2
      Copper Contributor

      Thank you for replying.


      I later realised Entra DS-joined VMs cannot be Intune enrolled, which is a huge drawback for us.


      I came across the Nerdio script to map the storage account using the Access Key, which doesn't look too bad, but the next hurdle I am faced with is the inability to natively push a user logon script through Intune. Looking online there are a few workarounds, but I don't love any of them, to be honest.


      Has anyone come across a good way of achieving this before I bite the bullet and spin up a VM and install AD DS + Entra Connect Sync?