Forum Discussion
Artul2
Jun 20, 2025 · Copper Contributor
Need advice on the architecture of a setup
I need a bit of a sanity check on something as I have been reading through documentation and not entirely sure if this is possible. We have a Microsoft Azure/365 tenant and all of our identities a...
Kidd_Ip
Jun 20, 2025 · MVP
Below is the suggestion:
- Join session hosts to Entra DS (not Entra ID):
  - Required for Kerberos-based SSO to Azure Files.
  - Ensures automatic ticket issuance for file share access.
- Keep Entra DS synchronization:
  - Maintain Cloud-only identities synced to Entra DS (as you've configured).
  - Verify password hash sync is active for test accounts.
- FSLogix Configuration:
  - Set VHDLocations to your Azure Files UNC path (e.g., \\storageaccount.file.core.windows.net\share).
  - Use group policies or registry keys to deploy FSLogix settings across Entra DS-joined hosts.
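
Added example, not part of Kidd_Ip's reply: a PowerShell sketch of the registry-key route for one session host, with pre-checks for domain join and SMB reachability and a Kerberos ticket request for the share. The storage account and share names are the placeholders from the sample UNC path above; the `Enabled` value and the order of the checks are assumptions of this example.

```powershell
# Added example. Run elevated on a session host; names below are placeholders.
$StorageHost = 'storageaccount.file.core.windows.net'   # placeholder from the sample UNC
$Share       = 'share'                                   # placeholder share name
$Unc         = "\\$StorageHost\$Share"
$Key         = 'HKLM:\SOFTWARE\FSLogix\Profiles'

# 1. Kerberos to Azure Files needs a domain-joined host (Entra ID-only join reports False).
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "Host is not joined to a domain; Kerberos SSO to $Unc will not work."
}
Write-Host "Joined to domain: $($cs.Domain)"

# 2. SMB (TCP 445) must be reachable before FSLogix can attach a profile container.
$net = Test-NetConnection -ComputerName $StorageHost -Port 445 -WarningAction SilentlyContinue
if (-not $net.TcpTestSucceeded) {
    throw "TCP 445 to $StorageHost is blocked; fix networking before configuring FSLogix."
}

# 3. Write the FSLogix profile container settings (same values a GPO would set).
if (-not (Test-Path -Path $Key)) {
    New-Item -Path $Key -Force | Out-Null
}
New-ItemProperty -Path $Key -Name 'Enabled' -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $Key -Name 'VHDLocations' -PropertyType MultiString -Value @($Unc) -Force | Out-Null

# 4. Read the values back so a wrong path is caught now, not at first user logon.
$cfg = Get-ItemProperty -Path $Key
Write-Host "Enabled      : $($cfg.Enabled)"
Write-Host "VHDLocations : $($cfg.VHDLocations -join '; ')"

# 5. Request a service ticket for the file share. This uses the current logon
#    session, so repeat it as a test user to confirm that user gets a ticket
#    without a password prompt or a storage account key.
klist get "cifs/$StorageHost"
```

If step 5 returns a ticket for a test user, the share is reachable over Kerberos without distributing the storage account key to session hosts.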
Artul2
Jun 23, 2025 · Copper Contributor
Thank you for replying.
I later realised Entra DS joined VMs cannot be Intune enrolled, which is a huge drawback for us.
I came across the Nerdio script to map the storage account using the Access Key, which doesn't look too bad, but the next hurdle I am faced with is the inability to natively push a user logon script through Intune. Looking online, there are a few workarounds, but I don't love any of them, to be honest.
Has anyone come across a good way of achieving this before I bite the bullet and spin up a VM and install AD DS + Entra Connect Sync?