Azure Virtual Desktop Blog

Announcing general availability of FSLogix profiles for Azure AD-joined VMs in Azure Virtual Desktop

DavidBelanger
Microsoft
Nov 08, 2022

Today we're announcing the general availability of using FSLogix profiles with Azure Active Directory (AD)-joined VMs for hybrid users in Azure Virtual Desktop. By leveraging Azure AD Kerberos with Azure Files, you can seamlessly access file shares from Azure AD-joined VMs and use them to store your FSLogix profile containers. With this release, you will have the ability to:

  • Configure an Azure Files share with Azure AD Kerberos using a single checkbox
  • Configure Azure AD-joined Session Hosts with Azure AD Kerberos
  • Store FSLogix profile containers in Azure Files shares with Azure AD Kerberos
  • Configure access permissions for hybrid users managed in Active Directory
  • Remove the need for network line-of-sight from the session host to the domain controller

Azure AD Kerberos option for Azure Files in the Azure Portal.

Getting started

This new functionality is available on Windows 10, Windows 11 and Windows Server 2022 session hosts.

  • To get started with FSLogix on Azure AD-joined VMs, follow the instructions in Create a profile container with Azure Files and Azure Active Directory.
  • For a demo of configuring Azure Files with Azure AD Kerberos and an overview of Azure storage options, watch the Shared storage for all enterprise file-workloads Ignite on-demand session.

Updated Nov 10, 2022
Version 2.0

8 Comments

  • OSuperfly68
    Copper Contributor

    Hi Andrew,

    thanks for posting that question.

    It would be interesting if Microsoft would add support for cloud-only accounts in the future.

    As stated here https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable?tabs=azure-portal#prerequisites:

    "This feature doesn't currently support user accounts that you create and manage solely in Azure AD. User accounts must be https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-hybrid-identity, which means you'll also need AD DS and either https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect or https://learn.microsoft.com/en-us/azure/active-directory/cloud-sync/what-is-cloud-sync

    In the meanwhile we use MarcelMeurer's nice Hydra-based workaround:

    https://blog.itprocloud.de/Using-FSLogix-file-shares-with-Azure-AD-cloud-identities-in-Azure-Virtual-Desktop-AVD/

    Oliver.

  • Andrew_Woo
    Iron Contributor

    We only have Azure AD, no DS, no Hybrid.

    Can FSLogix be used?

  • fb_2020
    Copper Contributor

    DavidBelanger is there any news on availability of this feature for fully cloud AADS/Azure AD clients?

    Seems a bit ridiculous that these features are not available to clients who have moved fully to the cloud.

  • DavidBelanger, is there any news/roadmap on when this will be launched for customers using AADDS/Azure AD?

    I struggle to find any information regarding this on the Azure roadmap.

  • When AVD session hosts are AD DS joined, you can also configure per-user or per-group FSLogix profile containers (https://learn.microsoft.com/en-us/fslogix/configure-per-user-per-group-ht). This functionality requires a user or group SID to configure.

    Do per-user/per-group FSLogix profile containers work with Azure AD-joined session hosts? If yes, how do you specify the Azure AD user or group to which the per-user/per-group profile container configuration applies?

    Slavko

  • KeenanW
    Copper Contributor

    MagicHair, the article is regarding Azure Virtual Desktop, so Windows 10 & 11 refer to the Enterprise edition.

    DavidBelanger, thank you for the article. I have successfully deployed this.

    In case anyone else runs into an issue where your Elevated Contributor account has access to the share but cannot change permissions: check that the user in the Elevated Contributor role is not also a member of the Contributor group/role because, from my testing, it appears the mount will respect the lesser of the two permissions for the root of the share specifically.

    This means that both icacls and Explorer will be unable to modify the root permissions should the admin user be a member of both the Elevated Contributor role group and the Contributor role group.

    To allow changing the root share permissions, remove the user from the standard Contributor role group, and you'll be able to run something similar to the following:

    icacls \\yourfs.file.core.windows.net\profiles /grant fslogix-group:(M)
    icacls \\yourfs.file.core.windows.net\profiles /grant "Creator Owner:(OI)(CI)(IO)(M)"
    icacls \\yourfs.file.core.windows.net\profiles /remove "Authenticated Users"
    icacls \\yourfs.file.core.windows.net\profiles /remove "Builtin\Users"

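The icacls sequence in the comment above grants the profile group Modify on the share root only, gives CREATOR OWNER inherit-only Modify on subfolders and files, and strips the broad built-in principals. The following PowerShell is an added example, not code from the post, from Microsoft or from the FSLogix project: it reads the root ACL of a profile share with Get-Acl and reports any deviation from that layout, so a drift (a re-added Authenticated Users entry, or a group ACE that started inheriting) is caught before users can read each other's profile containers. The share path `\\yourfs.file.core.windows.net\profiles` and the group name `fslogix-group` are placeholders taken from the comment; replace them with your own values.

```powershell
# Added example (not from the post, Microsoft or FSLogix): audit the NTFS ACL on
# the root of an FSLogix profile share against the layout the icacls commands
# in the comment produce. Share path and group name are placeholders.

using namespace System.Security.AccessControl
using namespace System.Security.Principal

function Get-FSLogixAclFindings {
    [CmdletBinding()]
    param(
        # ACL object as returned by Get-Acl on the share root
        [Parameter(Mandatory)][FileSystemSecurity]$Acl,
        # Group that should hold Modify on the root folder only (placeholder name)
        [Parameter(Mandatory)][string]$ProfileGroup
    )

    $findings = [System.Collections.Generic.List[string]]::new()
    # Explicit and inherited ACEs, resolved to account names where possible.
    # Assumption: group SIDs resolve to names on this host; an ACE whose SID does
    # not resolve shows up as a raw SID string and is skipped by the name checks.
    $rules = $Acl.GetAccessRules($true, $true, [NTAccount])

    # 1. Broad built-in principals must be gone from the root. A leftover entry
    #    lets every signed-in user enumerate, and usually create, profile folders.
    foreach ($broad in @('NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')) {
        if ($rules | Where-Object { $_.IdentityReference.Value -eq $broad }) {
            $findings.Add("Broad principal still present on share root: $broad")
        }
    }

    # 2. The profile group needs Modify on this folder only, i.e. no (OI)/(CI).
    #    If the ACE inherited, every user could open every other user's VHD.
    $groupRules = $rules | Where-Object {
        $_.IdentityReference.Value -eq $ProfileGroup -or
        $_.IdentityReference.Value -like "*\$ProfileGroup"
    }
    if (-not $groupRules) {
        $findings.Add("No ACE for profile group '$ProfileGroup' on the share root")
    } elseif ($groupRules | Where-Object { $_.InheritanceFlags -ne [InheritanceFlags]::None }) {
        $findings.Add("ACE for '$ProfileGroup' inherits to children; expected 'This folder only'")
    }

    # 3. CREATOR OWNER must be Modify on subfolders and files only: (OI)(CI)(IO)(M).
    #    That is what lets a user write into the profile folder they create
    #    without being granted anything on the root itself.
    $modify = [FileSystemRights]::Modify
    $creatorOwner = $rules | Where-Object { $_.IdentityReference.Value -eq 'CREATOR OWNER' }
    $creatorOwnerOk = $creatorOwner | Where-Object {
        $_.InheritanceFlags.HasFlag([InheritanceFlags]::ContainerInherit) -and
        $_.InheritanceFlags.HasFlag([InheritanceFlags]::ObjectInherit) -and
        $_.PropagationFlags.HasFlag([PropagationFlags]::InheritOnly) -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    }
    if (-not $creatorOwnerOk) {
        $findings.Add("CREATOR OWNER ACE missing or not Modify with (OI)(CI)(IO)")
    }

    return $findings
}

function Test-FSLogixShareAcl {
    param(
        # Placeholder share path from the comment; use your own storage account
        [string]$SharePath = '\\yourfs.file.core.windows.net\profiles',
        # Placeholder group name from the comment
        [string]$ProfileGroup = 'fslogix-group'
    )
    $acl = Get-Acl -Path $SharePath
    $findings = Get-FSLogixAclFindings -Acl $acl -ProfileGroup $ProfileGroup
    if ($findings.Count -eq 0) {
        Write-Host "OK: root ACL of $SharePath matches the expected FSLogix layout"
    } else {
        $findings | ForEach-Object { Write-Host "WARN: $_" }
    }
    return $findings
}

# Run from a session host that reaches the share over Azure AD Kerberos, as an
# account allowed to read the share's NTFS permissions.
Test-FSLogixShareAcl
```

Because Get-FSLogixAclFindings takes the ACL object rather than a path, it can be pointed at any DirectorySecurity object, including one built in a test, and the checks do not require the elevated rights needed to change the permissions, only to read them. Subfolder permissions are deliberately not inspected: once the root is right, each user's folder is created by that user and picks up the CREATOR OWNER entry, which is the property the root check guarantees.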

  • MagicHair
    Brass Contributor

    DavidBelanger, can you clarify the licensing please? You say in this article Win 10 & 11 is supported.

    You also confirm the same in the comments here

    https://techcommunity.microsoft.com/t5/azure-storage-blog/general-availability-azure-active-directory-kerberos-with-azure/ba-p/3612111

    The pre-reqs here say that Windows Enterprise is required

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-azure-active-directory-enable?tabs=azure-portal#prerequisites

    And this seems to suggest Enterprise is required too

    https://learn.microsoft.com/en-us/answers/questions/1031080/authentication-issues-using-aad-kerberos-for-azure.html

    I am confused.