Assigning permissions when using Azure Files for FSLogix Profiles in WVD

%3CLINGO-SUB%20id%3D%22lingo-sub-2193618%22%20slang%3D%22en-US%22%3EAssigning%20permissions%20when%20using%20Azure%20Files%20for%20FSLogix%20Profiles%20in%20WVD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2193618%22%20slang%3D%22en-US%22%3E%3CP%3EMy%20goal%20is%20to%20use%20a%20share%20in%20Azure%20Files%20to%20house%20the%20FSLogix%20profiles%20for%20users%20in%20a%20Windows%20Virtual%20Desktop%20(WVD)%20environment%20that%20is%20part%20of%20an%20Azure%20Active%20Directory%20Domain%20Services%20(AADDS)%20domain.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20following%20instructions%20at%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Fcreate-profile-container-adds%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Fcreate-profile-container-adds%3C%2FA%3E.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20are%20two%20places%20to%20set%20permissions%20to%20the%20fileshare%20--%20within%20the%20Azure%20portal%20and%20at%20the%20virtual%20machine%20level.%20In%20the%20Azure%20portal%2C%20you%20assign%20permissions%20to%20an%20Azure%20AD%20identity.%20At%20the%20VM%20level%2C%20you%20assign%20permissions%20to%20an%20Active%20Directory%20object%20that%20exists%20within%20the%20AADDS%20domain.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you%20want%20to%20assign%20these%20permissions%20at%20the%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CEM%3Euser%3C%2FEM%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Elevel%2C%20there%20doesn't%20seem%20to%20be%20a%20problem.%20But%20I%20want%20to%20assign%20permissions%20at%20a%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CEM%3Egroup%3C%2FEM%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Elevel%2C%20and%20I'm%20getting%20stuck.%20As%20far%20as%20I%20can%20tell%2C%20in%20the%20Azure%20portal%20you%20can%20only%20assign%20permissions%20to%20Security%20groups%2C%20not%20to%20Microsoft%20365%20groups.%20(When%20I%20go%20to%20the%20Role%20Assignments%20page%20and%20click%20Add%2C%20my%20Microsoft%20365%20groups%20do%20not%20appear.)%20But%20at%20the%20VM%2Fdomain%20level%2C%20you%20can%20only%20assign%20permissions%20to%20objects%20with%20an%20email%20address.%20Microsoft%20365%20groups%20have%20an%20e-mail%20address%2C%20but%20Security%20groups%20in%20Azure%20do%20not.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20this%20mean%20we%20have%20to%20maintain%20two%20groups%20for%20each%20set%20of%20WVD%20users%20with%20FSLogix%20profiles%20--%20a%20matching%20pair%20of%20M365%20and%20Security%20groups%20with%20the%20same%20membership%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2193618%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Files%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Efslogix%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2203006%22%20slang%3D%22en-US%22%3ERe%3A%20Assigning%20permissions%20when%20using%20Azure%20Files%20for%20FSLogix%20Profiles%20in%20WVD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2203006%22%20slang%3D%22en-US%22%3EHi%20David%2C%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20have%20me%20a%20confused%20with%20this%20line%3A%3CBR%20%2F%3E%22But%20at%20the%20VM%2Fdomain%20level%2C%20you%20can%20only%20assign%20permissions%20to%20objects%20with%20an%20email%20address.%20Microsoft%20365%20groups%20have%20an%20e-mail%20address%2C%20but%20Security%20groups%20in%20Azure%20do%20not.%22%3CBR%20%2F%3E%3CBR%20%2F%3EHow%20exactly%20are%20you%20going%20about%20this%3F%3CBR%20%2F%3E%3CBR%20%2F%3EWhen%20you%20create%20a%20Security%20Group%20on%20AzureAD%3B%20it%20will%20get%20synced%20to%20the%20AADDS%20domain.%20In%20order%20to%20set%20the%20permissions%20on%20the%20NTFS%20level%20you%20are%20supposed%20to%20log%20on%20to%20a%20domain-joined%20VM%2C%20map%20the%20File%20Share%20using%20the%20Access%20Key%20and%20then%20you%20set%20the%20NTFS%20permissions%20directly%20via%20Windows%20Explorer.%20You%20should%20be%20able%20to%20use%20that%20Synced%20Security%20Group.%20The%20user%20you%20are%20using%20to%20do%20this%20should%20have%20SMB%20Elevated%20Contributor%20on%20that%20file-share%20as%20well%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E
Contributor

My goal is to use a share in Azure Files to house the FSLogix profiles for users in a Windows Virtual Desktop (WVD) environment that is part of an Azure Active Directory Domain Services (AADDS) domain.

 

I am following instructions at https://docs.microsoft.com/en-us/azure/virtual-desktop/create-profile-container-adds.

 

There are two places to set permissions to the fileshare -- within the Azure portal and at the virtual machine level. In the Azure portal, you assign permissions to an Azure AD identity. At the VM level, you assign permissions to an Active Directory object that exists within the AADDS domain.

 

If you want to assign these permissions at the user level, there doesn't seem to be a problem. But I want to assign permissions at a group level, and I'm getting stuck. As far as I can tell, in the Azure portal you can only assign permissions to Security groups, not to Microsoft 365 groups. (When I go to the Role Assignments page and click Add, my Microsoft 365 groups do not appear.) But at the VM/domain level, you can only assign permissions to objects with an email address. Microsoft 365 groups have an e-mail address, but Security groups in Azure do not.

 

Does this mean we have to maintain two groups for each set of WVD users with FSLogix profiles -- a matching pair of M365 and Security groups with the same membership?

9 Replies
Hi David,

You have me a confused with this line:
"But at the VM/domain level, you can only assign permissions to objects with an email address. Microsoft 365 groups have an e-mail address, but Security groups in Azure do not."

How exactly are you going about this?

When you create a Security Group on AzureAD; it will get synced to the AADDS domain. In order to set the permissions on the NTFS level you are supposed to log on to a domain-joined VM, map the File Share using the Access Key and then you set the NTFS permissions directly via Windows Explorer. You should be able to use that Synced Security Group. The user you are using to do this should have SMB Elevated Contributor on that file-share as well



@YannickJanssens1986 First you map the file share, as you describe, with a command like this:

net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> /user:Azure\<storage-account-name> <storage-account-key>

 

But then you assign permissions to the drive you just mapped:

icacls <mounted-drive-letter>: /grant <user-email>:(M)
icacls <mounted-drive-letter>: /grant "Creator Owner":(OI)(CI)(IO)(M)
icacls <mounted-drive-letter>: /remove "Authenticated Users"
icacls <mounted-drive-letter>: /remove "Builtin\Users"

 

The instructions say:

  • Replace <user-email> with the UPN of the user or Active Directory group that contains the users that will require access to the share.

What is the UPN of an Active Directory group in AADDS that has been synced from a Security Group in Azure AD? Is it simply the group name? I called my group "WVD Users" and couldn't figure out the right syntax. Just now I had the bright idea to put the group name in quotes, and perhaps it worked this time:

C:\Users\wvdjoinaccount>icacls F: /grant "WVD Users":(M)
processed file: F:
Successfully processed 1 files; Failed processing 0 files

 I didn't know about the requirement for the account running these commands to have the SMB Share Elevated Contributor role. Where did you see that?

I think the MSFT instuctions confused you a little bit by mentioning the user-email thing. The command you used seems fine. You can also browse via the explorer to the mapped disk and right-click Properties/Securty in order to set permissions that way. May work a little easier.

Disregard what I said about the SMB Elevated Contributor Permissions. When you Map via the Access key you get permissions to set NTFS in a different way.

@YannickJanssens1986 My FSLogix profiles still aren't working right. I am seeing event log errors during login that indicated access rights problems connecting to the FSLogix share. So I tried to review and modify the permissions by mapping a drive through file explorer while logged in as an AADDS domain admin. I can view the permissions but I can't modify them. I get "Failed to enumerate objects in the container." The owner of the mapped drive is shown as SYSTEM. I tried to take ownership, but got the same "failed to enumerate" error. So maybe once the share's permissions are set using the access key they can no longer be modified by a user account through the GUI?

 

In any case, I'm not sure what the permissions for standard users are supposed to look like. Apart from some duplication of users and groups here, is this right, particularly with respect to the "applies to" column?

FSLogix share permissions.png

Perhaps I should start over with a new share and set the permissions with the GUI instead of the command line, but I don't have guidance for doing it that way.

Your user needs to have SMB Elevated Contributor RBAC role on the share if you want to change permissions or connect using the Access key (you'll operate under SYSTEM then).

Does the group WVD Users have SMB Contributor RBAC role on the share?

Try verifying access before logging on through WVD. Try running Powershell as one of those users (via 'Run as Different User' context menu option) and then mapping the drive like 'New-PSDrive -Name Z -PSProvider FileSystem -Root "\\xxx.file.core.windows.net\share" -Persist'





I assigned permissions at the storage account level and they are inherited down to the share. Is that OK? My WVD Users group has SMB Share Contributor permissions, and my AAD DC Administrators group has SMB Share Elevated Contributor permissions. The wvdsetup account, which I was using to produce the screen shot in the last post and which is unable to adjust permissions, is a member of AAD DC Administrators and WVD Users.

I had no problem creating folders or text files on the share as a member of WVD Users once I logged in, so at some basic level the permissions are working OK. But profile creation isn't working. I was thinking perhaps that the problem was because the Modify rights to the share were "This folder only," instead of "This folder, subfolders, and files." That's what I was going to test if I had been able to change the permissions on the share, but I wasn't able to while using the wvdsetup account and File Explorer. But according to https://docs.microsoft.com/en-us/fslogix/fslogix-storage-config-ht?WT.mc_id=Portal-Microsoft_Azure_S..., the way it's set now should be fine.

I don't actually have a mechanism for anyone to log in other than WVD. I have no other VMs in Azure.
I think I might have found the problem. To make sure I got the name right, I had been copying \\xxx.file.core.windows.net\share from one screen on my computer into various places in the WVD environment. I think I had been copying and pasting a hidden character as part of that process. In group policy, I rewrote the profile container location by hand, and it seems to be working better. More testing needed, but this looks promising.

Confirmed -- one or more hidden special characters were preventing the GPO from executing properly on login.

Glad to see you got it working!