Apr 15 2020 04:32 PM - edited Apr 15 2020 10:56 PM
This guide walks an IT administrator through the steps needed to configure an existing Windows Virtual Desktop (WVD) host pool with FSLogix profiles stored on an Azure Files storage account. Authentication to the file share is done by the on-premises domain controller (native Active Directory Domain Services), not by Azure AD or Azure AD DS.
The diagram below represents the environment we are starting with:
The full guide for setting up Active Directory (AD) authentication over SMB for Azure file shares (AFS) is available here.
An account that can assign Azure RBAC roles on the storage account: Owner or User Access Administrator on the subscription, resource group or storage account. Contributor cannot assign roles to other users, as outlined here. Global Administrator on Azure AD is not required for this step.
Account with Owner permissions on the Azure subscription.
Account that is part of Active Directory (AD). This account needs to be able to sign in to a VM that is joined to the domain and must have permission to create computer accounts in the target organizational unit (the module creates an AD object that represents the storage account).
Note: all prerequisites must be met before continuing.
Certain AD policies may block creating or using the account that represents the storage account (for example, if the maximum password length is set to less than 80 characters, AD will not accept the new account). Such policies need to be disabled for the OU where the AD account representing the storage account is created. Treat this object like a service account: its password is the storage account's Kerberos key, so if that key is rotated the AD object's password must be updated as well (the AzFilesHybrid module provides Update-AzStorageAccountADObjectPassword for this).
Prior to creating a storage account, an Azure Files tier must be selected. Azure Files offers two tiers of storage, premium and standard, so you can tailor your shares to the performance and price requirements of your scenario.
Depending on the target performance, cost and regional considerations, select the most appropriate tier for storing the user profile data. The table below gives our recommendation based on the performance of the typical remote desktop workload types.
File Tiers

Workload type | Recommended Azure Files tier
Light | Fewer than 200 concurrent active users: Standard file shares. More than 200 concurrent active users: Premium file shares (you may also use multiple Standard file shares if you are scaling up from existing Standard shares or want to manage scale-out for cost efficiency).
Medium | Premium file shares
Heavy | Premium file shares
Power | Premium file shares
You can use the guidance above and further optimize for your WVD scenario. Detailed information on Azure Files performance targets (Standard, Premium) and pricing is available to help you fine tune the file share solution.
These steps need to be run from a machine that is already domain joined and has the Active Directory PowerShell module (RSAT) installed, because the AzFilesHybrid module creates the AD object on your behalf. In our environment this is done from the VM running the domain controller.
# Allow the downloaded (unsigned) AzFilesHybrid module to be imported; scoped to the current user only
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
# Run from the folder where the AzFilesHybrid release was unzipped
Import-Module -Name .\AzFilesHybrid.psd1
Connect-AzAccount
# -SubscriptionId expects the subscription GUID, not its display name
Select-AzSubscription -SubscriptionId "<subscription-id>"
Important: the command below can place the new AD object in a specific organizational unit via the switches -OrganizationalUnitName or -OrganizationalUnitDistinguishedName. For more details, see the full guide linked above.
Join-AzStorageAccountForAuth -ResourceGroupName "<rg-name>" `
-Name "<sa-name>" `
-DomainAccountType "ComputerAccount" `
-OrganizationalUnitDistinguishedName "<ou-distinguishedname-here>"
# Grab the storage account object
$storageAccount = Get-AzStorageAccount -ResourceGroupName "<rg-name>" -Name "<sa-name>"
# Verify - the directory service used for identity-based auth; expect "AD" once the join succeeded
$storageAccount.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
# Verify - the domain information recorded when AD authentication was enabled for file shares
$storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties
At least one user, typically an administrator, needs to be assigned Storage File Data SMB Share Elevated Contributor. This administrator will be used to assign NTFS permissions on the file share.
For all users that need to have FSLogix profiles stored on the storage account, assign Storage File Data SMB Share Contributor. It is a best practice to create an AD group for all users that need FSLogix profiles and assign the role to the group rather than to individual users.
To assign RBAC permissions:
Repeat the above steps for all users that need to have FSLogix profiles but change the role to Storage File Data SMB Share Contributor.
Note: the accounts and groups used here must be created in on-premises AD and synchronized to Azure AD (for example with Azure AD Connect). Cloud-only accounts sourced from Azure AD cannot authenticate to the share over Kerberos and are not appropriate.
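The same role assignments can be made from Azure PowerShell instead of the portal, which is easier to repeat and to review. The following is an added example, not code from the original post; the group names are assumptions, and the scope string targets a single file share rather than the whole storage account so that users of one share gain nothing on other shares.

```powershell
# Added example (not from the original post): assign the two SMB data-plane roles at file-share scope.
# Placeholders in angle brackets and the two group names are assumptions.
$rg    = "<rg-name>"
$sa    = "<sa-name>"
$share = "<fileshare-name>"
$subId = (Get-AzContext).Subscription.Id

# Share-level scope: RBAC granted here does not leak to other shares in the same storage account
$scope = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/$sa/fileServices/default/fileshares/$share"

# AD groups synchronized to Azure AD (assumed names); cloud-only groups would not work for Kerberos auth
$admins = Get-AzADGroup -DisplayName "FSLogix-Profile-Admins"
$users  = Get-AzADGroup -DisplayName "FSLogix-Profile-Users"

# Elevated Contributor (can change NTFS ACLs) only for the admin group
New-AzRoleAssignment -ObjectId $admins.Id -RoleDefinitionName "Storage File Data SMB Share Elevated Contributor" -Scope $scope
# Plain Contributor (read/write/delete within the NTFS ACL) for profile users
New-AzRoleAssignment -ObjectId $users.Id  -RoleDefinitionName "Storage File Data SMB Share Contributor" -Scope $scope

# Verify: only the two expected principals should appear at this scope
Get-AzRoleAssignment -Scope $scope | Select-Object DisplayName, RoleDefinitionName, Scope
```

Note that RBAC is only the share-level gate: a user holding Storage File Data SMB Share Contributor still needs matching NTFS permissions on the directories, which is what the next section configures.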
Once the RBAC roles have been assigned, the next step is to configure the NTFS permissions. Two pieces of information from the Azure portal are needed for this:
the UNC path of the file share, for example \\<sa-name>.file.core.windows.net\<fileshare-name>, and one of the storage account access keys.
From the VM running the domain controller (or any domain-joined VM with outbound TCP 445 to the storage account) open a command prompt.
Run the command below to mount the Azure file share on a drive letter. The storage account key is a superuser credential that bypasses both RBAC and NTFS checks, so use it only for this one-off task, do not make the mapping persistent, and delete the mapping when you are done:
net use <desired-drive-letter>: <UNC-path> <SA-key> /user:Azure\<SA-name> /persistent:no
Use Windows File Explorer (or icacls) to set the NTFS permissions on the root of the file share. Do not grant all users Full Control on the root: a user could then open other users' profile containers. Grant SYSTEM Full Control on the folder, subfolders and files; Administrators Full Control on the root folder only; CREATOR OWNER Full Control on subfolders and files only; and the FSLogix users group only List folder / read data and Create folders / append data on the root folder itself, so each user can create their own profile folder and becomes its owner.
In this section we cover the steps needed to configure a VM with FSLogix. These steps need to be completed on every session host. There are multiple ways to deploy FSLogix in bulk and configure it that do not require work on each individual VM. More information on those deployment methods is available.
Once the VM has been restarted, sign in with a user that has been assigned the session host and that holds the file share role.
When the session has been established and start menu is visible:
Note: For troubleshooting FSLogix please follow the guide here.
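The FSLogix settings themselves live under HKLM\SOFTWARE\FSLogix\Profiles. The following is an added example, not code from the original post, that applies the minimum profile-container settings on a session host and first checks that the host can reach the share with Kerberos; the storage account, share name and the optional settings chosen here are assumptions.

```powershell
# Added example (not from the original post): check share reachability, then configure FSLogix.
# <sa-name>, <fileshare-name> and the optional FSLogix values below are assumptions.
$saFqdn      = "<sa-name>.file.core.windows.net"
$vhdLocation = "\\$saFqdn\<fileshare-name>"
$fsl         = "HKLM:\SOFTWARE\FSLogix\Profiles"

# 1. Connectivity and authentication checks, run as a domain user that holds the share RBAC role.
#    SMB to Azure Files is TCP 445; if this fails, nothing below can work.
Test-NetConnection -ComputerName $saFqdn -Port 445 | Select-Object ComputerName, TcpTestSucceeded
#    A Kerberos ticket for the storage account SPN proves the AD object created by
#    Join-AzStorageAccountForAuth is usable; an NTLM fallback here means AD auth is not in effect.
klist get "cifs/$saFqdn"
#    True only if Kerberos auth, the RBAC role and the NTFS ACL all allow this user in.
Test-Path $vhdLocation

# 2. FSLogix profile container settings (read by the FSLogix agent at user sign-in)
New-Item -Path $fsl -Force | Out-Null
Set-ItemProperty -Path $fsl -Name Enabled -Value 1 -Type DWord
Set-ItemProperty -Path $fsl -Name VHDLocations -Value @($vhdLocation) -Type MultiString
# Optional: name profile folders <username>_<SID> instead of <SID>_<username>, easier to audit
Set-ItemProperty -Path $fsl -Name FlipFlopProfileDirectoryName -Value 1 -Type DWord
# Optional: remove an existing local profile for the user so the container is attached instead of skipped
Set-ItemProperty -Path $fsl -Name DeleteLocalProfileWhenVHDShouldApply -Value 1 -Type DWord

# 3. Read back what the agent will see
Get-ItemProperty -Path $fsl | Select-Object Enabled, VHDLocations, FlipFlopProfileDirectoryName
```

Run section 1 as an ordinary profile user, not as the administrator who set the NTFS permissions: it is the only way to confirm that the RBAC role and the NTFS ACL actually admit the accounts that will sign in.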
Apr 16 2020 01:57 AM
Apr 16 2020 02:12 PM
We're using this in our production environment using standard tier storage.
We're happy with the performance so far. The Standard tier seemed to be adequate for our needs based on this (https://docs.microsoft.com/en-us/azure/storage/files/storage-files-scale-targets) KB.
There are some slight hiccups with configuring NTFS permissions or viewing the files within the Azure Blade (assuming there's some replication time). Other than that, it's been working very well for us.
Apr 29 2020 02:25 PM
Please consider changing / noting that it's NOT recommended to give all users full control on the share - it's really NOT best practice at all - and a huge security issue if people can map each other's VHDs..
Apr 29 2020 02:26 PM
Apr 29 2020 05:56 PM
@Christian_Pedersen there is an article we are working on for FSLogix permissions on the share and the folders under it:

User Account | Access | Applies to
System | Full control | This folder, subfolders and files
Administrators | Full Control | This folder only
Creator/Owner | Full Control | Subfolders and files only
Security group of users needing to put data on share (Roaming User Profiles Users and Computers) | List folder / read data (Advanced permissions), Create folders / append data (Advanced permissions) | This folder only
Other groups and accounts | None (remove) |
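The permissions in the table above are the same ones the guide's NTFS step should end up with. The following is an added example, not code from the original post or its replies, that mounts the share once with the storage account key (the net use step from the guide) and applies the table with icacls; the drive letter, resource names and the group name are assumptions.

```powershell
# Added example (not from the original post): one-off mount with the account key, then the NTFS ACL
# from the table above, applied with icacls. Names in angle brackets and the group are assumptions.
$rg       = "<rg-name>"
$saName   = "<sa-name>"
$share    = "<fileshare-name>"
$drive    = "Z:"
$usersGrp = "CONTOSO\FSLogix-Profile-Users"   # assumed AD group, synced to Azure AD

# The account key bypasses RBAC and NTFS entirely: fetch it at run time instead of pasting it,
# map the share non-persistently, and delete the mapping at the end.
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $saName)[0].Value
net use $drive "\\$saName.file.core.windows.net\$share" $key "/user:Azure\$saName" /persistent:no

$root = "$drive\"
# Drop inherited entries so the root carries only the ACEs set below
icacls $root /inheritance:r
icacls $root /grant "SYSTEM:(OI)(CI)F"              # Full control: this folder, subfolders and files
icacls $root /grant "BUILTIN\Administrators:F"      # Full control: this folder only
icacls $root /grant "CREATOR OWNER:(OI)(CI)(IO)F"   # Full control: subfolders and files only
icacls $root /grant "${usersGrp}:(RD,AD)"           # List folder / Create folders: this folder only
# "Other groups and accounts: none" holds by construction, since nothing else was granted

# Verify the resulting ACL, then remove the key-based mapping
icacls $root
net use $drive /delete
```

With this ACL a user can create their own profile folder at the root and, as CREATOR OWNER, gets Full Control inside it, but cannot list or open the folders other users created; that is the property the comment above is asking for.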
Apr 29 2020 05:57 PM
@Christian_Pedersen can you please elaborate? When you say migration, are you just changing the tier or are you moving the storage account?
Apr 29 2020 10:53 PM
Apr 29 2020 10:55 PM
@Stefan Georgiev the goal is to move from standard to premium storage account.
The path is the issue - I'm trying to make a new storage account and move all the content over, but NTFS permissions are not working, so the folders / files have the wrong owner - I can't change it afterwards because it seems like you can't modify ownership of files on a storage account - tried with ICACLS and Explorer.. :(
Apr 29 2020 11:54 PM
Apr 30 2020 12:18 AM
True - that could be it - that I need to use Azure File Sync instead - probably that can preserve permissions - but it's, well, very apparent that the implementation is kind of not complete - that you need other tools to perform that.
I'm not sure if Azure File Sync can sync from a UNC; then I could just map the 2 file shares on a VM and migrate directly - the easiest part would be to use robocopy <src> <dst> /sec /mir and then it would copy all the content..
May 01 2020 10:32 AM
@Stefan Georgiev ... Very much interested in this but waiting for native AD support to get out of Preview. Any idea when that might be coming?
May 01 2020 10:54 AM
@Nagorg-Terralogic I do not have an official date. That will come from the Azure Files team.
May 06 2020 12:08 AM
@Nagorg-Terralogic I am not directly owning Azure Files hence will let that team announce any changes in the status of that product.
May 06 2020 04:06 PM
@Nagorg-Terralogic I have tested Azure Files as backend for FSLogix for days now - and it's pretty varying in performance - I get some really weird lockups from time to time where the VM is freezing a bit..
Using Azure Files premium, premium SSD and E8s, 8 cores, 64 GB memory..
It works - but there are some really strange "pauses" :(
May 06 2020 04:10 PM
@Christian_Pedersen What is pausing the replication?
May 06 2020 04:15 PM
@Stefan Georgiev well, call it "freezes" (5-10-15 seconds) - it's kind of difficult to be 100% accurate whether it's the storage system or the issue with Office and Modern Authentication that I'm also struggling with - because it seems that if Office has ADAL disabled it can also cause freezes in the user's profile on Open/Close actions
May 11 2020 09:12 AM
May 14 2020 01:30 AM
@Stefan Georgiev Please explain where Global Administrator on the Azure tenant is required to set this up? To delegate the SMB RBAC rights it's certainly enough to be an owner of the storage account.
May 14 2020 01:32 AM
@Nagorg-Terralogic Why would having to maintain two file servers (HA) be more practical?