Search This Blog

Monday, March 9, 2020

Windows Virtual Desktop and Azure File Shares

In our original series on Windows Virtual Desktop we used a standard file server to host the FSLogix Profiles, this was the only option at the time - if used together with our on-premises Active Directory.

Now it’s possible to use Azure file shares and on-premises Active Directory together (Preview of Active Directory authentication support on Azure Files).

So let’s try it out - still using the same setup as described here:

  • Part 1 - Created a Windows Virtual Desktop tenant – Part 1
  • Part 2 - Created a service principal and some customization of our on-premises AD – Part 2
  • Part 3 - Provisioning a host pool – Part 3
  • Part 4 – FSLogix – Part 4
  • Part 5 – Test Part 5

The difference is that the file server in part 4 will be replaced by an Azure file share.

And before we start it’s important to note that Azure Files AD authentication is not available in the following regions(time of writing):

  • West US
  • West US 2
  • East US
  • East US 2
  • West Europe
  • North Europe

The first thing we need is to download the AzFilesHybrid module found here: https://github.com/Azure-Samples/azure-files-samples/releases

2020-02-24 15_12_55-Releases · Azure-Samples_azure-files-samples · GitHub

Unzip the downloaded file, here in a folder called C:\AzFilesHybrid:

2020-02-24 15_17_01-LAB-DC01 on PCP70 - Virtual Machine Connection

Next we will create a Storage account in the Azure portal.

2020-03-06 09_12_29-Window

Select Add.

image

Enter name and options for storage account.

image

For this test I will us a Public endpoint, but choose what suits your situation best.

image

Advanced settings.

image

Select Review + create.

image

When validation has been passed click Create.

image

When deployment is complete select Go to resource.

image

Select File shares.

image

Select File share.

image

Name the new file share and set Quota.

image

Start PowerShell elevated:

2020-02-24 15_52_55-LAB-DC01 on PCP70 - Virtual Machine Connection

Navigate to where the files are unzipped.

2020-02-24 15_53_45-LAB-DC01 on PCP70 - Virtual Machine Connection

If you run in to problems during this sequence, you might be missing the PowerShell modules Az.Resources and AZ.Storage

image

2020-02-24 16_00_27-LAB-DC01 on PCP70 - Virtual Machine Connection

Run command to copy the files into the path.

.\CoptToPSpath.ps1

2020-02-24 15_54_13-LAB-DC01 on PCP70 - Virtual Machine Connection

Import the AzFilesHybrid module.

Import-Module -name AzFilesHybrid

2020-02-24 16_01_45-LAB-DC01 on PCP70 - Virtual Machine Connection

Login with an Azure AD account that has storage account owner or contributor assignment, here I will use my global administrator.

Connect-AzAccount

image

Select the target subscription for the current session with the command.

Select-AzSubscription -SubscriptionId "<subscription-id>"

image

Now register the storage account with our active directory environment under an OU.

join-AzStorageAccountForAuth -ResourceGroupName "<resource-group>" -Name "<storage-account"  -OrganizationalUnitDistinguishedName "<ou-name"

image

In the OU specified you should now the a computer account created.

image

Let’s confirm that the feature is enabled by running the commands:

$storageaccount = Get-AzStorageAccount -ResourceGroupName "<resource-group>" -Name "<storage-account>

$storageAccount.AzureFilesIdentityBasedAuth.DirectoryServiceOptions

$storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties

image

If we go to configuration on the storage account we should now see that Active Directory is enabled.

image

Now go to the file share created and set share access.

image

Use the role Storage File Data SMB Share Contributor and assign it to our group of Windows Virtual Desktop users, here I a group created and synchronized from the local Active Directory.

image

We can now use the net use command to mount the Azure file share, like this:

net use <drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> /user:azure\<storage-account-name> <storage-account-key>

image

You can get the needed information from Access keys under the storage account:

image

The NTFS permissions can now be set on the mapped drive (file explorer) just like what we used for the traditional file server:

image

We need to change the GPO for FSLogix so that the new Azure file share is used.

image

Please also note that the user should not already have a profile on the computer, so use a new account or delete the existing profile.

image

After sign-in to our Windows virtual desktop the FSLogix profile is now created on the Azure file share:

image

We can test if port 445 outbound communication to the Azure Files datacenter is blocked with the commands:

$storageAccount = Get-AzStorageAccount -ResourceGroupName "<resource-group-name>" -Name "<storage-account-name>"

Test-NetConnection -ComputerName ([System.Uri]::new($storageAccount.Context.FileEndPoint).Host) -Port 445

image

No comments:

Post a Comment