Windows Virtual Desktop and Azure File Shares

In our original series on Windows Virtual Desktop we used a standard file server to host the FSLogix profiles. At the time this was the only option if used together with our on-premises Active Directory.

Now it’s possible to use Azure file shares and on-premises Active Directory together (Preview of Active Directory authentication support on Azure Files).

So let’s try it out – still using the same setup as described here:

  • Part 1 – Created a Windows Virtual Desktop tenant
  • Part 2 – Created a service principal and some customization of our on-premises AD
  • Part 3 – Provisioning a host pool
  • Part 4 – FSLogix
  • Part 5 – Test

The difference is that the file server in part 4 will be replaced by an Azure file share.

Before we start, it’s important to note that Azure Files AD authentication is not available in the following regions (at the time of writing):

  • West US
  • West US 2
  • East US
  • East US 2
  • West Europe
  • North Europe

The first thing we need is to download the AzFilesHybrid module from the Releases page of the Azure-Samples/azure-files-samples repository on GitHub.

Unzip the downloaded file, here into a folder called C:\AzFilesHybrid.

Next we will create a Storage account in the Azure portal.

Select Add.


Enter name and options for storage account.


For this test I will use a Public endpoint, but choose what suits your situation best.


Advanced settings.


Select Review + create.


When validation has been passed click Create.


When deployment is complete select Go to resource.


Select File shares.


Select File share.


Name the new file share and set Quota.


Start PowerShell elevated:

Navigate to where the files are unzipped.

If you run into problems during this sequence, you might be missing the PowerShell modules Az.Resources and Az.Storage.

Run the command to copy the module files into the PowerShell module path.

Import the AzFilesHybrid module.

Import-Module -name AzFilesHybrid

Log in with an Azure AD account that has a storage account owner or contributor role assignment; here I will use my global administrator.



Select the target subscription for the current session with the command:

Select-AzSubscription -SubscriptionId "<subscription-id>"


Now register the storage account with our Active Directory environment under an OU.

Join-AzStorageAccountForAuth -ResourceGroupName "<resource-group>" -Name "<storage-account>" -OrganizationalUnitDistinguishedName "<ou-name>"


In the OU specified you should now see that a computer account has been created.


Let’s confirm that the feature is enabled by running the commands:

$storageaccount = Get-AzStorageAccount -ResourceGroupName "<resource-group>" -Name "<storage-account>"




If we go to configuration on the storage account we should now see that Active Directory is enabled.
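The same confirmation can be scripted so that it fails loudly when the join did not take effect. This is an added example, not code from the original post: the function name Test-AzFilesAdJoin is hypothetical, and it assumes the ActiveDirectory module is available and that the join registered a cifs/<file endpoint host> service principal name on the computer account.

```powershell
# Added example, not from the original post. Requires the Az.Storage and
# ActiveDirectory modules; run on a domain-joined machine after Connect-AzAccount.
function Test-AzFilesAdJoin {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [Parameter(Mandatory)] [string] $OuDistinguishedName
    )

    $sa   = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
    $auth = $sa.AzureFilesIdentityBasedAuth

    # Azure side: 'AD' means on-premises Active Directory authentication is enabled.
    if ($auth.DirectoryServiceOptions -ne 'AD') {
        throw "AD authentication is not enabled (DirectoryServiceOptions = '$($auth.DirectoryServiceOptions)')."
    }

    # On-premises side (assumption): the join registers a cifs/<file endpoint host>
    # SPN on the account it creates, so look that SPN up inside the chosen OU.
    $fileHost = [System.Uri]::new($sa.Context.FileEndPoint).Host
    $computer = @(Get-ADComputer -Filter "servicePrincipalName -eq 'cifs/$fileHost'" `
                                 -SearchBase $OuDistinguishedName -Properties servicePrincipalName)
    if ($computer.Count -ne 1) {
        throw "Expected one computer account with SPN cifs/$fileHost in the OU, found $($computer.Count)."
    }

    # The SID recorded on the storage account should be the SID of that AD object;
    # a mismatch points to a stale or recreated account.
    $ad = $auth.ActiveDirectoryProperties
    if ($ad.AzureStorageSid -ne $computer[0].SID.Value) {
        throw "Storage account SID $($ad.AzureStorageSid) does not match $($computer[0].DistinguishedName)."
    }

    [pscustomobject]@{
        StorageAccount = $sa.StorageAccountName
        DomainName     = $ad.DomainName
        ComputerObject = $computer[0].DistinguishedName
        Sid            = $ad.AzureStorageSid
    }
}

# Placeholder values: replace with your own.
Test-AzFilesAdJoin -ResourceGroupName '<resource-group>' `
                   -StorageAccountName '<storage-account>' `
                   -OuDistinguishedName '<ou-distinguished-name>'
```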


Now go to the file share created and set share access.


Use the role Storage File Data SMB Share Contributor and assign it to our group of Windows Virtual Desktop users; here I use a group created in and synchronized from the local Active Directory.


We can now use the net use command to mount the Azure file share with the storage account key, like this:

net use <drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> /user:Azure\<storage-account-name> <storage-account-key>


You can get the needed information from Access keys under the storage account:


The NTFS permissions can now be set on the mapped drive (file explorer) just like what we used for the traditional file server:
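The share-level role assignment and the NTFS permissions from the steps above can also be applied from PowerShell. This is an added example, not from the original post: the group names, the drive letter Z: and the ACL layout (users may create their own profile folder, only the creator can modify its contents) are assumptions to adapt to your environment.

```powershell
# Added example, not from the original post. Every value in <...> and the
# drive letter are placeholders/assumptions.
$subscriptionId = '<subscription-id>'
$resourceGroup  = '<resource-group>'
$storageAccount = '<storage-account>'
$shareName      = '<share-name>'
$aadGroupName   = '<wvd-users-group>'            # group as synchronized to Azure AD
$adGroup        = '<DOMAIN>\<wvd-users-group>'   # the same group as NTFS sees it
$drive          = 'Z:'                           # drive mapped with net use and the account key

# 1. Share-level access: scope the role to this one share, not the whole
#    storage account, so the group gets SMB access to nothing else.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
         "/providers/Microsoft.Storage/storageAccounts/$storageAccount" +
         "/fileServices/default/fileshares/$shareName"
$group = Get-AzADGroup -DisplayName $aadGroupName
New-AzRoleAssignment -ObjectId $group.Id -Scope $scope `
                     -RoleDefinitionName 'Storage File Data SMB Share Contributor'

# 2. NTFS permissions on the share root.
#    Users: Modify on this folder only, enough to create their profile folder.
icacls $drive /grant "${adGroup}:(M)"
#    Creator Owner: Modify on subfolders and files only, so each user can
#    change only the profile folder they created.
icacls $drive /grant 'CREATOR OWNER:(OI)(CI)(IO)(M)'
#    Drop the broad default entries so other identities cannot browse profiles.
icacls $drive /remove 'Authenticated Users'
icacls $drive /remove 'BUILTIN\Users'

# 3. Review the resulting ACL.
icacls $drive

# 4. Remove the key-based mapping: a session mounted with the storage account
#    key has full control of the share regardless of the ACLs set above.
net use $drive /delete
```

After this, users reach the share with their own AD identity, so both the role assignment and the NTFS ACL apply to them.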


We need to change the GPO for FSLogix so that the new Azure file share is used.


Please also note that the user should not already have a profile on the computer, so use a new account or delete the existing profile.


After signing in to our Windows Virtual Desktop, the FSLogix profile is created on the Azure file share:


We can test whether outbound communication on port 445 to the Azure Files datacenter is blocked with the commands:

$storageAccount = Get-AzStorageAccount -ResourceGroupName "<resource-group-name>" -Name "<storage-account-name>"

Test-NetConnection -ComputerName ([System.Uri]::new($storageAccount.Context.FileEndPoint).Host) -Port 445

