In our original series on Windows Virtual Desktop we used a standard file server to host the FSLogix profiles. That was the only option at the time if you wanted to keep using an on-premises Active Directory.
Now it’s possible to use Azure file shares together with on-premises Active Directory (Preview of Active Directory authentication support on Azure Files).
So let’s try it out – still using the same setup as described here:
- Part 1 – Created a Windows Virtual Desktop tenant
- Part 2 – Created a service principal and some customization of our on-premises AD
- Part 3 – Provisioning a host pool
- Part 4 – FSLogix
- Part 5 – Test
The difference is that the file server in part 4 will be replaced by an Azure file share.
Before we start, it’s important to note that Azure Files AD authentication is not available in the following regions (at the time of writing):
- West US
- West US 2
- East US
- East US 2
- West Europe
- North Europe
The first thing we need is to download the AzFilesHybrid module found here: https://github.com/Azure-Samples/azure-files-samples/releases
Unzip the downloaded file, here into a folder called C:\AzFilesHybrid:
Next we will create a Storage account in the Azure portal.
Select Add.
Enter name and options for storage account.
For this test I will use a public endpoint, but choose what suits your situation best.
Advanced settings.
Select Review + create.
When validation has passed, click Create.
When deployment is complete select Go to resource.
Select File shares.
Select File share.
Name the new file share and set Quota.
Start PowerShell elevated:
Navigate to where the files are unzipped.
If you run into problems during this sequence, you might be missing the PowerShell modules Az.Resources and Az.Storage.
Run the script that copies the module files into the PowerShell module path:
.\CopyToPSPath.ps1
Import the AzFilesHybrid module.
Import-Module -Name AzFilesHybrid
Log in with an Azure AD account that has the storage account owner or contributor assignment; here I will use my global administrator.
Connect-AzAccount
Select the target subscription for the current session with the command:
Select-AzSubscription -SubscriptionId "<subscription-id>"
Now register the storage account with our Active Directory environment under an OU:
Join-AzStorageAccountForAuth -ResourceGroupName "<resource-group>" -Name "<storage-account>" -OrganizationalUnitDistinguishedName "<ou-name>"
In the OU specified you should now see a computer account created.
Let’s confirm that the feature is enabled by running the commands:
$storageAccount = Get-AzStorageAccount -ResourceGroupName "<resource-group>" -Name "<storage-account>"
$storageAccount.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
$storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties
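The steps above, from the module preflight to the final check, put together as one script that stops on the first failure. This is an added example and not a script from the original post; the placeholder values, the module folder C:\AzFilesHybrid, the use of the ActiveDirectory module for the on-premises check and the assumption that the computer account is named after the storage account are mine, and the cmdlet parameter names follow the version of AzFilesHybrid used in the post.

```powershell
# Added example (not the post's own script): registers the storage account with
# on-premises AD via AzFilesHybrid and verifies the result on both sides.
# Placeholders are assumptions to be replaced with your own values; parameter
# names follow the module version used in the post.
$ResourceGroup  = "<resource-group>"
$StorageAccount = "<storage-account>"
$SubscriptionId = "<subscription-id>"
$OuDn           = "<ou-distinguished-name>"    # e.g. "OU=Storage,DC=corp,DC=example"
$ModulePath     = "C:\AzFilesHybrid"           # folder the release was unzipped into

# 1. Preflight: AzFilesHybrid depends on Az.Resources and Az.Storage
foreach ($m in "Az.Resources", "Az.Storage") {
    if (-not (Get-Module -ListAvailable -Name $m)) {
        throw "Module $m is missing. Install it with: Install-Module $m -Scope CurrentUser"
    }
}

# 2. Copy the module into the PowerShell module path and import it
Set-Location $ModulePath
.\CopyToPSPath.ps1
Import-Module -Name AzFilesHybrid

# 3. Sign in and pin the subscription for this session
Connect-AzAccount
Select-AzSubscription -SubscriptionId $SubscriptionId

# 4. Register the storage account under the chosen OU
Join-AzStorageAccountForAuth -ResourceGroupName $ResourceGroup `
    -Name $StorageAccount `
    -OrganizationalUnitDistinguishedName $OuDn

# 5. Verify on the Azure side: DirectoryServiceOptions must read "AD"
$sa   = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$auth = $sa.AzureFilesIdentityBasedAuth
if ($auth.DirectoryServiceOptions -ne "AD") {
    throw "AD authentication not enabled: DirectoryServiceOptions = '$($auth.DirectoryServiceOptions)'"
}
$auth.ActiveDirectoryProperties | Format-List

# 6. Verify on the AD side: a computer account should now exist in the OU.
#    Assumption: the account is named after the storage account (the default).
Import-Module ActiveDirectory
$acct = Get-ADComputer -Filter "Name -eq '$StorageAccount'" -SearchBase $OuDn -ErrorAction SilentlyContinue
if (-not $acct) {
    throw "No computer account named '$StorageAccount' found under $OuDn"
}
"Storage account '$StorageAccount' is registered as $($acct.DistinguishedName)"
```

Run it from an elevated PowerShell session on a domain-joined machine that can reach a domain controller; the last step fails cleanly if the computer account did not appear where you expected it, which is the first thing to look at when Kerberos authentication to the share later does not work.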
If we go to configuration on the storage account we should now see that Active Directory is enabled.
Now go to the file share created and set share access.
Use the role Storage File Data SMB Share Contributor and assign it to our group of Windows Virtual Desktop users; here I use a group created in and synchronized from the local Active Directory.
We can now use the net use command to mount the Azure file share, like this:
net use <drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> /user:Azure\<storage-account-name> <storage-account-key>
You can get the needed information from Access keys under the storage account:
The NTFS permissions can now be set on the mapped drive (File Explorer), just as we did for the traditional file server:
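The share-level role assignment, the key-based mount and the NTFS permissions from the steps above, done from PowerShell instead of the portal and File Explorer. This is an added example and not part of the original post: the placeholders and group name are assumptions, and the ACL layout (the user group gets Modify on the share root only, CREATOR OWNER gets Modify on subfolders and files only) is the one I assume for an FSLogix profile container root, not something this post specifies.

```powershell
# Added example (not the post's own script): grants the WVD user group
# share-level access, mounts the share with the storage account key and sets
# NTFS permissions on the share root. Placeholders and the ACL layout are
# assumptions, see the lead-in.
$ResourceGroup  = "<resource-group>"
$StorageAccount = "<storage-account>"
$ShareName      = "<share-name>"
$GroupName      = "<wvd-users-group>"          # Azure AD display name of the synced group
$DomainGroup    = "<domain>\<wvd-users-group>" # on-premises name of the same group
$DriveLetter    = "Z"

# 1. Share-level permission: role assignment scoped to this file share only
$sa         = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$shareScope = "$($sa.Id)/fileServices/default/fileshares/$ShareName"
$group      = Get-AzADGroup -DisplayName $GroupName
New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName "Storage File Data SMB Share Contributor" `
    -Scope $shareScope

# 2. Mount with the storage account key; only needed once, to set the NTFS ACL
$key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount)[0].Value
$unc = "\\$StorageAccount.file.core.windows.net\$ShareName"
net use "${DriveLetter}:" $unc "/user:Azure\$StorageAccount" $key
if ($LASTEXITCODE -ne 0) { throw "net use failed for $unc" }

# 3. NTFS permissions on the share root (assumed layout, see lead-in)
$root = "${DriveLetter}:\"
icacls $root /inheritance:r
icacls $root /grant "${DomainGroup}:(M)"                 # this folder only
icacls $root /grant "CREATOR OWNER:(OI)(CI)(IO)(M)"      # subfolders and files only
icacls $root /grant "BUILTIN\Administrators:(OI)(CI)(F)"
icacls $root                                             # print the resulting ACL for review

# 4. Drop the key-based mapping again; users connect with their AD identity
net use "${DriveLetter}:" /delete /y
Remove-Variable key
```

The role assignment is scoped to the share resource id rather than the whole storage account, so the group can reach this share and nothing else. The storage account key grants full access to every share in the account, which is why the mapping is removed and the variable cleared as soon as the ACL is in place; day-to-day access goes through the users' AD identities.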
We need to change the GPO for FSLogix so that the new Azure file share is used.
Please also note that the user should not already have a profile on the computer, so use a new account or delete the existing profile.
After signing in to our Windows Virtual Desktop session host, the FSLogix profile is now created on the Azure file share:
We can test whether outbound port 445 communication to the Azure Files datacenter is blocked with the commands:
$storageAccount = Get-AzStorageAccount -ResourceGroupName "<resource-group-name>" -Name "<storage-account-name>"
Test-NetConnection -ComputerName ([System.Uri]::new($storageAccount.Context.FileEndPoint).Host) -Port 445