In traditional virtual desktop infrastructure (VDI) deployment scenarios, it was (and often still is) most likely that you built your own SMB file infrastructure to store your roaming profiles and user-specific data on. This creates extra management and maintenance overhead, increases costs, and requires physical hardware expansion whenever you need to upgrade or burst (CapEx), so it is not flexible.
The Azure Files service (storage as a service) on Azure scales on demand: you create your storage account, create a file share, set up the designated NTFS permissions/ACLs and you are ready to use it, all on the OpEx billing model. Do you want more storage? Just expand the quota and you have more; your bill adjusts automatically.
To create a general-purpose v2 storage account in the Azure portal, follow these steps:
Create a Storage Account
- On the Azure portal menu, select All services. In the list of resources, type Storage Accounts. As you begin typing, the list filters based on your input. Select Storage Accounts.
- On the Storage Accounts window that appears, choose Add.
- Select the subscription in which to create the storage account.
- Under the Resource group field, select Create new. Enter a name for your new resource group, as shown in the following image.
- Next, enter a name for your storage account. The name you choose must be unique across Azure. The name also must be between 3 and 24 characters in length, and can include numbers and lowercase letters only.
- Select a location for your storage account, or use the default location.
- Leave these fields set to their default values:
Select Review + Create to review your storage account settings and create the account.
Next, you create a file share.
- When the Azure storage account deployment is complete, select Go to resource.
- Select Files from the storage account pane.
- Select File Share.
Name the new file share, enter “30 Gb” for the Quota and select Create. The quota can be a maximum of 5 TiB, but you only need 30 GiB for this demo.
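The portal steps above, carried out from PowerShell instead, as an added example that is not part of the original post. It assumes the Az module is installed and a Connect-AzAccount session exists; the resource group, region and account names are placeholders, and Standard_LRS is an assumed redundancy choice, not a value the post prescribes.

```powershell
# Added example (not from the original post): create the storage account and
# the 30 GiB file share from PowerShell instead of the portal. Requires the Az
# module and an existing Connect-AzAccount session. All names are placeholders.
$ResourceGroupName  = "rg-fslogix-demo"        # assumed name
$StorageAccountName = "fslogixwvddemo"          # must be unique across Azure
$Location           = "westeurope"              # assumed region
$ShareName          = "fslogixprofiles"
$QuotaGiB           = 30

# Same naming rule the portal enforces: 3-24 characters, lowercase letters and digits only.
function Test-StorageAccountName {
    param([Parameter(Mandatory)][string]$Name)
    return ($Name -cmatch '^[a-z0-9]{3,24}$')
}

if (-not (Test-StorageAccountName -Name $StorageAccountName)) {
    throw "Storage account name '$StorageAccountName' is not valid (3-24 chars, lowercase letters and digits only)."
}

# Resource group (idempotent: reuse it if it already exists)
if (-not (Get-AzResourceGroup -Name $ResourceGroupName -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $ResourceGroupName -Location $Location | Out-Null
}

# General-purpose v2 account. Standard_LRS is an assumed choice; pick the
# redundancy you need. HTTPS-only transfer is kept on, so SMB must use encryption.
$account = New-AzStorageAccount -ResourceGroupName $ResourceGroupName `
    -Name $StorageAccountName `
    -Location $Location `
    -SkuName "Standard_LRS" `
    -Kind "StorageV2" `
    -EnableHttpsTrafficOnly $true

# File share with a 30 GiB quota (a standard share can go up to 5 TiB)
$share = New-AzRmStorageShare -ResourceGroupName $ResourceGroupName `
    -StorageAccountName $StorageAccountName `
    -Name $ShareName `
    -QuotaGiB $QuotaGiB

# The UNC path you will use later from a domain-joined client
"\\{0}.file.core.windows.net\{1}" -f $account.StorageAccountName, $share.Name
```

The name check is deliberately case-sensitive (-cmatch): an uppercase letter is rejected by Azure, so failing early here saves a round trip.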
Activate Azure Files – Active Directory authentication on your storage account
- Download and unzip the AzFilesHybrid PowerShell module. Make sure to download the latest version.
- Store the data somewhere you prefer e.g. C:\AzFilesHybrid.
- Make sure that your current-user execution policy is set to Unrestricted (answer Yes to All):
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
- Change the path to the folder where you unzipped the module folder and run the .\CopyToPSPath.ps1 command.
- Import the Azure Files Hybrid Module
Import-Module -name AzFilesHybrid
- Connect to your Azure subscription from PowerShell with the sign-in command.
Note: This account needs at least Owner rights on the storage account, or a Contributor RBAC assignment with equivalent rights, to perform the next tasks.
- Now we need to select the subscription (by name) for the current session:
Select-AzSubscription -SubscriptionName "Azure Subscription Name"
Now the most important step starts: we join our Azure Files storage account to our Active Directory (AD) environment.
Note: We need to run these commands from a computer or server that is joined to the Active Directory (AD) domain. The command runs with the rights of the user who is logged on and running the PowerShell session, so that user needs domain administrator rights, or delegated rights for that task, in place. It does not have to be a domain controller, but the command uses the ActiveDirectory PowerShell module, so running it from a domain controller can be easier.
Join-AzStorageAccountForAuth -ResourceGroupName "<resource-group-name>" -Name "<storage-account-name>" -DomainAccountType "ComputerAccount" -OrganizationalUnitName "<OU-FRIENDLY-NAME>"
When the command has run successfully, you will see a computer account, named after your Azure storage account, created in your Active Directory (AD) environment.
Verify if Active Directory is enabled
- Go back to the Azure Portal and open the Configuration menu of your storage account.
- Verify that Active Directory is enabled with your local domain name. See the example below.
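The join and the verification steps above in one script, as an added example that is not part of the original post. It assumes AzFilesHybrid has already been copied into the module path with CopyToPSPath.ps1, that the ActiveDirectory RSAT module is present on the domain-joined machine, and that the resource group, account, subscription and OU names are placeholders; the verification reads the properties the storage account exposes rather than the portal page.

```powershell
# Added example (not from the original post): run the AD join from PowerShell on
# a domain-joined machine and verify the result instead of checking the portal.
# Assumes AzFilesHybrid is in the PSModulePath (CopyToPSPath.ps1) and the
# ActiveDirectory RSAT module is installed. Names below are assumed placeholders.
$ResourceGroupName  = "rg-fslogix-demo"          # assumed
$StorageAccountName = "fslogixwvddemo"            # assumed
$SubscriptionName   = "Azure Subscription Name"   # assumed
$OuName             = "AzureFiles"                # assumed friendly OU name

Import-Module -Name AzFilesHybrid
Connect-AzAccount | Out-Null                                        # interactive sign-in
Select-AzSubscription -SubscriptionName $SubscriptionName | Out-Null

# Creates the computer account for the storage account in the given OU and
# records the domain information on the storage account.
Join-AzStorageAccountForAuth -ResourceGroupName $ResourceGroupName `
    -StorageAccountName $StorageAccountName `
    -DomainAccountType "ComputerAccount" `
    -OrganizationalUnitName $OuName

# Verification 1: the storage account now reports AD as its directory service
$sa     = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$idAuth = $sa.AzureFilesIdentityBasedAuth
if ($idAuth.DirectoryServiceOptions -ne "AD") {
    throw "AD authentication is not enabled on $StorageAccountName (got '$($idAuth.DirectoryServiceOptions)')"
}
"Joined to domain: {0} (domain SID {1})" -f $idAuth.ActiveDirectoryProperties.DomainName,
                                            $idAuth.ActiveDirectoryProperties.DomainSid

# Verification 2: the matching computer account exists in AD and its SID is the
# one registered on the storage account; a mismatch breaks identity-based auth.
$computer = Get-ADComputer -Identity $StorageAccountName -Properties DistinguishedName, SID
if ($computer.SID.Value -ne $idAuth.ActiveDirectoryProperties.AzureStorageSid) {
    throw "SID mismatch between the AD computer account and the storage account registration"
}
"Computer account: {0}" -f $computer.DistinguishedName
```

The second check is the one worth keeping around: if someone later deletes and recreates the computer account, the name still matches but the SID does not, and users get access-denied errors that look like an RBAC problem.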
Configure IAM Object permissions – via the Azure Portal
Now we need to assign one of the built-in roles on the specific file share to give users access to the Azure Files SMB share. There are three specific roles already available that we can use:
- Storage File Data SMB Share Contributor
- Storage File Data SMB Share Elevated Contributor (NTFS configuration)
After these IAM steps we can take over share authorization at the NTFS level (with the Elevated Contributor role) to make the folder rights more security- and organization-specific.
You can assign the user or AD group object rights via the IAM configuration menu of your storage account in the Azure Portal.
Note: If you use groups, make sure the AD group is synchronized from your local AD via Azure AD Connect. A group that exists only in Azure AD does not work!
Note: Make one of your (data) administrators a member of the Storage File Data SMB Share Elevated Contributor assignment. That gives you the extra privilege to configure the NTFS rights on the share initially.
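The IAM assignment above done from PowerShell, as an added example that is not part of the original post. It scopes each role to the single file share rather than the whole storage account, and refuses a group that has no on-premises counterpart, which is the "Azure AD only does not work" note turned into a check. Group and resource names are placeholders; the script assumes an Az session on a machine that also has the ActiveDirectory module.

```powershell
# Added example (not from the original post): assign the built-in SMB share roles
# at the scope of the single file share, after checking that the group really
# originates from on-premises AD. Names are assumed placeholders.
$SubscriptionId     = (Get-AzContext).Subscription.Id
$ResourceGroupName  = "rg-fslogix-demo"            # assumed
$StorageAccountName = "fslogixwvddemo"              # assumed
$ShareName          = "fslogixprofiles"
$UsersGroupName     = "FSLogix-Profile-Users"       # assumed, synced via Azure AD Connect
$AdminsGroupName    = "FSLogix-Profile-Admins"      # assumed, synced via Azure AD Connect

# Narrowest useful scope: the share itself, not the account or the resource group
$ShareScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
              "/providers/Microsoft.Storage/storageAccounts/$StorageAccountName" +
              "/fileServices/default/fileshares/$ShareName"

function Grant-ShareRole {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$RoleName
    )
    # A cloud-only Azure AD group has no on-premises object, so require that the
    # same group exists in local AD (Get-ADGroup comes from the ActiveDirectory module).
    $onPrem = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
    if (-not $onPrem) {
        throw "Group '$GroupName' does not exist in on-premises AD; Azure AD-only groups cannot be used for SMB access"
    }
    $cloud = Get-AzADGroup -DisplayName $GroupName
    if (-not $cloud) {
        throw "Group '$GroupName' is not synchronized to Azure AD yet"
    }
    # Skip if the assignment already exists (New-AzRoleAssignment errors on duplicates)
    $existing = Get-AzRoleAssignment -ObjectId $cloud.Id -RoleDefinitionName $RoleName -Scope $ShareScope
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $cloud.Id -RoleDefinitionName $RoleName -Scope $ShareScope | Out-Null
    }
    "{0} -> {1}" -f $GroupName, $RoleName
}

# Everyday users: read/write on the share, no right to change NTFS ACLs
Grant-ShareRole -GroupName $UsersGroupName  -RoleName "Storage File Data SMB Share Contributor"
# Data administrators: may set NTFS permissions (needed for the initial ACL setup)
Grant-ShareRole -GroupName $AdminsGroupName -RoleName "Storage File Data SMB Share Elevated Contributor"
```

Keeping the Elevated Contributor assignment on a small admin group, and the share-level scope, means a user who can write profiles cannot rewrite the ACLs of other users' profile folders.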
Verify access to your Azure Files SMB share
When we have performed all the above steps correctly, we can now test whether the share we created is accessible from our Windows Virtual Desktop environment and eventually configure FSLogix Profile Container.
- Find the Azure Files Share UNC path at the storage account configuration menu.
- Log on to a domain-joined virtual machine as one of the user accounts you gave the rights to (or a member of the group). Try to access the Azure Files share; you have to add the share folder to the location, such as \\fslogixwvddemo.file.core.windows.net\fslogixprofiles. It works!
Configure NTFS rights on the Azure Files Share
You can start configuring all the NTFS rights that are recommended for the use of FSLogix Profile Container. See below the rights that are recommended for FSLogix. Read more about it here.
The user profile container with Azure Files for WVD has been created successfully. I hope you were able to complete the steps without any issues as well.
For a complete guide, please refer to Christiaan Brinkhoff‘s blog here.
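The access test from the previous section and the NTFS configuration from this one, as an added example that is not part of the original post. Run it on a domain-joined machine as a member of the Elevated Contributor assignment. It checks that TCP 445 is reachable and that the client actually obtained a Kerberos ticket for the share (so the AD integration, not a storage key, is doing the authentication), then applies the permission set Microsoft documents for FSLogix profile containers (summarised here from that documentation, since the post's table did not survive). Account, share, domain and group names are placeholders.

```powershell
# Added example (not from the original post): verify SMB access with Kerberos and
# then apply the NTFS permissions documented for FSLogix profile containers.
# Run on a domain-joined machine as an Elevated Contributor. Names are assumed.
$StorageAccountName = "fslogixwvddemo"                    # assumed
$ShareName          = "fslogixprofiles"
$Domain             = "CONTOSO"                            # assumed NetBIOS domain name
$UsersGroup         = "$Domain\FSLogix-Profile-Users"      # assumed
$AdminsGroup        = "$Domain\FSLogix-Profile-Admins"     # assumed
$FileHost           = "$StorageAccountName.file.core.windows.net"
$SharePath          = "\\$FileHost\$ShareName"

# 1. Reachability: SMB needs TCP 445 open from the client (frequently blocked on consumer networks)
if (-not (Test-NetConnection -ComputerName $FileHost -Port 445 -InformationLevel Quiet)) {
    throw "TCP 445 to $FileHost is blocked; SMB access is impossible from here"
}

# 2. Authentication: request a Kerberos ticket for the share's SPN. Getting one
#    proves the AD join and the RBAC assignment work; no storage key is involved.
klist get "cifs/$FileHost" | Out-Null
if (-not (klist | Select-String -Pattern "cifs/$FileHost" -Quiet)) {
    throw "No Kerberos ticket for cifs/$FileHost; check the AD join and the RBAC assignment"
}
if (-not (Test-Path -Path $SharePath)) { throw "Cannot open $SharePath" }

# 3. NTFS permissions documented for FSLogix profile containers:
#    - Users:          Modify, this folder only (each user can create their own profile folder)
#    - CREATOR OWNER:  Modify, subfolders and files only (each user owns only their own profile)
#    - Administrators: Full Control, this folder, subfolders and files
#    Inherited ACEs from the share root are removed first so nothing broader leaks in.
icacls $SharePath /inheritance:r
icacls $SharePath /grant "${AdminsGroup}:(OI)(CI)F"
icacls $SharePath /grant "CREATOR OWNER:(OI)(CI)(IO)M"
icacls $SharePath /grant "${UsersGroup}:M"

# 4. Read back the effective ACL to confirm exactly those three entries remain
(Get-Acl -Path $SharePath).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize
```

The point of the CREATOR OWNER entry is that a user's Modify right stops at the share root: they can create their own profile folder but receive rights only on what they created, so one user cannot open or delete another user's profile container.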