This article will show how you can use Azure Files to store your Windows Virtual Desktop – WVD – FSLogix profiles.
Typically, when using WVD, FSLogix will be used to manage user profiles. One of the key decisions to make when designing for FSLogix is where you will store the profile data. There are a number of options when it comes to profile storage. You could use a new or existing Windows File Server, or other SMB file server, however that likely leaves you with the overhead of additional virtual machines to manage. Instead, now that Azure Files offers Active Directory authentication, it is now a great option for hosting WVD FSLogix user profiles.
Here we will have a look at how to create a new Azure storage account and how to create an Azure Files share. Once that is done I will also cover how to enable Active Directory authentication on the Azure storage account, how to configure access control for the storage account and how to configure NTFS permissions on the Azure Files share. Note that the examples used here will be around working with an AD DS (on-premises) environment, which in my case is an AD domain controller on a virtual machine running in Azure. This environment is synchronised with Azure AD.
The idea here is to show the steps required to get this working, however the specific settings used here may not be suitable in other environments. For example, you will need to make decisions around the type of storage account you wish to use (GPv2, or FileStorage) depending on your usage/performance requirements. Check out the documentation for guidance on this.
There are a bunch of prerequisites that need to be in place for this to work. I will assume you already have built a WVD environment, and have the necessary permissions within an Azure tenant/subscription. You will also need your domain controller to be synchronized to Azure and resolvable from the Azure virtual network (VNET) where your WVD session hosts are located. In my environment I have the vNET DNS settings pointing to my AD DS environment.
Let’s get started by creating the storage account and Azure Files share!
How to Create a New Azure Storage Account and Azure Files Share
In the Azure Portal, search for storage account in the search bar at the top of the page, then click +Add to begin creating a new storage account:
We need to populate this form with the required information to create the account:
- Select the Azure Subscription and the Resource Group where the new storage account will be created. Note that the location of the storage account should be the same as where your WVD session hosts are located.
- Enter a unique name for the new storage account
- Performance – I have used Standard (though you may want to use Premium depending on requirements, and this also allows you to select FileStorage as the account kind)
- Account Kind – I have used StorageV2. Again, check what is the best fit for your requirements.
- Replication – Locally-redundant storage (LRS).
Click Next to move onto the Networking page. In my environment I wanted to restrict access to the storage account, so that it could only be accessed from within my vNet. To do so, I created a Private Endpoint.
- Connectivity Method – Select Private Endpoint
- Click add, to create a new private endpoint
- Enter your Subscription, Resource group and Location.
- Enter a name for the Private Endpoint.
- Select file as Storage sub-resource.
- Select the Virtual Network and Subnet. This should be the same vNet as your WVD session hosts.
- Under Private DNS Integration select Integrate with Private DNS Zone. Then click OK.
When you’re done, select Review + create, then select Create. Once the deployment completes we can move on to create the Azure Files share.
Note, if using a private endpoint you will likely want to restrict access to your storage account so that it is only accessible from within the vNet.
How to Create an Azure File Share
To create an Azure file share, go to the new storage account in the Azure Portal. On the storage account's overview page:
- Select File shares.
- Select +File shares, create a new file share named userprofiles (or other suitable name), then either enter a quota or leave the field blank for no quota.
- Select Create.
And that’s it! We now have a new Azure storage account and an Azure Files share, using a private endpoint, which we can now use for profile storage. The next step is to enable Active Directory authentication for the Azure storage account we have created.
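The same storage account, share and private endpoint can be created from PowerShell instead of the portal. The following script is an added example, not part of the original post; it uses the Az.Storage, Az.Network and Az.PrivateDns modules and assumes an existing Connect-AzAccount session. The resource group, region, storage account, vNet and subnet names are placeholders to replace with your own, and the vNet is assumed to live in the same resource group. It also applies the lock-down the note above recommends by setting the account's default network action to Deny, so the account is reachable only through the private endpoint.

```powershell
# Added example (not from the original post): storage account + file share +
# private endpoint + Private DNS, then deny public network access by default.
$rg         = "rg-wvd"                 # placeholder resource group
$location   = "westeurope"             # same region as the WVD session hosts
$saName     = "stwvdprofiles001"       # placeholder, must be globally unique
$shareName  = "userprofiles"
$vnetName   = "vnet-wvd"               # placeholder vNet of the session hosts
$subnetName = "snet-wvd-hosts"         # placeholder subnet in that vNet

# 1. Storage account: Standard performance, StorageV2 kind and LRS replication,
#    as chosen in the post. Requiring TLS 1.2 is an extra hardening choice.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $saName -Location $location `
        -SkuName Standard_LRS -Kind StorageV2 -MinimumTlsVersion TLS1_2 -EnableLargeFileShare

# 2. File share via the management plane, so no account key is needed here.
New-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $saName `
        -Name $shareName -QuotaGiB 1024 | Out-Null

# 3. Private endpoint for the "file" sub-resource in the session host subnet.
#    (On older API versions the subnet must have private endpoint network
#    policies disabled first.)
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
$plsc   = New-AzPrivateLinkServiceConnection -Name "$saName-file-plsc" `
            -PrivateLinkServiceId $sa.Id -GroupId "file"
$peName = "pe-$saName-file"
New-AzPrivateEndpoint -ResourceGroupName $rg -Name $peName -Location $location `
        -Subnet $subnet -PrivateLinkServiceConnection $plsc | Out-Null

# 4. Private DNS zone linked to the vNet, so <account>.file.core.windows.net
#    resolves to the endpoint's private IP (the "Integrate with Private DNS Zone" option).
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name "privatelink.file.core.windows.net"
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone.Name `
        -Name "link-$vnetName" -VirtualNetworkId $vnet.Id | Out-Null
$zoneConfig = New-AzPrivateDnsZoneConfig -Name "privatelink-file-core-windows-net" `
        -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $peName `
        -Name "default" -PrivateDnsZoneConfig $zoneConfig | Out-Null

# 5. Deny traffic to the public endpoint by default; only the private endpoint
#    (and trusted Azure services) can reach the account.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName `
        -DefaultAction Deny -Bypass AzureServices | Out-Null

# Check: should print "Deny".
(Get-AzStorageAccount -ResourceGroupName $rg -Name $saName).NetworkRuleSet.DefaultAction
```

Once the default action is Deny, mapping the share from a machine outside the vNet (for example a laptop on the public internet) fails, which is the intended effect; the later steps that map the share to set NTFS permissions therefore need to run from a domain-joined machine inside the vNet.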
Enable Active Directory Authentication For Azure Files
So, this step is a little involved. The first step is to download a new PowerShell module which we will use to enable Active Directory authentication for the storage account. You can download the module from here. Note that you will need to install the module on a system that is domain joined to the AD DS environment you will be using. Also, ensure that you run the script using an on-premises AD credential that is synced to Azure AD. In my test environment I ran the script from my Domain Controller.
Once you have downloaded the module, extract the contents to a convenient location. Then import the module:
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
Import-Module -Name .\AzFilesHybrid.psd1
With the module imported, we then need to connect the PowerShell session to Azure, and set the subscription we wish to work with:
Connect-AzAccount
Select-AzSubscription -SubscriptionId <your-subscription-id>
Next, we want to run the Join-AzStorageAccountForAuth cmdlet, and pass it a bunch of parameters relating to our environment:
Join-AzStorageAccountForAuth `
-ResourceGroupName "<Resource Group Name>" `
-StorageAccountName "<Storage Account Name>" `
-DomainAccountType "ComputerAccount" `
-OrganizationalUnitDistinguishedName "<OU Distinguished Name>"
Once done, looking at the Storage Accounts configuration, you should see that it is now Enabled for Active Directory Domain Services:
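The portal view is one way to confirm the join; the following added example (not code from the original post or from the AzFilesHybrid module) checks both sides from PowerShell on the same domain-joined machine, using Get-AzStorageAccount for the Azure side and the ActiveDirectory module for the AD DS side. $rg, $saName and $ou are placeholders for the values passed to Join-AzStorageAccountForAuth.

```powershell
# Added example (not from the original post): verify the AD DS join of the
# storage account from both Azure and Active Directory.
$rg     = "rg-wvd"                              # placeholder
$saName = "stwvdprofiles001"                    # placeholder
$ou     = "OU=AzureFiles,DC=corp,DC=example"    # placeholder: the OU given to the cmdlet

# 1. Azure side: the account must report AD DS ("AD") as its directory service.
$sa      = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName
$dirOpts = $sa.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
if ($dirOpts -ne "AD") {
    throw "AD DS authentication is not enabled on $saName (DirectoryServiceOptions = '$dirOpts')"
}
# The domain details the module registered on the account.
$sa.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties |
    Format-List DomainName, NetBiosDomainName, DomainGuid, DomainSid

# 2. AD side: with -DomainAccountType "ComputerAccount" the module creates a
#    computer object in the OU carrying a cifs/ SPN for the file endpoint.
$spnFilter = "ServicePrincipalName -like '*$saName.file.core.windows.net*'"
$adObj = Get-ADComputer -SearchBase $ou -Filter $spnFilter -Properties ServicePrincipalName
if (-not $adObj) {
    throw "No computer account with an SPN for $saName.file.core.windows.net found under $ou"
}
"{0} -> {1}" -f $adObj.DistinguishedName, ($adObj.ServicePrincipalName -join ", ")
```

If the first check fails the join did not complete on the Azure side; if the second fails, the account was created somewhere other than the OU you expected (or not at all), which is worth knowing before you lock down that OU with group policy or delegation.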
With that done we can move on to looking at setting up access to the Azure File share. Allowing access to an Azure File share involves a combination of permissions both at the share level as well as on the NTFS level, which is similar to how you would typically manage a standard Windows file share.
Configure IAM Access Control on the Azure Files Storage Account
Every user that will need to have WVD FSLogix profiles stored in the Azure Files share needs to be assigned the Storage File Data SMB Share Contributor role on the storage account. We also want to assign the Storage File Data SMB Share Elevated Contributor role to those that will be administrators of the file share.
With this in mind, I created and populated two groups in Active Directory that were synced to Azure AD. One for my Profile Share Admins and one for Profile Share Users.
With this done, I took the following steps to assign these groups to the relevant roles on the storage account:
- In Azure Portal, go to the Storage Account containing the Azure Files Share
- Select File shares, then select the name of the file share you plan to use.
- Select Access Control (IAM), then Add a role assignment.
- In the Add role assignment tab, select Storage File Data SMB Share Elevated Contributor and assign the role to your Profile Admins group.
- Save the changes.
I then repeated these steps to assign the Storage File Data SMB Share Contributor role to my Profile Users group. That’s it for the Azure permissions (think of these as the ‘share’ permissions). We now need to move on and configure the NTFS permissions.
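The same two role assignments can be made from PowerShell, which is useful when you need to repeat them across several storage accounts. This is an added example and not part of the original post; it uses Get-AzADGroup and New-AzRoleAssignment from Az.Resources, scopes the assignment to the file share itself (the scope the portal steps above use), and assumes the group names "Profile Share Admins" and "Profile Share Users" from the post; $rg, $saName and $shareName are placeholders.

```powershell
# Added example (not from the original post): assign the share-level roles at
# file-share scope to the two synced AD groups, idempotently.
$rg        = "rg-wvd"                 # placeholder
$saName    = "stwvdprofiles001"       # placeholder
$shareName = "userprofiles"
$subId     = (Get-AzContext).Subscription.Id

# Resource ID of the file share: narrower than granting on the whole account.
$shareScope = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Storage" +
              "/storageAccounts/$saName/fileServices/default/fileshares/$shareName"

# Role name -> synced AD group that should hold it.
$assignments = @{
    "Storage File Data SMB Share Elevated Contributor" = "Profile Share Admins"
    "Storage File Data SMB Share Contributor"          = "Profile Share Users"
}

foreach ($role in $assignments.Keys) {
    $groupName = $assignments[$role]
    $group = Get-AzADGroup -DisplayName $groupName
    if (-not $group) { throw "Group '$groupName' not found in Azure AD; has it synced yet?" }

    # Skip if this group already holds the role here (or inherits it from above).
    $existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role -Scope $shareScope
    if ($existing) { "Already assigned: $role -> $groupName"; continue }

    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role -Scope $shareScope | Out-Null
    "Assigned: $role -> $groupName"
}

# Review everything effective at share scope, including inherited assignments;
# anything unexpected here (e.g. a broad Contributor at subscription level) is
# worth a second look, since it also grants access to the profiles.
Get-AzRoleAssignment -Scope $shareScope | Format-Table DisplayName, RoleDefinitionName, Scope
```

Note that role assignments can take a few minutes to propagate, so a user added to the group right before logging on may still get an access denied on the first attempt.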
Add Users NTFS Permissions on the Azure File Share
We now want to assign our WVD users NTFS permissions to the Azure Files share. To do so, we need to get the UNC path to the Azure Files share. To find this, in your storage account in Azure Portal, select properties. Look for the Primary File Service Endpoint URI. It will be an https address, but we need to convert this to UNC. You should end up with something like:
\\<storageaccntname>.file.core.windows.net\<fileshare-name>
Note that by default, this will resolve to a public IP address. If you are using a Private Endpoint then you will need to configure your DNS to ensure that this name resolves to the private IP address of the private endpoint.
Whilst in the storage account settings, grab one of the access keys for the account. We will need this to access the share initially. Using the access key we can map a drive to the file share:
net use f: <UNC-path> <accesskey> /user:Azure\<storageaccountname>
Once that has mapped successfully, open the share in Windows Explorer, then open the Home tab and click on the Properties button. Open the Security tab and click Advanced. From here we can set the NTFS permissions on the share.
There are some recommended permissions detailed here, which will allow users access to the share, but won’t allow users to modify other users’ profiles.
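The steps in this section (DNS check, mapping with the access key, setting NTFS permissions) can be scripted so they are repeatable and so the key-based mapping is removed again afterwards. The script below is an added example and not code from the original post or from FSLogix; it uses Resolve-DnsName, net use and icacls. The storage account, share, domain and group names are placeholders, and the ACL it applies is the common FSLogix pattern: users get Modify on the share root only, CREATOR OWNER gets Modify on what each user creates, administrators get Full control, and the default Authenticated Users and Users entries are removed, so users cannot open each other's profile folders.

```powershell
# Added example (not from the original post): verify private DNS resolution,
# map the share once with the account key, set NTFS ACLs, unmap.
$saName    = "stwvdprofiles001"                 # placeholder
$shareName = "userprofiles"
$domain    = "CORP"                             # placeholder NetBIOS domain name
$usersGrp  = "$domain\Profile Share Users"      # synced AD group from the IAM step
$adminsGrp = "$domain\Profile Share Admins"     # synced AD group from the IAM step
$fqdn      = "$saName.file.core.windows.net"
$unc       = "\\$fqdn\$shareName"
$drive     = "F:"

# 1. With a private endpoint the name must resolve to a private (RFC 1918) address.
#    A public address here means the Private DNS zone is not linked to this vNet.
$ip = (Resolve-DnsName $fqdn -Type A | Where-Object Type -eq 'A').IPAddress | Select-Object -First 1
if ($ip -notmatch '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)') {
    throw "$fqdn resolves to '$ip', which is not a private endpoint address"
}

# 2. Map the share with the storage account key (prompted, so the key does not
#    end up in the command history). This is the only step that needs the key.
$secureKey = Read-Host -Prompt "Storage account key" -AsSecureString
$plainKey  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                 [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureKey))
net use $drive $unc $plainKey "/user:Azure\$saName" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "net use failed for $unc" }

# 3. NTFS ACL on the share root:
#    users         -> (M) on this folder only (no OI/CI), so they can create their
#                     own profile folder but get no rights inside other folders
#    CREATOR OWNER -> (OI)(CI)(IO)(M): Modify, inherit-only, on what a user creates
#    admins        -> (OI)(CI)(F): Full control on folder, subfolders and files
#    then drop the default broad entries
$root = "$drive\"
icacls $root /grant "${usersGrp}:(M)"
icacls $root /grant "CREATOR OWNER:(OI)(CI)(IO)(M)"
icacls $root /grant "${adminsGrp}:(OI)(CI)(F)"
icacls $root /remove "Authenticated Users"
icacls $root /remove "Builtin\Users"

# 4. Show the resulting ACL, then remove the key-based mapping. From here on the
#    session hosts reach the share with Kerberos through the AD-joined account.
icacls $root
net use $drive /delete | Out-Null
```

Deleting the mapping at the end matters: the access key grants full control over the whole storage account regardless of the IAM and NTFS permissions, so it should be used only for this one-off step and not left cached on an administrator's workstation.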
Once the NTFS permissions have been set appropriately the share is ready to be used and you can point your FSLogix profile location setting to the UNC path of the share!
Conclusion
In this article you have learned how to create a new Azure Storage Account and Azure Files share for use as profile storage for WVD using FSLogix. We have also covered how to enable Active Directory authentication for Azure file shares and how to set Azure and NTFS permissions on Azure File shares.
This is a great alternative to using traditional file servers as it helps reduce the management overhead of running virtual machine file servers.
Don’t forget to check out the official documentation to reinforce these concepts before using in your production environments.