Using Azure Files for FSLogix Profiles

In this blog we are going to learn how to configure Azure Files to serve as the FSLogix profile share. I am using Azure Files Standard for this blog; however, Azure Premium Files or Azure NetApp Files is the recommended storage solution for WVD FSLogix profiles.

Storage Account Creation

First of all, navigate to Storage accounts in the Azure Portal and click on Create.

Screenshot: the Storage accounts blade in the Azure Portal (Home > Storage accounts) with the "+ Create" button.

In the “Create storage account” wizard, select the items below:

  • Subscription
  • Resource Group
  • Storage Account name
  • Storage Account location
  • Storage Account Type
  • Replication

Screenshot: Create storage account, Basics tab, with the example values used in this post: Subscription: Azure Pass - Sponsorship; Resource group: (New) RG-Storage; Storage account name: vdicloudstorage; Location: (Asia Pacific) South India; Performance: Standard; Account kind: StorageV2 (general purpose v2); Replication: Locally-redundant storage (LRS).

In the Networking tab, you need to select the connectivity method as “Private endpoint”.

Private endpoints use a private IP address from your Azure virtual network to communicate with your profile share, so the SMB traffic never goes over the public endpoint. Private endpoints are recommended in Microsoft's FSLogix best practices.

The below diagram illustrates the FSLogix profile connectivity from a WVD session host.

Diagram: a WVD session host in the virtual network resolves the storage account name through DNS and connects to the profile file share through the storage account's private endpoint.

Select “Private endpoint” from the connectivity method.

Screenshot: Create storage account, Networking tab. Connectivity method offers "Public endpoint (all networks)", "Public endpoint (selected networks)" and "Private endpoint"; "Private endpoint" is selected and the "+ Add" button creates a private endpoint for the account.

Click the “+ Add” option to create a private endpoint. Select the subnet in which the private endpoint will be created, and make sure you set the “Storage sub-resource” to “file”. Under Networking, choose a subnet that is close to your WVD subnet.

Screenshot: Create private endpoint, with the example values Subscription: Azure Pass - Sponsorship; Resource group: (New) RG-Storage; Location: (Asia Pacific) South India; Name: fslogixPEP; Storage sub-resource: file; Virtual network: wvdvnet; Subnet: wvd. The portal notes that if a network security group (NSG) is enabled for the selected subnet, it will be disabled for private endpoints on this subnet only; other resources on the subnet still have NSG enforcement.

In the Private DNS Integration page, select “Yes” and select the Private DNS Zone.

Azure Files will then be accessed via \\storageaccount.privatelink.file.core.windows.net\fileshare.

Screenshot: Private DNS integration. The portal recommends integrating the private endpoint with a private DNS zone (your own DNS servers or host files are the alternatives). Integrate with private DNS zone: Yes; Private DNS Zone: (New) privatelink.file.core.windows.net.

On the “Data protection” tab you can select options such as “Turn on soft delete” if you want to protect against accidental deletion of profiles by admins. I do not recommend it here, because FSLogix profiles are managed by admins and a corrupted profile has to be deleted outright.

Screenshot: Create storage account, Data protection tab, listing the options "Turn on point-in-time restore for containers", "Turn on soft delete for blobs", "Turn on soft delete for containers", "Turn on soft delete for file shares" and "Turn on versioning for blobs".

In the “Advanced” tab, make sure “Secure transfer required” is set to “Enabled”, so that the storage account only accepts encrypted SMB 3.x connections to the file share.

Screenshot: Create storage account, Advanced tab, Security section: Secure transfer required: Enabled; Allow shared key access: Enabled; Minimum TLS version: Version 1.2. Blob storage section: Allow Blob public access: Disabled.

Click “Review+Create” to create the Storage account.
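Once the account exists, the security choices made in the wizard can be checked from PowerShell rather than by clicking through the blades again. This is an added example, not part of the original post; it assumes the Az PowerShell module and an existing Connect-AzAccount session, uses the resource group and account name from this post, and the DNS and port checks are meant to be run on a session host inside the WVD virtual network.

```powershell
# Added example: verify the hardening settings chosen in the Create storage account wizard.
# Assumes the Az module is installed and Connect-AzAccount has already been run.
$RgName  = "RG-Storage"        # resource group used in this post
$Storage = "vdicloudstorage"   # storage account used in this post

$sa = Get-AzStorageAccount -ResourceGroupName $RgName -Name $Storage

$checks = [ordered]@{
    # Advanced tab: "Secure transfer required" = Enabled (only encrypted SMB 3.x / HTTPS accepted)
    "Secure transfer required" = ($sa.EnableHttpsTrafficOnly -eq $true)
    # Advanced tab: Minimum TLS version = 1.2
    "Minimum TLS 1.2"          = ($sa.MinimumTlsVersion -eq "TLS1_2")
    # Networking tab: "Private endpoint" leaves the public endpoint denying all networks
    "Public networks denied"   = ($sa.NetworkRuleSet.DefaultAction -eq "Deny")
    # Advanced tab: Allow Blob public access = Disabled
    "Blob public access off"   = ($sa.AllowBlobPublicAccess -ne $true)
}

$checks.GetEnumerator() | ForEach-Object {
    "{0,-26} {1}" -f $_.Key, $(if ($_.Value) { "OK" } else { "REVIEW" })
}

# From a session host in the WVD subnet the account name must resolve through the
# privatelink zone to the private endpoint's 10.x address, not a public Azure IP,
# and TCP 445 must be reachable through that address.
$fqdn = "$Storage.file.core.windows.net"
Resolve-DnsName -Name $fqdn | Select-Object Name, Type, IPAddress
Test-NetConnection -ComputerName $fqdn -Port 445 | Select-Object RemoteAddress, TcpTestSucceeded
```

A line reporting REVIEW, or a RemoteAddress outside your virtual network's range, means the share is still reachable in a way this post's design does not intend.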

File Share Creation

Once you create the Storage account, go to File shares inside the newly created storage account and click on “+File share” to create a new file share.

Provide the name, the quota in GiB and the tier.

If you are planning to use “Standard Azure Files”, select the “Transaction optimized” tier to get maximum performance.

Screenshot: the File shares blade of the vdicloudstorage storage account with the "+ File share" pane open: Name: wvdprofile; Quota: 10 GiB; Tiers: Premium, Transaction optimized (selected), Cool. The blade also shows Active Directory: Not configured and Soft delete: 7 days.

Adding Storage Account to domain

The storage account needs to be joined to the domain before permissions can be set on the file share.

The AzFilesHybrid module is used to join storage accounts to the domain. Download the module by following <https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable>.

Execute the commands below to import the module and join the storage account to the domain:

# Allow the downloaded AzFilesHybrid scripts to run in this user's sessions
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
# Sign in to Azure
Connect-AzAccount
# Copy the AzFilesHybrid module onto the PSModulePath, then import it
.\CopyToPSPath.ps1
Import-Module -Name AzFilesHybrid
$RgName  = "<your resource group>"
$Storage = "<storage account name>"
# Creates the computer account for the storage account in the given OU and enables AD DS authentication
Join-AzStorageAccountForAuth -ResourceGroupName $RgName -StorageAccountName $Storage -Domain "<domain>" -OrganizationalUnitDistinguishedName "<OU path>"

The below screenshot shows an example of successful execution of the command.

Screenshot: PowerShell output of Join-AzStorageAccountForAuth for the storage account vdicloudstorage (resource group RG-Storage, location southindia, SKU Standard_LRS, kind StorageV2, access tier Hot, ProvisioningState Succeeded), and Active Directory Users and Computers showing the new computer account object for the storage account in the Storage OU of the vdicloud.tech domain.

Setting up IAM Permissions to Storage Account

IAM permissions on the storage account are needed for users to access the file share. Below are the IAM role assignments to apply on the storage account.

Role                                              Group
Storage File Data SMB Share Contributor           <WVD users> or <domain users>
Storage File Data SMB Share Elevated Contributor  <Storage Admin>

Navigate to the storage account and click on “Access Control (IAM)”.

Click on “+ Add” and then “Add role assignment” to add the SMB share permissions.

Adding SMB share contributor:-

Screenshot: Add role assignment, Role drop-down showing Storage File Data SMB Share Contributor ("Allows for read, write, and delete access in Azure Storage file shares over SMB"), Storage File Data SMB Share Elevated Contributor and Storage File Data SMB Share Reader.

Add SMB Share Elevated Contributor:-
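The same two role assignments can be made with the Az module instead of the portal, and listed afterwards to confirm nothing broader slipped in. This is an added example, not part of the original post; it assumes the AD groups are synced to Azure AD under the display names "WVD Users" and "Storage Admin" (placeholders, adjust to your tenant) and uses the storage account from this post.

```powershell
# Added example: assign the two SMB share roles from the table above, scoped to the
# storage account only. Assumes an existing Connect-AzAccount session.
$RgName  = "RG-Storage"
$Storage = "vdicloudstorage"
$sa      = Get-AzStorageAccount -ResourceGroupName $RgName -Name $Storage

# Role -> Azure AD group, as in the table: users get read/write/delete on the share,
# only the storage admins get the elevated role (which also allows editing NTFS ACLs).
# Group display names are placeholders for this example.
$assignments = @{
    "Storage File Data SMB Share Contributor"          = "WVD Users"
    "Storage File Data SMB Share Elevated Contributor" = "Storage Admin"
}

foreach ($role in $assignments.Keys) {
    $groupName = $assignments[$role]
    $group = Get-AzADGroup -DisplayName $groupName
    if (-not $group) { throw "Group '$groupName' not found in Azure AD" }

    # Scope to the storage account resource, not the resource group or subscription
    New-AzRoleAssignment -ObjectId $group.Id `
                         -RoleDefinitionName $role `
                         -Scope $sa.Id | Out-Null
}

# Review: list every principal holding an SMB share role on this account
Get-AzRoleAssignment -Scope $sa.Id |
    Where-Object RoleDefinitionName -like "Storage File Data SMB Share*" |
    Select-Object DisplayName, RoleDefinitionName, Scope
```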

Setting up NTFS Permissions

Navigate to the file share and click on Properties. You will access the file share from the Windows VM via \\storageaccountname.file.core.windows.net\filesharename.

Screenshot: Properties of the wvdprofile file share, showing NAME: wvdprofile and URL: https://vdicloudstorage.file.core.windows.net/wvdprofile.

In this example I will use \\vdicloudstorage.file.core.windows.net\wvdprofile to access my profile share from the Windows VM.

Screenshot: File Explorer opened at \\vdicloudstorage.file.core.windows.net\wvdprofile; the folder is empty.

Once the share is accessible, the next step is to set NTFS permissions on it from the VM. The required permissions are listed in the table below.

User account            Folder                              Permissions
Users                   This Folder Only                    Modify
Creator / Owner         Subfolders and Files Only           Modify
<WVD_Admins AD Group>   This Folder, Subfolders, and Files  Full Control

Right-click the file share and click on “Properties”.

Under Security tab, click on Advanced. Set the permissions as shown in the screenshot below and click OK.

Screenshot: Advanced Security Settings, Permissions tab, with three Allow entries and nothing inherited: Users (vdicloudstorage\Users), Modify, This folder only; CREATOR OWNER, Modify, Subfolders and files only; WVD Admins (VDICLOUD\WVD Admins), Full control, This folder, subfolders and files.
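The same three entries can be applied with icacls, which is easier to repeat and to review than the dialog. This is an added example, not part of the original post; run it from a domain-joined VM as a member of the group holding the Elevated Contributor role, and replace the domain and group name (taken from this post's screenshots) with your own.

```powershell
# Added example: set the NTFS entries from the table above with icacls.
# Share and admin group are this post's example values.
$Share  = "\\vdicloudstorage.file.core.windows.net\wvdprofile"
$Admins = "VDICLOUD\WVD Admins"

# A new share root carries default entries, including Modify for Authenticated Users
# on the whole tree. Remove them so only the three intended entries remain.
icacls $Share /remove:g "Authenticated Users"
icacls $Share /remove:g "Users"

# Users: Modify on this folder only. No (OI)/(CI) flags means the entry applies to
# the share root alone, so users can create their own profile folder but not
# read or modify anyone else's.
icacls $Share /grant "Users:(M)"

# CREATOR OWNER: Modify on subfolders and files only. (IO) makes the entry
# inherit-only, so each user gets rights on the folder they create, not the root.
icacls $Share /grant "CREATOR OWNER:(OI)(CI)(IO)(M)"

# WVD admins: Full control on this folder, subfolders and files.
icacls $Share /grant "${Admins}:(OI)(CI)(F)"

# Check: the listing should show exactly the three entries above and nothing
# granting Authenticated Users or Everyone rights on the root.
icacls $Share
```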

Your file share is now ready to serve as the FSLogix profile store. Configure the GPO or registry on the session hosts to point FSLogix at your Azure Files share as the profile path.
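For hosts that are not covered by the GPO, the profile path can be set directly in the registry. This is an added example, not part of the original post; it assumes the FSLogix agent is installed on the session host and uses this post's share as the location.

```powershell
# Added example: point FSLogix at the share via the registry on a session host.
# The FSLogix GPO template writes the same values under this key.
$Share = "\\vdicloudstorage.file.core.windows.net\wvdprofile"
$Key   = "HKLM:\SOFTWARE\FSLogix\Profiles"

if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }

# Enabled = 1 turns profile containers on for this host
New-ItemProperty -Path $Key -Name Enabled -PropertyType DWord -Value 1 -Force | Out-Null

# VHDLocations is a multi-string; more shares can be listed as fallbacks
New-ItemProperty -Path $Key -Name VHDLocations -PropertyType MultiString -Value @($Share) -Force | Out-Null

# Name profile folders <username>_<SID> instead of <SID>_<username>, which is
# easier for admins to find when a profile has to be deleted
New-ItemProperty -Path $Key -Name FlipFlopProfileDirectoryName -PropertyType DWord -Value 1 -Force | Out-Null

# Sanity check from the host: the values are in place and the share is reachable
# through the private endpoint before the first user signs in
Get-ItemProperty -Path $Key | Select-Object Enabled, VHDLocations, FlipFlopProfileDirectoryName
Test-Path -Path $Share
```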
