Using Azure Files for Fslogix Profiles

In this blog we are going to learn about configure Azure Files in order to support as FSLogix Profile share. I am using Azure Files Standard for this blog however it is recommended to use Azure Premium Files or Azure NetApp files as the preferred storage solution for WVD Fslogix.

Storage Account Creation

First of All navigate to Storage Accounts in the Azure Portal and Click on Create.

Home 
Storage accounts 
Default Directory 
+ Create Manage view v 
Refresh ExporttoCSV Open query Assigr 
Filter for any field... 
ShcMing I to I Of I records. 
Name 
cloudshelldevops9900 
Subscription Azure Pass - Sponsorship 
Resource group = = 
Type 
Storage account

In the “create storage account” wizard, select the below items

  • Subscription
  • Resource Group
  • Storage Account name
  • Storage Account location
  • Storage Account Type
  • Replication
Create storage account 
Select the subscription to manage deployed resources and costs. use resource groups like folders to organize and manage all 
your resources. 
Subscription * 
Resource group 
Instance details 
Azure Pass - Sponsorship 
(New) RG-Storage 
Create new 
The default deployment model is Resource Manager. which Supports the latest Azure features. You may choose to deploy 
using the classic deployment model instead Choose classic deployment model 
Storage account name • O 
Location 
Performance @ 
Account kind O 
Replication @ 
vdicloudstorage 
(Asia Pacific) South India 
@ Standard premium 
StorageV2 (general purpose v2) 
Locally-redundant storage (LRS)

In the Networking tab, you need to select the connectivity method as “Private endpoint”.

Private end points use your azure private IP address to communicate with your profile share securely. Private end points are recommended as per Microsoft FSLogix best practices.

The below diagram illustrates the FSLogix profile connectivity from a WVD session host.

Machine generated alternative text:
"WD PEP 
10.1015 
WV DStora ge 
profi 
s g. te nk file 
WVD Session Host 
101014 
DNS 
DNS

Select “Private endpoint” from the connectivity method.

Create storage account 
Basics Networking 
Network connectivity 
Data protection 
Advanced 
Tags 
Review + create 
You can connect to your storage account either publicly. via public IP addresses or service endpoints, or privately, using a 
private endpoint 
Connectivity method • 
private endpoint 
O Public endpoint (all networks) 
O Public endpoint (selected netmrks) 
@ Private endpoint 
Create a private endpoint to allow a private connection to this resource. Additional private endpoint connections can be created within the storage account or priva 
Name 
No private endmnts 
+ Add 
Network routina 
Subscription 
Resource group 
Region 
Target sub-resource ty... Sub

Click “+Add” option to create a private endpoint. You need to select the subnet where the Private End point will be created and also please make sure you select the “storage sub-resource” as “file”. Under Networking tab, select a subnet which is closer to your WVD subnet.

Create private endpoint 
Subscription* O 
Resource group* @ 
Location * 
Name * Q) 
Storage sub-resource 
Networking 
Azure Pass • Sponsorship 
(New) RG-Storage 
(Asia Pacific) Scn_lth India 
fslogixPEP 
To deploy the private endpoint select a virtual netv.ork subnet. Learn more about private endpoint networking 
Virtual network * O 
Subnet • C) 
wvdvnet 
wvd (10_0.10/24) 
O If you have a network security group (NSG) enabled for the subnet above, it Will be disabled 
for private endpoints on this subnet only. Other resources on the subnet will still have NSC 
enforcement,

In the Private DNS Integration page, select “Yes” and select the Private DNS Zone.

Azure Files will be accessed via <\\storageaccount.privatelink.file.core.windows.net\fileshare”> .

Private DNS integration 
To connect privately with your private endpoint. you need a DNS record, We recommend that you integrate your private endpoint with a 
private DNS zone. You can also utilize your own DNS servers or create DNS records using the host files on your virtual machines. 
Learn more about private DNS integration a' 
Integrate with private DNS zone @ 
Private DNS Zone • O 
(New) privatelink.filecore,windows.net

You can select “Data protection” options like “Turn on soft delete” if you want to prevent accidental deletion of profiles by admins. It is not recommended as FSLogix profiles are managed by admins and require deletion if profile is corrupted.

Create storage account 
Basics Networking 
Recovery 
Data protection Advanced 
Tags 
Review • create 
Tum on point-irrtime restore for containers 
Use point-in-time restore to restore one or more containers to an earlier state. If point-in-time restore is enabled then 
versioning, change feed, and blob soft delete must also be enabled. Learn rnore 
Tum on soft delete for blobs 
Soft delete enables you to reccwer blobs that were previously marked for deletion, including blobs that were 
overwritten Learn more el 
Turn on soft delete for containers 
Soft delete enables you to recover containers that were previously marked for deletion, Learn more 
O Sign up is required on a per-subscription basis to use container soft delete. Sign up for container soft delete (3' 
Turn on soft delete for file shares 
Soft delete enables you to recover file shares that were previously marked for deletion. Leam more 
Tracking 
Turn on versioning for blobs 
Use versioning to automatically maintain previous versions of pur blobs for recovery' and restoration. Learn more

In the “Advanced” tab, make sure you make the “secure transfer required” as “Enabled”

Create storage account 
Basics Networking 
Security 
Secure transfer required C) 
Allow shared key access Q) 
Data protection 
Advanced Tags 
Review + create 
O Disabled @ Enabled 
O Disabled @ Enabled 
Minimum TLS version O 
Infrastructure encryption 
Blob storage 
Allow Blob public access 
Blob access tier (default) 
NFSv3 0 
Version 1.2 
Disabled 
Enabled 
O 
o 
Sign up is currently required to enable infrastructure encryption on a pew 
subscription basis. Sign up for infrastructure encryption c/ 
@ Disabled Enabled 
O Cool Hot 
Disabled 
Enabled

Click “Review+Create” to create the Storage account.

File Share Creation

Once you create the Storage account, go to File shares inside the newly created storage account and click on “+File share” to create a new file share.

Profile the name, Quota in GB and Tiers.

If you are planning to use “Standard Azure Files” then select “transaction optimized” Tier to get maximum performance.

Machine generated alternative text:
vdicloudstorage I File shares 
p 
Storage account 
Search (Ctrl+,O 
Object replication 
Azure CDN 
Add Azure Search 
Lifecycle Management 
+ File share 
CD Refresh 
File share settings 
Active Directory: Not configured 
Soft delete: 
7 days 
Modified 
Share capacity: 5 T iB 
Name * 
vudprofile 
Quota O 
10 
Set to maximum 
Tiers O 
Premium 
e Transaction optimized 
Cool 
GiB 
Search file shares by prefix (case-sensitive) 
File service 
File shares 
Table service 
Tables 
Name 
You don't have any file shares yet. Click '+ File share' to get started. 
Tier

Adding Storage Account to domain

 The storage Account need to be added to domain before setting up permissions on the File share.

AzFilesHybrid Module is used to add Storage Accounts to domain. The AzFilesHybrid module need to be downloaded from From <https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable>

Execute the below commands to import the module


Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
connect-azAccount
.\copytopspath.ps1
Import-module -Name Azfileshybrid
$Rgname= “<your resource group>”
$storage =”< storage account name>”  
Join-AzStorageAccountForAuth -ResourceGroupName $rgname -StorageAccountName $storage -Domain <domain> -OrganizationalUnitDistinguishedName “<OU path>”

The below screenshot shows an example of successful execution of the command.

Machine generated alternative text:
Administrator: Windows PowerShell 
PS C: users oca a min Down oa s AZFI esyy r 1 > 301n-AzstorageAccountForAut 
ame Sstorage -Domain 
vdicl oud 
-organizationalunitDistinguishedName 
—mezuu. uuplNällle Srgname —zt-ul ayemeeuull 
StorageAccountName ResourcecroupName pri maryLocation SkuName 
Kind 
Access Tier creati onTi me 
provisioni 
gstate 
di cl oudstorage 
RG-Storage 
southindia 
Standard_LRS StorageV2 Hot 
PS ocal lesHYbri 
Active Directory Users and Computers 
File Action View Help 
Active Directory Users and Com Name 
Saved Queries 
vdicloud.tech 
Builtin 
Computers 
Domain Controllers 
ForeignSecurityPrincipal! 
Managed Service Accout 
VWD 
Session Hosts 
Storage 
3/6/2021 PM succeeded 
x 
Type 
Computer 
Description 
Computer account obje...

Setting up IAM Permissions to Storage Account

IAM permissions on the storage account is needed for accessing the storage account. Below are the IAM permissions to be applied on the storage account.

RoleGroup
Storage file Data SMB Share contributor<WVD users> or <domain users>
Storage file Data SMB Share Elevated contributor<Storage Admin>

Navigate to storage account and click on “Access Control (IAM) “

Click on “+Add” “Add role assignment” to add the SMB share permissions.

Adding SMB share contributor:-

Machine generated alternative text:
Role Q) 
Select a role 
Allows for read, write, and delete access in Azure Storage file shares over SMB 
Storage File Data SMB Share Contributor Q) 
Storage File Data SMB Share Elevated Contributor O 
Storage File Data SMB Share Reader O 
ADSyncAdmins

Add SMB Share Elevated Contributor:-

Setting up NTFS Permissions

Navigate to the file share and click on properties. You will be accessing your file share inside the Windows VM via \\storageaccountname.file.core.windows.net\filesharename

Machine generated alternative text:
wvdprofile I Properties 
1.1 
File share 
P Search (Ctrl+/) 
Overview 
PR Access Control (IAM) 
Settings 
Properties 
Operations 
NAME 
wvdprofile 
URL 
https://vdicloudstorage.file.core.windows.net/vwdprofile 
LAST MODIFIED 
3/6/2021, PM

In this example I will use \\vdicloudstorage.file.core.windows.net\wvdprofile to access my profile share from windows VM

Machine generated alternative text:
File 
Home 
wvdprofile 
Share 
View 
\vdicloudstorage.file.core.windows.net\wvdprofile 
Name 
Search wvdprofile 
Type 
Quick access 
Desktop 
Downloads 
Documents 
Pictures 
This PC 
Date modified 
This folder is empty.

Once accessed the next step is to set up NTFS permissions to the VM. The required permissions are mentioned in the table below.

User AccountFolderPermissions
UsersThis Folder OnlyModify
Creator / OwnerSubfolders and Files OnlyModify
<WVD_Admins AD Group>This Folder, Subfolders, and FilesFull Control

Right Click on the file share and click on “Properties”.

Under Security tab, click on Advanced. Set the permissions as shown in the screenshot below and click OK.

Machine generated alternative text:
Permissions 
Share 
Auditing 
Effective Access 
For additional information, double-click a permission entry. To modify a permission entry, select the entry and click Edit (if available). 
Permission entries: 
Type 
Allow 
Allow 
Allow 
Principal 
Users (vdicloudstorage\Users) 
CREATOR OWNER 
WVD Admins (VDICLOUD\WV... 
Access 
Modify 
Modify 
Full control 
Inherited from 
None 
None 
None 
Applies to 
This folder only 
Subfolders and files only 
This folder, subfolders and files

Your file share is now ready to serve as FSLogix profile store. Configure the GPO/registry to point your Azure files as FSLogix profile path.

One thought on “Using Azure Files for Fslogix Profiles

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s