In this blog we are going to learn how to configure Azure Files to serve as an FSLogix profile share. I am using Azure Files Standard for this blog; however, it is recommended to use Azure Premium Files or Azure NetApp Files as the preferred storage solution for WVD FSLogix.
Storage Account Creation
First, navigate to Storage Accounts in the Azure Portal and click Create.
In the “Create storage account” wizard, select the following items:
- Resource Group
- Storage Account name
- Storage Account location
- Storage Account Type
In the Networking tab, select “Private endpoint” as the connectivity method.
Private endpoints use a private IP address from your Azure virtual network to communicate with your profile share securely. Private endpoints are recommended as per Microsoft FSLogix best practices.
The below diagram illustrates the FSLogix profile connectivity from a WVD session host.
Select “Private endpoint” from the connectivity method.
Click the “+Add” option to create a private endpoint. Select the subnet where the private endpoint will be created, and make sure you select “file” as the “storage sub-resource”. Under the Networking tab, select a subnet that is close to your WVD subnet.
In the Private DNS Integration page, select “Yes” and select the Private DNS Zone.
Azure Files will be accessed via \\storageaccount.privatelink.file.core.windows.net\fileshare.
You can select “Data protection” options like “Turn on soft delete” if you want to prevent accidental deletion of profiles by admins. It is not recommended, as FSLogix profiles are managed by admins and need to be deleted if a profile is corrupted.
In the “Advanced” tab, make sure “Secure transfer required” is set to “Enabled”.
Click “Review+Create” to create the Storage account.
File Share Creation
Once you create the storage account, go to File shares inside the newly created storage account and click on “+File share” to create a new file share.
Provide the name, quota in GB and tier.
If you are planning to use “Standard Azure Files”, select the “Transaction optimized” tier to get maximum performance.
Adding Storage Account to domain
The storage account needs to be added to the domain before setting up permissions on the file share.
The AzFilesHybrid module is used to add storage accounts to the domain. The AzFilesHybrid module needs to be downloaded from <https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable>
Execute the commands below to import the module and join the storage account to the domain.
```powershell
# Allow the downloaded module's scripts to run, for the current user only
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
Import-Module -Name AzFilesHybrid

$RgName  = "<your resource group>"
$Storage = "<storage account name>"

# Join the storage account to the AD DS domain in the given OU
Join-AzStorageAccountForAuth -ResourceGroupName $RgName -StorageAccountName $Storage -Domain "<domain>" -OrganizationalUnitDistinguishedName "<OU path>"
```
The below screenshot shows an example of successful execution of the command.
Setting up IAM Permissions to Storage Account
IAM permissions on the storage account are needed to access it. Below are the IAM permissions to be applied on the storage account.

|Role|Assign to|
|---|---|
|Storage File Data SMB Share Contributor|<WVD users> or <domain users>|
|Storage File Data SMB Share Elevated Contributor|<Storage Admin>|

Navigate to the storage account and click on “Access Control (IAM)”.
Click on “+Add”, then “Add role assignment”, to add the SMB share permissions.
Adding SMB Share Contributor:
Adding SMB Share Elevated Contributor:
Setting up NTFS Permissions
Navigate to the file share and click on Properties. You will be accessing your file share inside the Windows VM via \\storageaccountname.file.core.windows.net\filesharename
In this example I will use \\vdicloudstorage.file.core.windows.net\wvdprofile to access my profile share from a Windows VM.
Once the share is accessed, the next step is to set up NTFS permissions on it from the VM. The required permissions are listed in the table below.

|Principal|Applies to|Permission|
|---|---|---|
|Users|This Folder Only|Modify|
|Creator / Owner|Subfolders and Files Only|Modify|
|<WVD_Admins AD Group>|This Folder, Subfolders, and Files|Full Control|

Right-click on the file share and click on “Properties”.
Under the Security tab, click on Advanced. Set the permissions as shown in the screenshot below and click OK.
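The same NTFS table can be applied and then checked from PowerShell. This is an added example, not part of the original walkthrough; the share path and both group names are placeholders, and it assumes a domain-joined VM and an account allowed to change permissions on the share.

```powershell
# Added example. Placeholders (assumptions): replace with your own values.
$SharePath  = '\\<storageaccountname>.file.core.windows.net\<filesharename>'
$UserGroup  = '<DOMAIN>\<WVD users group>'
$AdminGroup = '<DOMAIN>\<WVD_Admins AD Group>'
$CI_OI      = 'ContainerInherit, ObjectInherit'

# The NTFS table as data: identity, rights, inheritance flags, propagation flags.
$Rules = @(
    @{ Id = $UserGroup;      Rights = 'Modify';      Inherit = 'None'; Propagate = 'None' }        # This folder only
    @{ Id = 'CREATOR OWNER'; Rights = 'Modify';      Inherit = $CI_OI; Propagate = 'InheritOnly' } # Subfolders and files only
    @{ Id = $AdminGroup;     Rights = 'FullControl'; Inherit = $CI_OI; Propagate = 'None' }        # This folder, subfolders and files
)

function Set-ProfileShareAcl {
    param([string]$Path, [hashtable[]]$Rules)
    # Start from an empty, protected DACL so no inherited or leftover entries survive.
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($r in $Rules) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $r.Id, $r.Rights, $r.Inherit, $r.Propagate, 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-ProfileShareAcl {
    param([string]$Path, [hashtable[]]$Rules)
    $sync   = [System.Security.AccessControl.FileSystemRights]::Synchronize
    $actual = @((Get-Acl -LiteralPath $Path).Access)
    foreach ($r in $Rules) {
        # Windows adds Synchronize to stored rights, so compare with it set on both sides.
        $want = [System.Security.AccessControl.FileSystemRights]$r.Rights -bor $sync
        $hit  = $actual | Where-Object {
            $_.IdentityReference.Value -eq $r.Id -and $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -bor $sync) -eq $want -and
            $_.InheritanceFlags -eq $r.Inherit -and $_.PropagationFlags -eq $r.Propagate
        }
        if (-not $hit) { "MISSING: $($r.Id) $($r.Rights)" }
    }
    # Any other identity on the share root widens who can reach profile containers.
    $known = $Rules | ForEach-Object { $_.Id }
    $actual | Where-Object { $known -notcontains $_.IdentityReference.Value } |
        ForEach-Object { "UNEXPECTED: $($_.IdentityReference.Value) $($_.FileSystemRights)" }
}

Set-ProfileShareAcl -Path $SharePath -Rules $Rules
$findings = @(Test-ProfileShareAcl -Path $SharePath -Rules $Rules)
if ($findings) { $findings } else { 'ACL matches the table' }
```

Test-ProfileShareAcl can also be run on its own against an existing share to spot entries that drifted from the table, such as a user group whose Modify right inherits to subfolders.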
Your file share is now ready to serve as an FSLogix profile store. Configure the GPO/registry to point to your Azure Files share as the FSLogix profile path.