Dela via


Store FSLogix profile containers on Azure Files and Active Directory Domain Services or Microsoft Entra Domain Services

This article shows you how to set up a FSLogix profile container with Azure Files when your session host virtual machines (VMs) are joined to an Active Directory Domain Services (AD DS) domain or Microsoft Entra Domain Services managed domain.

Prerequisites

To configure a profile container, you need the following:

  • A host pool where the session hosts are joined to an AD DS domain or Microsoft Entra Domain Services managed domain and users are assigned.
  • A security group in your domain that contains the users who will use the profile container. If you're using AD DS, this must be synchronized to Microsoft Entra ID.
  • Permission on your Azure subscription to create a storage account and add role assignments.
  • A domain account to join computers to the domain and open an elevated PowerShell prompt.
  • The subscription ID of your Azure subscription where your storage account will be.
  • A computer joined to your domain for installing and running PowerShell modules that will join a storage account to your domain. This device needs to be running a Supported version of Windows. Alternatively, you can use a session host.

Important

If users have previously signed in to the session hosts you want to use, local profiles will have been created for them and must be deleted first by an administrator for their profile to be stored in a profile container.

Set up a storage account for a profile container

To set up a storage account:

  1. Create an Azure Storage account if you don't already have one.

    Tip

    Your organization may have requirements to change these defaults:

    • Whether you should select Premium depends on your IOPS and latency requirements. For more information, see Container storage options.
    • On the Advanced tab, Enable storage account key access must be left enabled.
    • For more information on the remaining configuration options, see Plan for an Azure Files deployment.
  2. Create an Azure Files share under your storage account to store your FSLogix profiles if you haven't already.

Join your storage account to Active Directory

To use Active Directory accounts for the share permissions of your file share, you need to enable AD DS or Microsoft Entra Domain Services as a source. This process joins your storage account to a domain, representing it as a computer account. Select the relevant tab below for your scenario and follow the steps.

  1. Sign in to a computer that is joined to your AD DS domain. Alternatively, sign in to one of your session hosts.

  2. Download and extract the latest version of AzFilesHybrid from the Azure Files samples GitHub repo. Make a note of the folder you extract the files to.

  3. Open an elevated PowerShell prompt and change to the directory where you extracted the files.

  4. Run the following command to add the AzFilesHybrid module to your user's PowerShell modules directory:

    .\CopyToPSPath.ps1
    
  5. Import the AzFilesHybrid module by running the following command:

    Import-Module -Name AzFilesHybrid
    

    Important

    This module requires the PowerShell Gallery and Azure PowerShell. You may be prompted to install these if they are not already installed or they need updating. If you are prompted for these, install them, then close all instances of PowerShell. Re-open an elevated PowerShell prompt and import the AzFilesHybrid module again before continuing.

  6. Sign in to Azure by running the command below. You'll need to use an account that has one of the following role-based access control (RBAC) roles:

    • Storage account owner
    • Owner
    • Contributor
    Connect-AzAccount
    

    Tip

    If your Azure account has access to multiple tenants and/or subscriptions, you will need to select the correct subscription by setting your context. For more information, see Azure PowerShell context objects

  7. Join the storage account to your domain by running the commands below, replacing the values for $subscriptionId, $resourceGroupName, and $storageAccountName with your values. You can also add the parameter -OrganizationalUnitDistinguishedName to specify an Organizational Unit (OU) in which to place the computer account.

    $subscriptionId = "subscription-id"
    $resourceGroupName = "resource-group-name"
    $storageAccountName = "storage-account-name"
    
    Join-AzStorageAccount `
        -ResourceGroupName $ResourceGroupName `
        -StorageAccountName $StorageAccountName `
        -DomainAccountType "ComputerAccount"
    
  8. To verify the storage account is joined to your domain, run the commands below and review the output, replacing the values for $resourceGroupName and $storageAccountName with your values:

    $resourceGroupName = "resource-group-name"
    $storageAccountName = "storage-account-name"
    
    (Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName).AzureFilesIdentityBasedAuth.DirectoryServiceOptions; (Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName).AzureFilesIdentityBasedAuth.ActiveDirectoryProperties
    

Important

If your domain enforces password expiration, you must update the password before it expires to prevent authentication failures when accessing Azure file shares. For more information, see Update the password of your storage account identity in AD DS for details.

Assign RBAC role to users

Users needing to store profiles in your file share need permission to access it. To do this, you need to assign each user the Storage File Data SMB Share Contributor role.

To assign users the role:

  1. From the Azure portal, browse to the storage account, then to the file share you created previously.

  2. Select Access control (IAM).

  3. Select + Add, then select Add role assignment from the drop-down menu.

  4. Select the role Storage File Data SMB Share Contributor and select Next.

  5. On the Members tab, select User, group, or service principal, then select +Select members. In the search bar, search for and select the security group that contains the users who will use the profile container.

  6. Select Review + assign to complete the assignment.

Set NTFS permissions

Next, you'll need to set NTFS permissions on the folder, which requires you to get the access key for your Storage account.

To get the Storage account access key:

  1. From the Azure portal, search for and select storage account in the search bar.

  2. From the list of storage accounts, select the account that you enabled Active Directory Domain Services or Microsoft Entra Domain Services as the identity source and assigned the RBAC role for in the previous sections.

  3. Under Security + networking, select Access keys, then show and copy the key from key1.

To set the correct NTFS permissions on the folder:

  1. Sign in to a session host that is part of your host pool.

  2. Open an elevated PowerShell prompt and run the command below to map the storage account as a drive on your session host. The mapped drive won't show in File Explorer, but can be viewed with the net use command. This is so you can set permissions on the share.

    net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> <storage-account-key> /user:Azure\<storage-account-name>
    
    • Replace <desired-drive-letter> with a drive letter of your choice (for example, y:).
    • Replace both instances of <storage-account-name> with the name of the storage account you specified earlier.
    • Replace <share-name> with the name of the share you created earlier.
    • Replace <storage-account-key> with the storage account key from Azure.

    For example:

    net use y: \\fsprofile.file.core.windows.net\share HDZQRoFP2BBmoYQ(truncated)== /user:Azure\fsprofile
    
  3. Run the following commands to set permissions on the share that allow your Azure Virtual Desktop users to create their own profile while blocking access to the profiles of other users. You should use an Active Directory security group that contains the users you want to use the profile container. In the commands below, replace <mounted-drive-letter> with the letter of the drive you used to map the drive and <DOMAIN\GroupName> with the domain and sAMAccountName of the Active Directory group that will require access to the share. You can also specify the user principal name (UPN) of a user.

    icacls <mounted-drive-letter>: /grant "<DOMAIN\GroupName>:(M)"
    icacls <mounted-drive-letter>: /grant "Creator Owner:(OI)(CI)(IO)(M)"
    icacls <mounted-drive-letter>: /remove "Authenticated Users"
    icacls <mounted-drive-letter>: /remove "Builtin\Users"
    

    For example:

    icacls y: /grant "CONTOSO\AVDUsers:(M)"
    icacls y: /grant "Creator Owner:(OI)(CI)(IO)(M)"
    icacls y: /remove "Authenticated Users"
    icacls y: /remove "Builtin\Users"
    

Configure your local Windows device to use profile containers

In order to use profile containers, you'll need to make sure FSLogix Apps is installed on your device. If you're configuring Azure Virtual Desktop, FSLogix Apps is preinstalled in Windows 10 Enterprise multi-session and Windows 11 Enterprise multi-session operating systems, but you should still follow the steps below as it might not have the latest version installed. If you're using a custom image, you can install FSLogix Apps in your image.

To configure profile containers, we recommend you use Group Policy Preferences to set registry keys and values at scale across all your session hosts. You can also set these in your custom image.

To configure your local Windows device:

  1. If you need to install or update FSLogix Apps, download the latest version of FSLogix and install it by running FSLogixAppsSetup.exe, then following the instructions in the setup wizard. For more details about the installation process, including customizations and unattended installation, see Download and Install FSLogix.

  2. Open an elevated PowerShell prompt and run the following commands, replacing \\<storage-account-name>.file.core.windows.net\<share-name> with the UNC path to your storage account you created earlier. These commands enable the profile container and configure the location of the share.

    $regPath = "HKLM:\SOFTWARE\FSLogix\profiles"
    New-ItemProperty -Path $regPath -Name Enabled -PropertyType DWORD -Value 1 -Force
    New-ItemProperty -Path $regPath -Name VHDLocations -PropertyType MultiString -Value \\<storage-account-name>.file.core.windows.net\<share-name> -Force
    
  3. Restart your device. You'll need to repeat these steps for any remaining devices.

You have now finished the setting up your profile container. If you're installing the profile container in your custom image, you'll need to finish creating the custom image. For more information, follow the steps in Create a custom image in Azure from the section Take the final snapshot onwards.

Validate profile creation

Once you've installed and configured the profile container, you can test your deployment by signing in with a user account that's been assigned an application group or desktop on the host pool.

If the user has signed in before, they'll have an existing local profile that they'll use during this session. Either delete the local profile first, or create a new user account to use for tests.

Users can check that the profile container is set up by following the steps below:

  1. Sign in to Azure Virtual Desktop as the test user.

  2. When the user signs in, the message "Please wait for the FSLogix Apps Services" should appear as part of the sign-in process, before reaching the desktop.

Administrators can check the profile folder has been created by following the steps below:

  1. Open the Azure portal.

  2. Open the storage account you created in previously.

  3. Go to Data storage in your storage account, then select File shares.

  4. Open your file share and make sure the user profile folder you've created is in there.