Configure FSLogix To Use Azure Files

In this blog post, we will discuss how to configure Azure Files for FSLogix Profile Containers.

Profile Containers

Fslogix Profile Containers is a user profile management tool developed by Microsoft that is designed to simplify the management of user profiles in virtual desktop environments. It allows organizations to manage user profiles in a centralized manner, making it easier for IT administrators to manage large numbers of users across different desktops and virtual machines.

Fslogix Profile Containers uses a technology called containerization to separate user profiles from the underlying operating system and applications. This means that user profiles can be easily managed and transferred between different virtual machines without having to worry about compatibility issues or other problems that might arise when migrating user data between different environments.

One of the key benefits of Fslogix Profile Containers is that it eliminates the need for roaming profiles. Roaming profiles have traditionally been used to manage user profiles in virtual desktop environments, but they can be difficult to manage and can cause performance issues. Fslogix Profile Containers addresses these issues by providing a more streamlined and efficient way to manage user profiles

Another advantage of Fslogix Profile Containers is that it supports a wide range of virtual desktop environments, including Microsoft Remote Desktop Services (RDS), Citrix Virtual Apps and Desktops, and VMware Horizon. This makes it a flexible and versatile tool that can be used in a variety of different virtual desktop environments.

Create an Azure Files Share

The following Azure CLI commands will create an Azure Storage account and a storage container to store user profiles.


az storage account create -n $storageaccountname  -g $rg -l $location --sku $storagesku  --debug

az storage share create --account-name $storageaccountname  --name $fileshare --debug

Join Azure Files Storage Account to Active Directory

In our case, we are using Active Directory in a hybrid configuration for our identity, and therefore, we need to join the Azure Storage account to Active Directory using the following command.

The command below needs to run from a Domain Controller.

First, you need to download and run the following PowerShell script from a Domain Controller.

To run the script run.


Once the script is finished running, import the module using the command below.

Import-Module -Name AzFilesHybrid

Next, we need to connect to Azure using.


And finally, run join the storage account to Active Directory

$subscriptionId = "your-Azure-subscription-id"
$resourceGroupName = "storage-account-resource-group-name"
$storageAccountName = "storage-account-name"

Join-AzStorageAccount `
    -ResourceGroupName $ResourceGroupName `
    -StorageAccountName $StorageAccountName `
    -DomainAccountType "ComputerAccount" `
    -EncryptionType "'RC4','AES256'"

To verify, that the join was successful, run the following cmdlet.

$resourceGroupName = "storage-account-resource-group"
$storageAccountName = "storage-account-name"

(Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName).AzureFilesIdentityBasedAuth.DirectoryServiceOptions; (Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName).AzureFilesIdentityBasedAuth.ActiveDirectoryProperties

Setup IAM Permissions on The Storage Account

Now, we need to configure permissions on the storage account. The permissions will give users access to the storage account where their profiles are stored.

For this part, we have an Active Directory group that is synced to Azure AD using Azure AD connect. The group has all the users that will use FSLogix profile containers.

The following Azure CLI command will assign the group the permissions they need (Storage File Data SMB Share Contributor) to access the Azure Files storage account.

az role assignment create --assignee-object-id <assignee-object-id> --role "Storage File Data SMB Share Contributor" --scope <storage-account-resource-id>

Connect Storage Account to DC

Next, we are going to mount the Azure Storage Account file share to our Domain Controller and assign more permissions. For this part, we need to copy the following details.

  • Azure Storage Account name
  • Storage Account Key

In our case, The drive will be mounted to the Z drive. You can change it to any drive that is not in use on your server.

net use Z: \\<storage-account-name>\<share-name> <storage-account-key> /user:Azure\<storage-account-name>

Configure  access control lists (DACL)

The last step in the storage configuration is to configure DACL on the mounted drive and essentially lock down the permissions that users can’t access other profiles except for theirs.

The first line is the most important line and needs to be changed. In our case, it is the Active Directory group with all the users that are going to use FSlogix. You can either use the group’s UPN or the following format Domain\GroupName

The last three lines do not need to change.

icacls z: /grant "FSUsers@YOURUPNDOMAIN.COM:(M)"
icacls z: /grant "Creator Owner:(OI)(CI)(IO)(M)"
icacls z: /remove "Authenticated Users"
icacls z: /remove "Builtin\Users"

Final notes, In the next post, we will show how to configure a group policy that configures configure FSlogix profile containers for users.

Note: For FSLogix to work on Windows 10 \ 11, you must install the FSLogix software on the machine.

Azure Files

Azure Files is a managed file storage service provided by Microsoft Azure that allows you to create, store, and share file shares in the cloud. It is built on top of the Server Message Block (SMB) protocol, which means it is compatible with the widely-used SMB protocol supported by Windows, macOS, and Linux operating systems. Azure Files is designed to be highly available, secure, and scalable, making it a suitable option for various workloads and scenarios.

Success! You're on the list.






Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.