In this blog post, we will discuss how to configure Azure Files for FSLogix Profile Containers.
Profile Containers
FSLogix Profile Containers is a user profile management tool from Microsoft, designed to simplify profile management in virtual desktop environments. It keeps user profiles in a central location, which makes it easier for IT administrators to manage large numbers of users across different desktops and virtual machines.
Rather than copying the profile onto every machine a user signs in to, FSLogix stores the whole profile in a VHD or VHDX virtual disk on a file share and mounts that disk into the session at logon. The profile therefore stays separate from the underlying operating system and applications, and it can follow the user between virtual machines without the compatibility and synchronization problems that arise when profile data is copied between environments.
One of the key benefits of FSLogix Profile Containers is that it eliminates the need for roaming profiles. Roaming profiles have traditionally been used to manage user profiles in virtual desktop environments, but they are difficult to manage and can cause performance issues, since the whole profile is copied at logon and logoff. FSLogix Profile Containers addresses these issues by providing a more streamlined and efficient way to manage user profiles.
Another advantage of FSLogix Profile Containers is that it supports a wide range of virtual desktop environments, including Microsoft Remote Desktop Services (RDS), Citrix Virtual Apps and Desktops, and VMware Horizon. This makes it a flexible tool that can be used in a variety of virtual desktop environments.
Create an Azure Files Share
The following Azure CLI commands create an Azure Storage account and the file share that will hold the profile containers. Premium (SSD-backed) storage is used because FSLogix mounts each profile as a VHD(X) at logon, so logon time tracks the share's IOPS and latency directly.
# Storage account names are globally unique, lowercase, 3-24 characters.
storageaccountname="fslogixntweeky0001"
rg="fslogix"
location="southeastasia"
storagesku="Premium_LRS"
fileshare="profilecontainers"
az group create -n $rg -l $location
# Premium file shares need the FileStorage account kind; Premium_LRS on the
# default StorageV2 kind does not give you premium SMB shares.
az storage account create -n $storageaccountname -g $rg -l $location --sku $storagesku --kind FileStorage
# Create the share through the management plane so the account key is not
# needed here; 100 GiB is the smallest provisioned size for a premium share.
az storage share-rm create --storage-account $storageaccountname --name $fileshare --quota 100
Join Azure Files Storage Account to Active Directory
In our case, we use Active Directory in a hybrid configuration for identity, so the storage account has to be joined to Active Directory. The AzFilesHybrid module does this by creating a computer account in AD that represents the storage account and enabling Kerberos authentication on the share; the account's password is the storage account's Kerberos key, so if your domain enforces a maximum password age you will need to rotate it with Update-AzStorageAccountADObjectPassword before it expires, or SMB authentication stops working.
The commands below run on a domain-joined machine that has the Active Directory PowerShell module installed, logged in with an account that is allowed to create computer objects in the target OU. A Domain Controller, which is what we use here, meets that requirement.
First, download the following PowerShell script to that machine.
https://github.com/Azure-Samples/azure-files-samples/blob/master/AzFilesHybrid/CopyToPSPath.ps1
Run the script:
.\CopyToPSPath.ps1
Once the script is finished running, import the module using the command below.
Import-Module -Name AzFilesHybrid
Next, connect to Azure:
Connect-AzAccount
Finally, join the storage account to Active Directory:
$subscriptionId     = "your-Azure-subscription-id"
$resourceGroupName  = "storage-account-resource-group-name"
$storageAccountName = "storage-account-name"

# Make sure the right subscription is active before touching the account.
Select-AzSubscription -SubscriptionId $subscriptionId

# Register the storage account as a computer object in AD. AES256 only:
# RC4 is the legacy Kerberos cipher and should not be offered for a new account.
Join-AzStorageAccount `
    -ResourceGroupName $resourceGroupName `
    -StorageAccountName $storageAccountName `
    -DomainAccountType "ComputerAccount" `
    -EncryptionType "AES256"
To verify that the join was successful, run the following cmdlets. DirectoryServiceOptions should come back as AD, and ActiveDirectoryProperties should list the domain and the AD object that was created. If SMB authentication later fails, the AzFilesHybrid module also provides Debug-AzStorageAccountAuth for a step-by-step diagnosis.
$resourceGroupName  = "storage-account-resource-group"
$storageAccountName = "storage-account-name"
$account = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName
$account.AzureFilesIdentityBasedAuth.DirectoryServiceOptions      # expected: AD
$account.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties
Set up IAM Permissions on the Storage Account
Now we configure share-level permissions. Azure Files checks two layers for identity-based access: an Azure RBAC role on the share decides whether an identity may open the share over SMB at all, and the NTFS DACL set in the next steps decides what it may do inside. Both layers must allow the access.
For this part we have an Active Directory group, synced to Azure AD with Azure AD Connect, that contains every user who will use FSLogix Profile Containers.
The following Azure CLI command assigns the group the Storage File Data SMB Share Contributor role, which allows read, write and delete on the share but not changing NTFS permissions. The assignee is the object ID of the synced group in Azure AD, not its on-premises identifier. The scope shown is the storage account; to follow least privilege, scope it to the share instead by appending /fileServices/default/fileshares/<share-name> to the storage account resource ID.
az role assignment create --assignee-object-id <assignee-object-id> --role "Storage File Data SMB Share Contributor" --scope <storage-account-resource-id>
Connect Storage Account to DC
Next, we mount the file share on the Domain Controller so that NTFS permissions can be set on it. For this part, copy the following details from the portal (or from az storage account keys list):
- Azure Storage Account name
- Storage Account Key
Two caveats before running the command. The account key is a superuser credential for the whole storage account: it bypasses both the RBAC assignment above and every NTFS ACL, so treat it like a domain admin password, keep it out of shell history and scripts, and unmount the share (net use Z: /delete) as soon as the ACLs are set. If you would rather not handle the key at all, assign your admin account the Storage File Data SMB Share Elevated Contributor role on the share and mount it with your Kerberos identity; that role is the one that permits changing NTFS permissions over SMB. The mount also needs outbound TCP 445 from the server to the storage account endpoint.
In our case, the share is mounted as the Z drive. You can use any drive letter that is not in use on your server.
net use Z: \\<storage-account-name>.file.core.windows.net\<share-name> <storage-account-key> /user:Azure\<storage-account-name>
Configure access control lists (DACL)
The last step in the storage configuration is to set the DACL on the mounted share so that each user can reach their own profile folder and nothing else. The four lines work together: the user group gets Modify on the share root only (no inheritance flags), which lets members create a folder but gives them no rights inside folders created by others; CREATOR OWNER gets an inherit-only Modify, so whoever creates a profile folder, and the VHD(X) inside it, controls their own data; and the two broad built-in groups that Azure Files grants on a new share are removed, since Authenticated Users with Modify is exactly what would let one user open another user's container.
The first line is the one that needs changing: in our case it names the Active Directory group containing all FSLogix users. You can use either the group's UPN-style name (group@domain) or the Domain\GroupName form.
The last three lines do not need to change.
icacls z: /grant "FSUsers@YOURUPNDOMAIN.COM:(M)"
icacls z: /grant "Creator Owner:(OI)(CI)(IO)(M)"
icacls z: /remove "Authenticated Users"
icacls z: /remove "Builtin\Users"
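The following helper is added here and is not part of the original post. It checks the DACL on the mounted share against the lockdown the icacls lines above are meant to produce, and also inspects any profile folders that already exist, since a folder created while Authenticated Users still had Modify, or one with inheritance broken, keeps its old ACEs after the root is fixed. It assumes the share is mounted on Z: and that the FSLogix group resolves to CONTOSO\FSUsers; both are placeholders.

```powershell
# Added verification helper, not part of the original post. Checks that the
# DACL on the mounted profile share matches the lockdown the icacls lines
# above produce. Placeholders: share mounted on Z:, FSLogix group CONTOSO\FSUsers.
function Test-ProfileShareAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,       # share root, e.g. 'Z:\'
        [Parameter(Mandatory)] [string] $UserGroup   # NT account form, e.g. 'CONTOSO\FSUsers'
    )

    $fsr = [System.Security.AccessControl.FileSystemRights]
    $inh = [System.Security.AccessControl.InheritanceFlags]
    $broadGroups = 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
    $problems = [System.Collections.Generic.List[string]]::new()

    $rules = @((Get-Acl -Path $Path).Access | Where-Object { $_.AccessControlType -eq 'Allow' })

    # 1. The broad built-in principals must be gone. Authenticated Users with
    #    Modify is the default on a new share and would let any user open and
    #    alter everyone else's profile container.
    foreach ($broad in $broadGroups) {
        if ($rules | Where-Object { $_.IdentityReference.Value -eq $broad }) {
            $problems.Add("'$broad' still has an ACE on $Path")
        }
    }

    # 2. The user group needs Modify on the root only (no (OI)(CI)): members can
    #    create their own folder, but the grant must not flow into folders that
    #    other members create.
    $groupRules = @($rules | Where-Object { $_.IdentityReference.Value -eq $UserGroup })
    if ($groupRules.Count -eq 0) { $problems.Add("no Allow ACE for '$UserGroup' on $Path") }
    foreach ($r in $groupRules) {
        if (-not $r.FileSystemRights.HasFlag($fsr::Modify)) {
            $problems.Add("'$UserGroup' has '$($r.FileSystemRights)' rather than Modify on $Path")
        }
        if ($r.InheritanceFlags -ne $inh::None) {
            $problems.Add("'$UserGroup' ACE is inheritable ($($r.InheritanceFlags)); it must be 'this folder only'")
        }
    }

    # 3. CREATOR OWNER must have an inherit-only Modify that reaches both
    #    subfolders and files, so each user owns what they create and nothing more.
    $coRules = @($rules | Where-Object { $_.IdentityReference.Value -eq 'CREATOR OWNER' })
    if ($coRules.Count -eq 0) { $problems.Add("no CREATOR OWNER ACE on $Path") }
    foreach ($r in $coRules) {
        $reachesAll = $r.InheritanceFlags.HasFlag($inh::ContainerInherit) -and
                      $r.InheritanceFlags.HasFlag($inh::ObjectInherit)
        if (-not ($reachesAll -and $r.FileSystemRights.HasFlag($fsr::Modify))) {
            $problems.Add("CREATOR OWNER ACE on $Path is not (OI)(CI)(IO)(M)")
        }
    }

    # 4. Anything else granted at the root deserves a look. SYSTEM and the local
    #    Administrators group are expected; other principals usually are not.
    $expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER', $UserGroup
    foreach ($r in $rules) {
        if ($expected -notcontains $r.IdentityReference.Value) {
            $problems.Add("unexpected ACE for '$($r.IdentityReference.Value)' ($($r.FileSystemRights)) on $Path")
        }
    }

    # 5. Existing profile folders keep whatever ACEs they got when created; none
    #    of them should be readable by the whole group or by the broad groups.
    foreach ($dir in Get-ChildItem -Path $Path -Directory) {
        $childIds = (Get-Acl -Path $dir.FullName).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { $_.IdentityReference.Value }
        foreach ($bad in ($broadGroups + $UserGroup)) {
            if ($childIds -contains $bad) {
                $problems.Add("profile folder '$($dir.Name)' grants access to '$bad'")
            }
        }
    }

    [pscustomobject]@{ Path = $Path; Pass = ($problems.Count -eq 0); Problems = $problems }
}

# Usage with the placeholder values:
$result = Test-ProfileShareAcl -Path 'Z:\' -UserGroup 'CONTOSO\FSUsers'
if ($result.Pass) { Write-Output "DACL on $($result.Path) is locked down" }
else { $result.Problems | ForEach-Object { Write-Warning $_ } }
```

Run it from the same session that mounted Z: after the four icacls lines. Get-Acl returns identities in Domain\Name form even when the grant was written with the UPN-style name, which is why the group is passed as CONTOSO\FSUsers here. A failure in check 5 is the one to take seriously on a share that has been in use for a while: fixing the root does not retroactively tighten folders that were created while the defaults were still in place.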
Final notes: in the next post, we will show how to configure a Group Policy that sets up FSLogix Profile Containers for users.
Note: For FSLogix to work on Windows 10 / 11, the FSLogix Apps agent must be installed on the machine.
Azure Files
Azure Files is a managed file storage service in Microsoft Azure for creating, storing and sharing file shares in the cloud. Shares are exposed over the Server Message Block (SMB) protocol, so they can be mounted natively by Windows, macOS and Linux; premium shares can also be served over NFS, and a REST API is available. SMB access uses SMB 3.x with encryption in transit and requires TCP port 445 to be reachable from the client. Azure Files is designed to be highly available, secure and scalable, which is what makes it a suitable home for FSLogix profile containers.