Created: 10-2-21
Updated: 1-23-22
In this article I’m going to show you how to integrate a storage account in Azure and tied it into On-Premise Active Directory.
you’ll be running this script from a Domain Controller (unless your using RSAT) and typically domain controllers don’t have JavaScript installed. Which to me is crazy that a Microsoft process in dependent upon an Oracle product to open a login prompt, but they this is Microsoft, they do things on purpose. 😉
A few things to start:
- The resource group is called “avdrg”
- The storage account is called “avdsa”
- You create a transaction-optimized file share for the storage account
- The tenant name is “test-tenant”
- The tenant ID for make believe is “xxxxxx.xxxx.xxxx.xxxx.xxxxxxxxxxx”
- You downloaded the latestAzure Files Hybrid PowerShell script (azfileshybrid.zip) and extracted the contents to C:/temp, they can be found (latest as of 9-24-21 – please check to see if there is a more up-to-date version) here
- You have a functioning Windows Server domain infrastructure
- You have a Windows Server domain controller
Let’s get started:
- Open up a PowerShell as administrator, preferably on your domain controller
- Type the following:
# Step 1
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
# Step 2
Install-PackageProvider -Name NuGet -Force
# Step 3
# Navigate to the location you placed the AzFilesHybrid files from MSFT on your Domain Controller, my location an an example is below:
cd C:\temp\AzFilesHybrid
#Step 4
.\CopyToPSPath.ps1
# Step 5
Import-Module -Name .\AzFilesHybrid.psd1
#Step 6a
# If you don’t have the Module AZ installed or are unsure do this:
Install-Module Az
# Step 6b
Import-Module Az
#Step 7
# ensure you have the latest JavaScript installed in for the prompt to show up correctly.
Connect-AzAccount
#Step 8
# save some variables
$subscriptionID = (Get-azContent).Subscription.Id
$ResourceGroupName = ‘avdrg’
$StorageAccountName = (Get-AzStorageAccount -ResourceGroupName $ResourceGroupName)[0].StorageAccountName
#Step 9
Join-AzStorageAccountForAuth `
-ResourceGroupName $ResourceGroupName `
-StorageAccountName $StorageAccountName `
-DomainAccountType 'ComputerAccount' `
-OrganizationalUnitDistinguishedName 'OU=AVDOU,DC=domain,DC=local
#Step 10
# Note: you’ll need to find your ‘File Service’ URL for your Storage account
# Note: it’s presently, as of 9-24-21, found under your Storage Accounts “Settings” and inside of “Endpoints”
# replace the forward slashed with back slashes for UNC path navigation testing
# remove https://
https://<Name of your Resource Group where your AVD is deployed here>.file.core.windows.net/
# Then just tack of your Storage account name at the end and convert it to a UNC path as shown below:
# Example:
\\<Name of your Resource Group where your AVD is deployed here>.file.core.windows.net\<Name of your Storage Account here>
# Step 11
# With your UNC path determined, and you have all of your network setup correctly, on your domain controller open up file explorer and enter:
\\<Name of your Resource Group where your AVD is deployed here>.file.core.windows.net\<Name of your Storage Account here>
# Note: in order for you to “navigate” to this UNC path, don’t forget to go to “Security + Networking” and then click on “Networking” in your Storage Account, and ensure you have either “Allow access from” either as “all networks” or the preferred “Selected Networks” and then select your Azure vNet’s you want to be able to communicate with this Storage account. Example if you have your Windows Servers on on subnet in a vNet and your AVD on another subnet in the vNet, you’d include both of those and also any subnet that link to on-premise networks via your edge firewall in Azure linking towards your on-premise firewall and associated on-premise LAN segment; if this is NOT configured you won’t be able to UNC navigate to the folder
**Updated Notes -1-23-21**
# Special note – if your accessing this storage account remotely, and your not on a trusted network, do add your public IP of say your home location as a trusted address in order for you to access the location via Azure Storage Explorer or it will give you an error code
# Special note – if you plan to allow access to this folder from say Sharepoint or any O365 apps to push files from say Sharepoint to this File Share, do select “all networks”, as this will prevent things like logic apps from accessing the File Share if you specify “Specific Networks”
# Step 12
# Note: I’m assuming you added the SMB Share Contributor and SMB Share Elevated Contributor roles for this file share in the Storage Account prior to doing this step
# Note: with the File Explorer open for the UNC path, glance at the top row and you’ll see “File | Home | Share | View”, click on Share and then click on “Advanced Security” this will open the NTFS permissions for this file share
# Make sure you remove all permissions except for Administrators, Users, and CREATOR OWNER, and then modify “Users” and toggle “Modify”, then press ok, and apply then ok again on the NTFS permissions. Give “Administrators” the permission of “Full Control”
# Step 13
# Debugging the Storage Account to check for any errors
debug-AzStorageAccountAuth -StorageAccountName $StorageAccountName -ResourceGroupName $ResourceGroupName -Verbose
Now that we have this done, we can move into setting up the Storage Account File Shares permissions required for FSlogix to work. In order for it to work, you need to assign these permissions:
You add users (preferrable though you should create security groups from on-premise AD) to both the “Storage File Data SMB Share Contributor” & “Storage File Data SMB Share Elevated Contributor”. To do this you do the following:
Note: Storage File Data SMB Share Contributor = users
Note: Storage File Data SMB Share Elevated Contributor = administrators
- Open up Azure Storage Accounts
- Find your Azure Storage Account you created from above
- Click on your File Share inside of the Azure Storage Account
- Click on Access Control (IAM)
- Click on Add Role Assignment
- On the right side click on Role and select Storage File Data SMB Share Contributor and in the select field find your AVD Users Group and select it, then press save
- Repeat the same process for the Storage File Data SMB Share Elevated Contributor but this time select the AVD Admin Group, and select it, then press save
Now that this is done, you’ll need to wait between 20 minutes to the next day for the permissions to take full effect.
While these permissions are propogating on the Azure backend, you can go ahead and download the FSlogix application and install it on the AVD session hosts of your AVD. To do this, you do the following:
- Download the FSlogix application (also mentioned above, in-case you miss it) here
- Now copy this file to each of your AVD hosts and install it.
- After its installed, open up regedit as an administrator
- Navigate to this location: HKLM\SOFTWARE\FSLogix\Profiles
- Create the following registry keys:
- A DWORD with the name of “Enabled” with a value of 1
- A REG_SZ or MULTI_SZ with a name of “VHDLocations” with a value of the UNC path as done above, for an example you would use: “\\<Name of your Resource Group where your AVD is deployed here>.file.core.windows.net\<Name of your Storage Account here>”
- A DWORD with a name of “DeleteLocalProfileWhenVHDShouldApply” with a value of 1
- (Optional) A DWORD with a name o “PreventLoginWithTempProfile” with a value of 1
- After you create the registry keys, reboot the AVD Session host
Note: I personally do registry keys for the above setting, but if you were to navigate to the Fslogix folder of the file you downloaded you’ll find a fslogix.admx and a fslogix.adml file; hese could be place in the policies folder like we did above at the begining of the article to do all of these registry keys as a GPO. I won’t show you how to do this (the location in a GPO is: Computer Configuration > Policies > Administrative Templates > Fslogix > Profile Containers > all-of-the-settings-are-within), I’m sure if you’ve followed along this far your tech savvy enough to figure it out. 😉
Assuming you have done all of this article correctly and you have assigned users or security groups to the AVD’s workspace and AVD DAG Application Group, you can sign in with the users assigned to the security groups. This wraps up this article and I hope the with these detailed technical notes, this helps you decode how to do this task. 😀
Cheers! :-D