
Configure the FSLogix profile container on Azure Files

Create an Azure Files storage account and enable Azure AD Domain Services authentication

Now it’s time to enable Azure AD Domain Services authentication over Server Message
Block (SMB). For more details on this process, see the Azure Storage Documentation.

First, navigate to the Microsoft Azure Portal, select All services from the sidebar, and
select Storage accounts.

Next, click Add to start the Create storage account wizard. Enter the following details:

 Select the Subscription (if applicable).
 Select an existing Resource group, or select Create new to create a new one.
 Enter the Storage account name.
 Select the Location. (We recommend using the same location as the session host VMs.)
 Select the Performance tier.
 Select the StorageV2 (general purpose V2) Account kind.

Select Review + create.

This will trigger validation of the input, as shown below.


Once the account has passed validation, select Create. This will start the deployment.

Once the deployment has completed, proceed to the next step by selecting Go to resource.
Select Configuration from the left pane, then enable Azure Active Directory
authentication for Azure Files (Preview) in the main pane. Confirm this change by
selecting Save.

Once saved, select Overview in the left pane, then Files in the main pane.
Select File share and enter the Name and Quota.

Copy and paste the following role definition into Notepad or another plain text editor:

{
    "Name": "<Custom-Role-Name>",
    "Id": null,
    "IsCustom": true,
    "Description": "Allows for read, write and delete access to Azure File Share over SMB",
    "Actions": [
        "*"
    ],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"
    ],
    "DataActions": [
        "*"
    ],
    "AssignableScopes": [
        "/subscriptions/<Subscription-ID>"
    ]
}

Replace <Custom-Role-Name> with AADDCpreview and replace <Subscription-ID> with the ID of the subscription in which the storage account is located.

Note: To get the subscription ID, navigate to the Microsoft Azure Portal, select All services from the sidebar, and select Subscriptions from the Everything menu.

Save the file as CustomRole.JSON.

Open Windows PowerShell as an administrator.

In PowerShell:
1. Execute the following command:
Login-AzureRmAccount
2. When prompted, enter Global administrator or Contributor credentials.
3. If needed, select the desired subscription, then execute the following command:
New-AzureRmRoleDefinition -InputFile "C:\temp\CustomRole.json"
4. If prompted for -InputFile, enter the file path of the JSON file.
5. Assign the new role to all users that will be getting user profiles:

# Get the custom role (AzureRm cmdlets are used throughout, matching Login-AzureRmAccount above):
$FileShareContributorRole = Get-AzureRmRoleDefinition "<role-name>"
# Constrain the scope to the target file share:
$scope = "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/fileServices/default/fileshare/<share-name>"
# Assign the custom role to the target identity with the specified scope:
New-AzureRmRoleAssignment -SignInName <user-principal-name> -RoleDefinitionName $FileShareContributorRole.Name -Scope $scope
Make the following modifications to the commands above:
o For <role-name>, specify the same name as the one defined in the JSON file (AADDCpreview).
o Replace <subscription-id> with the desired subscription ID.
o Replace <resource-group> with the name of the resource group where the storage account is located (profiles).
o Replace <storage-account> with the name of the storage account (fsprofile).
o Replace <share-name> with the name of the share created earlier (share).
o Replace <user-principal-name> with the user principal name of each user that will use FSLogix profiles on Azure Files.

Here's an example:
$FileShareContributorRole = Get-AzureRmRoleDefinition "AADDCpreview"
# Compose the scope for the target file share:
$scope = "/subscriptions/1783ee2d-7d93-47ee-afc1-1ce9f7dc7678/resourceGroups/profiles/providers/Microsoft.Storage/storageAccounts/fsprofile2/fileServices/default/fileshare/share"
# Assign the custom role to the target user by UPN:
New-AzureRmRoleAssignment -SignInName "adele.vance@airlift2020outlook.onmicrosoft.com" -RoleDefinitionName $FileShareContributorRole.Name -Scope $scope
6. Finally, navigate to the Microsoft Azure Portal, select Virtual machines from the sidebar,
select the desired VM, select Overview in the left pane, then Connect in the main pane to
sign in as an administrator and start a Remote Desktop (RDP) session.
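Step 5 shows the assignment for a single user; the following script, added here as an illustration and not part of the original guide, applies the same share-scoped assignment to a list of users and then lists the assignments so they can be reviewed. It assumes the AzureRm module (as used by Login-AzureRmAccount above), that CustomRole.json was already imported, and that the subscription ID and UPNs are placeholders you replace.

```powershell
# Added example: bulk-assign the custom role at file-share scope and verify the result.
# Assumes an AzureRm session (Login-AzureRmAccount) with rights to assign roles.
$subscriptionId = "<subscription-id>"   # placeholder, replace with your subscription ID
$resourceGroup  = "profiles"            # resource group used in the guide
$storageAccount = "fsprofile"           # storage account used in the guide
$shareName      = "share"               # file share created earlier
$roleName       = "AADDCpreview"        # name defined in CustomRole.json

# Constructed sample UPNs; replace with the users that will get FSLogix profiles
$users = @(
    "adele.vance@airlift2020outlook.onmicrosoft.com",
    "alexwilber@airlift2020outlook.onmicrosoft.com"
)

$role = Get-AzureRmRoleDefinition -Name $roleName
if (-not $role) {
    throw "Role '$roleName' not found; import CustomRole.json with New-AzureRmRoleDefinition first."
}

# The scope is the single file share, not the storage account or resource group,
# so the assignment cannot be used to reach other shares or resources.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Storage/storageAccounts/$storageAccount/fileServices/default/fileshare/$shareName"

foreach ($upn in $users) {
    # Skip users that already hold the role here so the script can be re-run safely
    $existing = Get-AzureRmRoleAssignment -SignInName $upn -RoleDefinitionName $role.Name `
                    -Scope $scope -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Already assigned: $upn"
        continue
    }
    New-AzureRmRoleAssignment -SignInName $upn -RoleDefinitionName $role.Name -Scope $scope | Out-Null
    Write-Host "Assigned $($role.Name) to $upn"
}

# Review: list who holds this role at the share scope (inherited assignments included)
Get-AzureRmRoleAssignment -RoleDefinitionName $role.Name -Scope $scope |
    Select-Object SignInName, RoleDefinitionName, Scope
```

Compare the final listing against your intended user list before moving on; any UPN you did not expect should be removed with Remove-AzureRmRoleAssignment.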

Obtain storage account access key

From the Microsoft Azure Portal sidebar, select Storage accounts. From the list of storage accounts, select the account for which you enabled Azure AD Domain Services authentication and created the custom role in the steps above.

Under Settings, select Access keys and copy the key from key1.

Note: If the key contains the “/” symbol, hit the Refresh icon to generate a new key.

Navigate to the Virtual Machines tab and locate any VM that is going to be part of your host pool.

Click on the name of the VM under Virtual Machines (adVM) and select Connect.
This will download an RDP file that allows you to connect to the VM via the credentials
specified during VM creation.

Once remotely connected to the VM, run Command Prompt as an administrator.

Execute the following command, making the modifications noted below:

net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> <storage-account-key> /user:Azure\<storage-account-name>

Modifications to this command should be as follows:

 Replace <desired-drive-letter> with a drive letter of choice (e.g. y:).
 Replace all instances of <storage-account-name> with the name of the storage account specified earlier.
 Replace <share-name> with the name of the share created earlier.
 Replace <storage-account-key> with the storage account key from Azure.

Here’s an example of what the command will look like:

net use y: \\fsprofile.file.core.windows.net\share HDZQRoFP2BBmoYQ=(truncated)= /user:Azure\fsprofile

Execute the following command to grant full access to the Azure Files share:

icacls <mounted-drive-letter>: /grant <user-email>:(f)

Modifications to this command should be as follows:

 Replace <mounted-drive-letter> with the drive letter used in the net use command.
 Replace <user-email> with the UPN of the user who will be accessing the session host VMs and needs a profile.

Here’s an example of what the command will look like:

icacls y: /grant alexwilber@airlift2020outlook.onmicrosoft.com:(f)
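The two commands above are run once per session host and once per user. The script below, added here as an illustration and not part of the original guide, performs the same mount and icacls grants from an elevated PowerShell session on the VM for a list of users, applies the guide's note about keys containing "/", and prints the resulting ACL for review. The storage account, share name, drive letter and UPNs are constructed placeholders.

```powershell
# Added example: mount the profile share and grant full control to each FSLogix user.
# Run in an elevated PowerShell session on a session host VM.
$storageAccount = "fsprofile"   # storage account created earlier
$shareName      = "share"       # file share created earlier
$driveLetter    = "Y:"          # drive letter of choice

# Read key1 at the prompt instead of hard-coding it into a script that may be saved or shared
$secureKey = Read-Host -Prompt "Storage account key (key1)" -AsSecureString
$plainKey  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                 [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureKey))

# The guide notes that a key containing "/" should be regenerated before use
if ($plainKey -match '/') {
    throw "Key contains '/'. Regenerate key1 in the portal (Access keys > Refresh) and retry."
}

$uncPath = "\\$storageAccount.file.core.windows.net\$shareName"

# Same mapping as the guide's net use command; the account name is the SMB user
net use $driveLetter $uncPath $plainKey "/user:Azure\$storageAccount"
if ($LASTEXITCODE -ne 0) { throw "net use failed with exit code $LASTEXITCODE" }

# Constructed sample UPNs; replace with the users that will get profiles on this share
$users = @(
    "adele.vance@airlift2020outlook.onmicrosoft.com",
    "alexwilber@airlift2020outlook.onmicrosoft.com"
)

foreach ($upn in $users) {
    # Same grant as the guide: full control (F) for the user's UPN on the share root
    icacls "$driveLetter\" /grant "${upn}:(F)"
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls grant failed for $upn" }
}

# Review the resulting ACL: only the expected principals should hold (F)
icacls "$driveLetter\"
```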
