Creating user profiles for Entra-joined Azure Virtual Desktops (AVD) primarily involves configuring FSLogix Profile Containers. This ensures that user profiles are portable and persistent across sessions, even though the session hosts are Entra-joined.

Here's a step-by-step guide:

Step 1: Prepare Your Storage for FSLogix Profiles

You'll need a file share that can be accessed by your AVD session hosts and where user profile disks will be stored. Azure Files is a common and recommended solution for this.

  1. Create an Azure Storage Account:
    • Go to the Azure portal, search for "Storage accounts," and click "Create."
    • Choose your subscription and resource group.
    • Give it a unique name (e.g., avdprofilesstorage).
    • Select a region.
    • For performance, consider "Premium" with "File shares" as the account kind, or "Standard" with "ZRS" or "GRS" redundancy for resilience.
    • Keep other settings as default or configure them according to your needs.
    • Click "Review + create," then "Create."
  2. Create an Azure File Share:
    • Once the storage account is deployed, navigate to it.
    • Under "Data storage," click "File shares."
    • Click "+ File share."
    • Give it a name (e.g., profiles).
    • Specify a quota (e.g., 1TB or based on your user count).
    • Click "Create."
  3. Enable Entra ID (Azure AD) Kerberos authentication on the storage account. This is crucial for Entra-joined VMs to authenticate to the file share.
    • Navigate to your storage account.
    • Under "Data management," select "File shares."
    • Click on "Active Directory settings" (it might be under "Security + networking" > "File shares" > "AD settings").
    • Select "Azure Active Directory (AAD) Kerberos" or "Hybrid Azure Active Directory (AD DS) Kerberos" if your environment is hybrid. For pure Entra Join, AAD Kerberos is the way.
    • Follow the prompts to enable it. This involves creating an Entra ID application registration and granting permissions.
  4. Assign Share-Level Permissions:
    • Go to your file share.
    • Click on "Access control (IAM)."
    • Click "Add" > "Add role assignment."
    • Assign the "Storage File Data SMB Share Contributor" role to the Azure AD group containing your AVD users and the Azure AD group containing your AVD session host computer objects.
    • Assign "Storage File Data SMB Share Elevated Contributor" if you need to allow users to modify permissions on their own profiles, though "Contributor" is often sufficient.
    • Click "Review + assign."
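The four portal steps above (storage account, file share, Entra Kerberos, share-level role) done from Az PowerShell instead. This is an added example, not part of the original guide: it assumes the Az.Accounts, Az.Storage and Az.Resources modules, an existing Connect-AzAccount session, and the placeholder resource group, region and group object IDs below. One caveat worth knowing before enabling step 3: Entra Kerberos for Azure Files authenticates hybrid user identities (synced from AD DS); cloud-only user accounts are not issued Kerberos tickets for the share.

```powershell
# Added example (not from the original guide): provisions the storage account and
# file share, enables Entra ID Kerberos for SMB, and assigns the share-level role.
# Assumptions: Az modules installed, signed in with Connect-AzAccount, and every
# name/ID below replaced with your own values (they are placeholders).
$ResourceGroup  = 'rg-avd'                                        # placeholder
$Location       = 'westeurope'                                    # placeholder
$StorageAccount = 'avdprofilesstorage'                            # must be globally unique
$ShareName      = 'profiles'
$UsersGroupId   = '<objectId of the AVD users group>'             # placeholder
$HostsGroupId   = '<objectId of the AVD session hosts group>'     # placeholder

# 1. Premium (FileStorage kind) account. LRS shown; use ZRS where the region offers it.
#    TLS 1.2 minimum and no public blob access are the hardened defaults to keep.
$account = New-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -Location $Location -SkuName Premium_LRS -Kind FileStorage `
    -MinimumTlsVersion TLS1_2 -AllowBlobPublicAccess $false

# 2. File share with a 1 TiB quota (premium shares bill on provisioned size).
New-AzRmStorageShare -ResourceGroupName $ResourceGroup -StorageAccountName $StorageAccount `
    -Name $ShareName -QuotaGiB 1024 | Out-Null

# 3. Entra ID Kerberos for Azure Files. This creates a service principal in Entra ID;
#    an admin must still grant admin consent to its API permissions (portal step).
Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -EnableAzureActiveDirectoryKerberosForFile $true | Out-Null

# 4. Share-level RBAC. Scope to the single share, not the whole storage account,
#    so the groups get no rights on other shares in the same account.
$shareScope = "$($account.Id)/fileServices/default/fileshares/$ShareName"
foreach ($groupId in @($UsersGroupId, $HostsGroupId)) {
    New-AzRoleAssignment -ObjectId $groupId `
        -RoleDefinitionName 'Storage File Data SMB Share Contributor' `
        -Scope $shareScope | Out-Null
}

# Check: the account should now report identity-based auth with AADKERB as the directory service.
(Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount).AzureFilesIdentityBasedAuth
```

The final line is the check to run before moving on to NTFS permissions: if `DirectoryServiceOptions` does not read `AADKERB`, the Kerberos step did not apply and the SMB mount from an Entra-joined host will fail later for reasons that look like a permissions problem.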
  5. Configure NTFS Permissions on the File Share:
    While Azure AD Kerberos handles share access, you still need proper NTFS permissions within the share itself. You'll usually do this by mounting the share to a temporary VM (that is Entra-joined or Hybrid-joined) and setting the permissions.
    • Mount the Azure File share to a temporary Entra-joined or Hybrid-joined Windows VM (PowerShell):

      net use Z: \\<storageaccountname>.file.core.windows.net\profiles /user:AzureAD\<your_upn>

    • Set the following NTFS permissions on the root of the profiles share:
      • CREATOR OWNER: Full Control (Applies to: Subfolders and files only)
      • Azure AD Group for AVD Users: Read & Execute, List Folder Contents, Read (Applies to: This folder, subfolders and files)
      • Azure AD Group for AVD Session Hosts: Read & Execute, List Folder Contents, Read, Write, Create Folders/Append Data (Applies to: This folder, subfolders and files)
      • SYSTEM: Full Control (Applies to: This folder, subfolders and files)
      • Administrators (of the AVD session hosts): Full Control (Applies to: This folder, subfolders and files)
    • You can set these using icacls (Cmd). The CREATOR OWNER entry listed above is included here so each user gets Full Control of their own profile folder only; it is inherit-only ((IO)) so it never applies to the share root:

      rem Users: Read & Execute / List / Read on this folder, subfolders and files
      icacls Z:\ /grant "Azure AD Group Name for AVD Users":(OI)(CI)R
      rem Session hosts: read plus write/create on this folder, subfolders and files
      icacls Z:\ /grant "Azure AD Group Name for AVD Session Hosts":(OI)(CI)R
      icacls Z:\ /grant "Azure AD Group Name for AVD Session Hosts":(OI)(CI)W
      rem CREATOR OWNER: Full Control on subfolders and files only (inherit-only)
      icacls Z:\ /grant "CREATOR OWNER":(OI)(CI)(IO)F
      icacls Z:\ /grant "SYSTEM":(OI)(CI)F
      icacls Z:\ /grant "Builtin\Administrators":(OI)(CI)F
      icacls Z:\ /setowner "Builtin\Administrators"
      rem Review the result
      icacls Z:\

Note: Replace Z: with your mounted drive letter and "Azure AD Group Name" with the actual names of your Entra ID groups.

    • [Screenshot of an example final NTFS permissions dialog; not reproduced here.]

Step 2: Configure FSLogix on AVD Session Hosts

FSLogix agents are typically pre-installed on Azure Virtual Desktop images. You just need to configure them.

  1. Use Group Policy (Local or Centralized):
    For Entra-joined VMs, you can use Intune to deliver administrative templates for FSLogix, or configure them locally on the AVD master image. Using Intune is more scalable for larger deployments.
    • Option A: Configure via Intune (Recommended for Entra-joined):
      • Download the FSLogix Administrative Templates (.admx and .adml files) from the Microsoft FSLogix GitHub release page.
      • Import the .admx and .adml files into Intune. (Devices > Configuration profiles > Import ADMX).
      • Create a new Configuration Profile in Intune:
        • Profile type: "Settings catalog" or "Custom" (if using imported ADMX directly).
        • Search for "FSLogix" or specifically for "Profile Containers."
        • Configure the following settings:
          • Enabled: Yes
          • VHDLocation: \\<storageaccountname>.file.core.windows.net\profiles
          • DeleteLocalProfileWhenVHDShouldApply: Yes (Recommended to ensure profiles are always loaded from FSLogix)
          • SizeInMBs: (e.g., 30000 for 30GB, adjust as needed)
          • FlipFlopProfileDirectoryName: 1 (Recommended to avoid issues with concurrent logons if using multiple session hosts)
          • Include ProfileList in Roaming: No (This prevents issues with cached profiles)
      • Assign this profile to the Entra ID group containing your AVD session host computer objects.
    • Option B: Configure Locally on the Master Image:
      • Open gpedit.msc on your AVD master image.
      • Navigate to Computer Configuration > Administrative Templates > FSLogix > Profile Containers.
      • Configure the same settings as above (Enabled, VHDLocation, DeleteLocalProfileWhenVHDShouldApply, SizeInMBs, FlipFlopProfileDirectoryName, Include ProfileList in Roaming).
      • Save the changes and generalize your master image.
  2. Verify FSLogix Installation (if needed):
    • On a session host, check for the FSLogix Apps service in services.msc.
    • Check for the FSLogix installation directory: C:\Program Files\FSLogix\Apps.
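The Option B settings applied straight to the registry keys that the FSLogix administrative templates write, followed by the verification from item 2. This is an added example, not the guide's or FSLogix's own script: it assumes it is run elevated on the master image or a session host, that the share UNC path and size are placeholders to replace, and that the session hosts are Entra-joined (which is why it also sets the LSA Kerberos value that lets an Entra-joined host obtain a Kerberos ticket from Entra ID for the Azure Files share).

```powershell
# Added example (not from the original guide): applies the Step 2 Profile Container
# settings to the registry instead of via gpedit.msc, enables cloud Kerberos ticket
# retrieval on the Entra-joined host, then verifies the agent. Run elevated.
$ShareUnc = '\\<storageaccountname>.file.core.windows.net\profiles'   # placeholder

function Set-FSLogixProfileContainer {
    param([string]$VhdLocation, [int]$SizeInMBs = 30000)   # 30000 MB = ~30 GB, adjust as needed
    $key = 'HKLM:\SOFTWARE\FSLogix\Profiles'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value 1 -Force | Out-Null
    # VHDLocations is a multi-string so several paths (or Cloud Cache later) can be listed
    New-ItemProperty -Path $key -Name VHDLocations -PropertyType MultiString -Value @($VhdLocation) -Force | Out-Null
    New-ItemProperty -Path $key -Name DeleteLocalProfileWhenVHDShouldApply -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $key -Name SizeInMBs -PropertyType DWord -Value $SizeInMBs -Force | Out-Null
    New-ItemProperty -Path $key -Name FlipFlopProfileDirectoryName -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $key -Name VolumeType -PropertyType String -Value 'VHDX' -Force | Out-Null
}

function Enable-CloudKerberosTicketRetrieval {
    # Without this LSA setting an Entra-joined host never asks Entra ID for a
    # Kerberos ticket, so the SMB mount of the share fails at logon.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    New-ItemProperty -Path $key -Name CloudKerberosTicketRetrievalEnabled -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-FSLogixAgent {
    # frxsvc is the service name behind "FSLogix Apps Services" in services.msc
    $svc = Get-Service -Name frxsvc -ErrorAction SilentlyContinue
    $cfg = Get-ItemProperty 'HKLM:\SOFTWARE\FSLogix\Profiles' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')
        InstallDir     = Test-Path 'C:\Program Files\FSLogix\Apps\frx.exe'
        Enabled        = $cfg.Enabled
        VHDLocations   = $cfg.VHDLocations
    }
}

Set-FSLogixProfileContainer -VhdLocation $ShareUnc
Enable-CloudKerberosTicketRetrieval
Test-FSLogixAgent
```

If you later move to Intune, keep the registry values here in sync with the Settings catalog profile; a host that receives both sources with different VHDLocations will follow whichever wrote last, which is the "Master Image Updates" problem listed in the considerations below.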

Step 3: Test User Profiles

  1. Ensure your test users are assigned to an AVD group that grants them access to the session hosts.
  2. Log in with a Test User:
    • Use an Entra ID user account that has been assigned to an AVD group.
    • Log in to an AVD session.
    • The first login will create the FSLogix profile container. This might take a bit longer.
  3. Verify Profile Creation:
    • Go to your Azure File share (\\<storageaccountname>.file.core.windows.net\profiles).
    • You should see a folder structure like profiles\<username_SID>. Inside, there will be a VHD or VHDX file.
    • On the AVD session host, check C:\Users. You should see a symbolic link for the user's profile, pointing to the FSLogix mounted VHD. You can also check the ProfileList registry key at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
  4. Test Persistence:
    • Create some files or change desktop settings in the user's AVD session.
    • Log off.
    • Log back in. Verify that the changes are still there.
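A scripted version of the verification in items 3 and 4, run from an elevated session on a session host after the test user has logged on once. This is an added example, not part of the original guide; the share UNC path and test user name are placeholders, and the folder match relies on FlipFlopProfileDirectoryName being set (folder named <username>_<SID>) but also tolerates the default <SID>_<username> layout.

```powershell
# Added example (not from the original guide): confirms the container exists on the
# share and that the FSLogix agent recorded a successful attach for the session.
$ShareUnc = '\\<storageaccountname>.file.core.windows.net\profiles'   # placeholder
$TestUser = 'testuser1'                                                # placeholder

function Get-ProfileContainerInfo {
    param([string]$Share, [string]$UserName)
    # Folder is <username>_<SID> with FlipFlop enabled, <SID>_<username> otherwise;
    # a contains-match handles both.
    $folder = Get-ChildItem -Path $Share -Directory -ErrorAction Stop |
              Where-Object { $_.Name -like "*$UserName*" } | Select-Object -First 1
    if (-not $folder) { return $null }
    $disk = Get-ChildItem -Path $folder.FullName -Recurse -Include *.vhd, *.vhdx | Select-Object -First 1
    [pscustomobject]@{
        Folder = $folder.FullName
        Disk   = if ($disk) { $disk.FullName } else { $null }
        SizeMB = if ($disk) { [math]::Round($disk.Length / 1MB) } else { 0 }
    }
}

function Get-FSLogixSessionStatus {
    # The agent records each attach attempt under Profiles\Sessions\<SID>:
    # Status 0 means the container attached; otherwise Reason/Error say why not.
    Get-ChildItem 'HKLM:\SOFTWARE\FSLogix\Profiles\Sessions' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{ Sid = $_.PSChildName; Status = $p.Status; Reason = $p.Reason; Error = $p.Error }
        }
}

function Get-ProfileListEntry {
    param([string]$UserName)
    # Cross-check the ProfileList key the guide mentions for the user's profile path
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.ProfileImagePath -like "*\$UserName*" } |
        Select-Object PSChildName, ProfileImagePath
}

Get-ProfileContainerInfo -Share $ShareUnc -UserName $TestUser
Get-FSLogixSessionStatus
Get-ProfileListEntry -UserName $TestUser
```

For the persistence test in item 4, run Get-ProfileContainerInfo before and after the second logon: the same Disk path should be reported and SizeMB should not shrink. A new folder or a second VHDX for the same user means the container was not reattached and a fresh profile was created instead, which usually points back to the NTFS or share-level permissions from Step 1.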

Important Considerations:

  • FSLogix Cloud Cache: For greater resiliency and performance, especially in multi-region deployments or if you need to withstand storage outages, consider configuring FSLogix Cloud Cache. This allows profiles to be replicated to multiple storage locations.
  • Security Groups: Use dedicated Entra ID security groups for AVD users and AVD session host machines to simplify permission management.
  • Monitoring: Monitor your Azure File share usage and performance to ensure it can handle your user load.
  • Antivirus Exclusions: Configure antivirus exclusions for FSLogix directories and VHD(X) files on your AVD session hosts to prevent performance issues.
  • Master Image Updates: When updating your AVD master image, ensure that any local FSLogix configurations are reapplied or that your Intune profile is still correctly deployed.
  • FSLogix Version: Keep your FSLogix agents updated to benefit from the latest features and bug fixes.
  • Delegated Administration: If you have separate teams for AVD and identity, ensure proper delegation of permissions for managing Entra ID groups and Azure Storage.

By following these steps, you can successfully implement persistent user profiles for your Entra-joined Azure Virtual Desktops using FSLogix.