NME: Configure Azure Files with Azure AD DS authentication

What’s up, everyone! 

This post is part of a series I’ve been wanting to do for a long time now. It is about Azure Virtual Desktop / Windows 365 in combination with Nerdio Manager for Enterprise. It is a great third-party tool that enables us to create, manage and optimize our Azure Virtual Desktop environment.

In this second part I will show how to configure Azure Files and Azure AD Domain Services. 

I will link every post in the series in each intro. 

Series – AVD and Windows 365 with Nerdio Manager for Enterprise

Disclaimer: The way I set up and configured Nerdio Manager for Enterprise might not be the quickest way, and it cannot be considered Nerdio best practice. This is not a sponsored series.

Prerequisites

This demo will assume all tasks in part 1 are complete.

Step 1: Create a storage account

Log in to the Azure portal and go to the storage accounts. Click on Create.

Create a new storage account. For this demo I used the following settings:


Step 2: Configure the File Share and enable AAD DS

Open the newly created storage account. Click on File Share under the Data Storage group.

Click on the + File Share button on the top left side of the screen. A new blade appears where we provide a name for the file share and select a tier.

I chose profiles as the name for the file share and the default setting for the tier: Transaction optimized.

We can see that Active Directory has not been configured yet. If we click on Not configured, we get a new screen which allows us to configure Active Directory or Azure Active Directory Domain Services. 

Since my environment is working with Azure AD DS, I will proceed to configure Azure AD DS as my directory source.

Click on Set up in the Azure Active Directory Domain Services box.

We get a simple checkbox to enable Azure Active Directory Domain Services for this file share. Check the box and click Save.

If everything checks out, we get the following screenshot:

We also need to allow access to the file share. To allow access, I created two groups:

  • For Admins: SMBShareElevatedContributors.
  • For Users: SMBShareContributors.

Go to the file share in the storage account. Go to Access Control (IAM). Click on Add role assignment.

Use the search box to filter the result on Storage File. The following roles become visible:

Click on the Storage File Data SMB Share Elevated Contributor role and add the SMBShareElevatedContributors group. 

Repeat the process for the Storage File Data SMB Share Contributor role and add the SMBShareContributors group.
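The portal actions in Step 2 can also be scripted and verified with the Az PowerShell module. This is an added example, not part of the original post or of Nerdio's tooling; the resource group and storage account names are placeholders, and it assumes Connect-AzAccount has already been run and that both groups exist.

```powershell
# Added example: Step 2 scripted with the Az modules (Az.Storage, Az.Resources).
# Placeholders (not from the post): resource group and storage account names.
$ResourceGroup  = '<resource-group>'
$StorageAccount = '<storage-account>'
$ShareName      = 'profiles'   # file share name used in this post

# Role -> group, as assigned in this post
$Assignments = [ordered]@{
    'Storage File Data SMB Share Elevated Contributor' = 'SMBShareElevatedContributors'
    'Storage File Data SMB Share Contributor'          = 'SMBShareContributors'
}

# Enable Azure AD DS as the identity source for SMB access to Azure Files
Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -EnableAzureActiveDirectoryDomainServicesForFile $true | Out-Null

# Check that the setting took effect before handing out any roles
$account = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$source  = $account.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
if ($source -ne 'AADDS') { throw "Expected directory source AADDS, got '$source'" }

# Scope the roles to the single file share, not the whole storage account
$scope = "$($account.Id)/fileServices/default/fileshares/$ShareName"

foreach ($role in $Assignments.Keys) {
    $groupName = $Assignments[$role]
    $group = @(Get-AzADGroup -DisplayName $groupName)
    if ($group.Count -ne 1) {
        throw "Expected exactly one group named '$groupName', found $($group.Count)"
    }

    # Skip if the group already holds this role at (or above) the share scope
    $existing = Get-AzRoleAssignment -ObjectId $group[0].Id `
        -RoleDefinitionName $role -Scope $scope
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $group[0].Id `
            -RoleDefinitionName $role -Scope $scope | Out-Null
    }
}

# Review who holds SMB data roles on the share, including inherited assignments
Get-AzRoleAssignment -Scope $scope |
    Where-Object RoleDefinitionName -like 'Storage File Data SMB*' |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

In the final listing, any row whose Scope is shorter than the share path is an assignment inherited from the storage account, resource group or subscription, which grants the same access to every share below it.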

Step 3: Set NTFS Permissions

The next step is to configure NTFS permissions. There are several options to complete this step. Check the link for the different options. For now I will use the PowerShell command to mount the file share.

Go to Azure File Share. Click on the Connect button.

Run the PowerShell command to mount the Azure File Share to drive letter Z. Change the permissions to match the screenshot below:

Step 4: Link the file share to Nerdio Manager for Enterprise

Log in to Nerdio Manager for Enterprise, click on the Storage group and then click on Azure Files.

Click on Link Azure Files.

Select your storage account and the file share we prepared in the previous step.

The file share will be visible in NME.

Step 5: Set FSLogix Profiles Storage

Open the Settings menu and click on Integrations. 

Click on Default Profile in the FSLogix Profiles Storage box. 
Change the name of the profile or keep the default name, as you like.
Next, choose whether you would like to enable cloud cache and session host registry for AAD-joined storage.

Select the Azure File Share we created earlier. 

Add FSLogix Registry Options if you like. 

Click the OK button to save the settings.

 

...Or create the Azure File share from NME

It is possible to create the Azure Files share from NME. Open Azure Files from the Storage group and click on the Add Azure Files button. 
