In this post I have tried to capture all the steps involved in creating Azure File shares for a WVD deployment, along with the real-world challenges I hit along the way. Please refer to the quoted messages in this post.

Storage Account

Azure file shares are deployed into storage accounts. Azure supports several kinds of storage account for different storage scenarios, but two of them are the main choices for Azure Files.

Which storage account type you need to create depends on whether you want a standard file share or a premium file share.

I chose a premium file share for this walkthrough, as shown below.

Remember to keep the storage account name under 15 characters (and within your domain naming policy), because the account is later registered in AD DS as a computer account (see the domain join section below).

Select the account type and performance
Disable Blob access

Azure Files provides two main types of endpoints for accessing Azure file shares:

  • Public endpoints, which have a public IP address and can be accessed from anywhere in the world.
  • Private endpoints, which exist within a virtual network and have a private IP address from within the address space of that virtual network.

We need to create a private endpoint in our deployment, which allows access to the file shares only from the desired subnet. Follow the steps below to add a private endpoint.

Select the desired VNet and subnet from which this file share should be accessible. Private DNS is an optional setting; enable it if you wish.

Remember to turn on soft delete for file shares and set the retention period in days.

Create a file share

Create the required file shares where the profiles are going to reside.

Add role assignment (IAM)

I have created two groups, one for administrators and one for users. Next we need to add a new role assignment on the file share for the administrators.

The shared folder admins will need the Storage File Data SMB Share Elevated Contributor role.

I have assigned this to the GEEKBLOGADMIN group.

WVD users will need the Storage File Data SMB Share Contributor role.

I have created a group GEEKBLOGUSERS and assigned it this role.

Domain Join the storage account

To enable AD DS authentication over SMB for Azure file shares, we need to register the storage account with AD DS and then set the required domain properties on the storage account.

Below are the requirements for domain joining:

  • Internet access and the ability to run PowerShell from a domain-joined machine on which you have local administrator privileges
  • Download the AzFilesHybrid PowerShell module from here and extract it to C:\AzFilesHybrid
  • Access to the subscription, preferably Owner on the subscription or Global Administrator

Run these commands in an elevated (Run as administrator) PowerShell session:

Set-ExecutionPolicy -ExecutionPolicy Unrestricted   # lets the downloaded module load; add -Scope Process to limit the change to this session
Install-PackageProvider -Name NuGet -Force           # package provider needed by the module's dependencies
cd C:\AzFilesHybrid                                  # folder where the module was extracted
Import-Module -Name .\AzFilesHybrid.psd1             # load the AzFilesHybrid cmdlets

Connect-AzAccount

If you have multiple subscriptions, select the desired subscription first and then run the command below, replacing the highlighted values with your own:

Join-AzStorageAccountForAuth -ResourceGroupName "MSDNLABRG" -Name "stomsdnwvdlab" -DomainAccountType "ComputerAccount" -OrganizationalUnitDistinguishedName "OU=Storage,DC=azurelab,DC=com"

You should see the message below if it ran successfully.

To confirm that the storage account has been added, check the objects in AD.

Set NTFS permission

Copy the URL of the created file share and replace the leading https:// with \\ to obtain its UNC path.

Access the UNC path from a machine that you allowed in the firewall section and make sure that the permissions below are applied and that all other entries are removed.

Set at least the following minimum privileges:

  Principal                | Applies to                          | Permission
  Users                    | This Folder Only                    | Modify
  Creator / Owner          | Subfolders and Files Only           | Modify
  Administrator (optional) | This Folder, Subfolders, and Files  | Full Control
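The same ACL applied from PowerShell, as an added example that is not part of the original post: it breaks inheritance on the share root, removes every other entry, adds the three entries from the table, and prints the result for checking. The share name "profiles", the domain "AZURELAB" and the group names are assumptions; run it from an allowed machine as a member of the group holding the Elevated Contributor role.

```powershell
# Added example, not from the original post: applies the minimum NTFS ACL from
# the table above to the root of the profile share and removes every other entry.
# Assumed values: share name "profiles", AD domain "AZURELAB", and the two groups
# created earlier in this walkthrough.
param(
    [string]$SharePath  = '\\stomsdnwvdlab.file.core.windows.net\profiles',
    [string]$UsersGroup = 'AZURELAB\GEEKBLOGUSERS',
    [string]$AdminGroup = 'AZURELAB\GEEKBLOGADMIN'
)

$acl = Get-Acl -Path $SharePath

# Break inheritance without copying inherited ACEs, then drop the remaining
# explicit ACEs so that only the three entries below survive ("others are removed").
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

# Principal, rights, inheritance and propagation flags, exactly as in the table:
#   Users             -> This Folder Only                   -> Modify
#   CREATOR OWNER     -> Subfolders and Files Only          -> Modify
#   Admins (optional) -> This Folder, Subfolders, and Files -> Full Control
$entries = @(
    @{ Id = $UsersGroup;     Rights = 'Modify';      Inherit = 'None';                            Prop = 'None' },
    @{ Id = 'CREATOR OWNER'; Rights = 'Modify';      Inherit = 'ContainerInherit, ObjectInherit'; Prop = 'InheritOnly' },
    @{ Id = $AdminGroup;     Rights = 'FullControl'; Inherit = 'ContainerInherit, ObjectInherit'; Prop = 'None' }
)
foreach ($e in $entries) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($e.Id, $e.Rights, $e.Inherit, $e.Prop, 'Allow')
    $acl.AddAccessRule($rule)
}

Set-Acl -Path $SharePath -AclObject $acl

# Verify: every entry should be explicit (IsInherited = False) and match the table.
(Get-Acl -Path $SharePath).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited |
    Format-Table -AutoSize
```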