In this post I have tried to capture all the steps for creating Azure File shares for a WVD deployment, along with the challenges hit along the way. Please refer to the quoted messages in this post.
Azure file shares are deployed into storage accounts. Azure supports multiple types of storage accounts for different storage scenarios, but there are two main types of storage accounts for Azure Files.
Which storage account type you need to create depends on whether you want to create a standard file share or a premium file share.
I chose a premium file share in this walkthrough, as shown below.
Remember to keep the storage account name under 15 characters (or whatever your domain naming policy requires), since the name becomes the name of the AD computer object created during the domain join.
Azure Files provides two main types of endpoints for accessing Azure file shares:
- Public endpoints, which have a public IP address and can be accessed from anywhere in the world.
- Private endpoints, which exist within a virtual network and have a private IP address from within the address space of that virtual network.
We need to create a private endpoint in our deployment, which restricts access to the file shares to the desired subnet. Follow the steps below to add a private endpoint.
Select the desired VNet and subnet from which this file share should be accessible. Private DNS integration is optional; enable it if you wish.
Remember to turn on soft delete for file shares and specify the retention period in days.
Create a file share
Create the required file shares where the profiles are going to reside.
Add role assignment (IAM)
I have created two groups, one for administrators and one for users. Next we need to add a new role assignment on the file share for the administrators.
The shared folder admins need the Storage File Data SMB Share Elevated Contributor role; I have assigned this to the GEEKBLOGADMIN group.
WVD users need the Storage File Data SMB Share Contributor role; I have created a group GEEKBLOGUSERS and assigned it.
Domain-join the storage account
To enable AD DS authentication over SMB for Azure file shares, we need to register the storage account with AD DS and then set the required domain properties on the storage account.
Below are the requirements for domain joining:
- Access to the internet and PowerShell execution from a domain-joined machine with admin privileges on the machine
- Download the AzFilesHybrid PowerShell module from here and extract it to C:\AzfilesHybrid
- Access to the subscription, preferably Owner privileges on the subscription or Global Administrator (GA)
Run these commands in an elevated (admin) PowerShell session:
Set-ExecutionPolicy -ExecutionPolicy Unrestricted
Install-PackageProvider -Name NuGet -Force
Import-Module -Name .\AzFilesHybrid.psd1
If you have multiple subscriptions, select the desired subscription and then run the command below, replacing the highlighted values with your own.
Join-AzStorageAccountForAuth -ResourceGroupName "MSDNLABRG" -Name "stomsdnwvdlab" -DomainAccountType "ComputerAccount" -OrganizationalUnitDistinguishedName "OU=Storage,DC=azurelab,DC=com"
You should see the message below if it ran successfully.
To confirm that the storage account has been added, check the computer objects in AD.
Set NTFS permissions
Copy the URL of the created file share, remove https:// and replace it with \\ to get the UNC path.
Access the UNC path from a machine that you allowed in the firewall section, and make sure the permissions below are applied and all others are removed.
Set at least the following minimum privileges:
| Principal | Applies to | Permission |
|---|---|---|
| Users | This Folder Only | Modify |
| Creator / Owner | Subfolders and Files Only | Modify |
| Administrator (optional) | This Folder, Subfolders, and Files | Full Control |
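Putting the domain-join check and the NTFS step together, here is an added PowerShell script (not from the original post) that refuses storage account names over 15 characters, runs the join shown above, verifies it on both the storage account and in AD, and then applies exactly the minimum ACL from the table to the share root. It assumes you are already signed in with Connect-AzAccount on the right subscription and have the ActiveDirectory RSAT module installed; the share name 'profiles' and the admin principal are placeholders to replace.

```powershell
param(
    [string]$ResourceGroupName   = 'MSDNLABRG',
    [string]$StorageAccountName  = 'stomsdnwvdlab',
    [string]$OuDistinguishedName = 'OU=Storage,DC=azurelab,DC=com',
    [string]$ShareName           = 'profiles',          # assumed share name, replace with yours
    [string]$AdminPrincipal      = 'Administrators'     # optional; e.g. '<DOMAIN>\GEEKBLOGADMIN'
)

# The AD computer object's SAM account name is derived from the storage account name,
# so anything longer than 15 characters would be truncated.
if ($StorageAccountName.Length -gt 15) {
    throw "Storage account name '$StorageAccountName' is longer than 15 characters."
}

Import-Module -Name 'C:\AzfilesHybrid\AzFilesHybrid.psd1'
Join-AzStorageAccountForAuth -ResourceGroupName $ResourceGroupName -Name $StorageAccountName `
    -DomainAccountType 'ComputerAccount' -OrganizationalUnitDistinguishedName $OuDistinguishedName

# Verify the join from both sides: the storage account's identity settings and the AD computer object.
$auth = (Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName).AzureFilesIdentityBasedAuth
if ($auth.DirectoryServiceOptions -ne 'AD') {
    throw "Expected DirectoryServiceOptions 'AD', got '$($auth.DirectoryServiceOptions)'."
}
if (-not (Get-ADComputer -Filter "Name -eq '$StorageAccountName'" -SearchBase $OuDistinguishedName)) {
    throw "No computer object '$StorageAccountName' found under $OuDistinguishedName."
}
Write-Host "Storage account joined to $($auth.ActiveDirectoryProperties.DomainName)"

# NTFS permissions on the share root (the share URL with https:// swapped for \\).
# Inheritance is cut, existing explicit ACEs are dropped, and only the minimum set from the table is applied.
$unc = "\\$StorageAccountName.file.core.windows.net\$ShareName"
$acl = Get-Acl -Path $unc
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($ace) }
$rules = @(
    # Users: This Folder Only, Modify (no inheritance flags)
    [System.Security.AccessControl.FileSystemAccessRule]::new('Users', 'Modify', 'None', 'None', 'Allow'),
    # CREATOR OWNER: Subfolders and Files Only, Modify (inherit-only, so it never applies to the root itself)
    [System.Security.AccessControl.FileSystemAccessRule]::new('CREATOR OWNER', 'Modify', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow'),
    # Admin principal (optional): This Folder, Subfolders, and Files, Full Control
    [System.Security.AccessControl.FileSystemAccessRule]::new($AdminPrincipal, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $unc -AclObject $acl
(Get-Acl -Path $unc).Access | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

Run it from a domain-joined machine whose account holds the Storage File Data SMB Share Elevated Contributor role, since Set-Acl over SMB needs that to change the share root ACL.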