Assigning permissions when using Azure Files for FSLogix Profiles in WVD

David Schrag 376 Reputation points
2021-03-04T21:13:53.373+00:00

My goal is to use a share in Azure Files to house the FSLogix profiles for users in a Windows Virtual Desktop (WVD) environment that is part of an Azure Active Directory Domain Services (AADDS) domain.

I am following instructions at https://learn.microsoft.com/en-us/azure/virtual-desktop/create-profile-container-adds.

There are two places to set permissions to the fileshare -- within the Azure portal and at the virtual machine level. In the Azure portal, you assign permissions to an Azure ID identity. At the VM level, you assign permissions to an Active Directory object that exists within the AADDS domain.

If you want to assign these permissions at the user level, there doesn't seem to be a problem. But I want to assign permissions at a group level, and I'm getting stuck. As far as I can tell, in the Azure portal you can only assign permissions to Security groups, not to Microsoft 365 groups. (When I go to the Role Assignments page and click Add, my Microsoft 365 groups do not appear.) But at the VM/domain level, you can only assign permissions to objects with an email address. Microsoft 365 groups have an e-mail address, but Security groups in Azure do not.

Does this mean we have to maintain two groups for each set of WVD users with FSLogix profiles -- a matching pair of M365 and Security groups with the same membership?


Accepted answer
  1. David Schrag 376 Reputation points
    2021-04-02T19:26:06.72+00:00

    The answer is that you don't need a Microsoft 365 group. An Azure AD security group will be fine. An e-mail address is NOT required. To assign the permissions to the AAD group, you simply reference the group name, which may have to be in quotes, for example:

    icacls F: /grant "WVD Users":(M)

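The two permission layers from the question, both granted to the same security group as the accepted answer describes. This is an added example, not code from the thread. The scope placeholders, the drive letter and the choice of the Azure built-in role `Storage File Data SMB Share Contributor` are assumptions, and it assumes the Az PowerShell module with a signed-in session on a domain-joined VM where the share is already mounted.

```powershell
# Added example; placeholder values are constructed and must be replaced.
$GroupName = 'WVD Users'   # security group name used in the accepted answer
$Drive     = 'F:'          # drive letter the Azure Files share is mounted on (assumed)
$RoleName  = 'Storage File Data SMB Share Contributor'   # built-in role (assumed choice)
$Scope     = '/subscriptions/<subscription-id>/resourceGroups/<resource-group>' +
             '/providers/Microsoft.Storage/storageAccounts/<storage-account>' +
             '/fileServices/default/fileshares/<share-name>'

# Layer 1: share-level access in Azure (RBAC), assigned to the security group.
$group = @(Get-AzADGroup -DisplayName $GroupName)
if ($group.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $($group.Count)"
}

$existing = Get-AzRoleAssignment -ObjectId $group[0].Id -Scope $Scope `
                                 -RoleDefinitionName $RoleName
if (-not $existing) {
    # Scope the assignment to the single share, not the whole storage account.
    New-AzRoleAssignment -ObjectId $group[0].Id -Scope $Scope `
                         -RoleDefinitionName $RoleName | Out-Null
}

# Layer 2: NTFS permissions on the mounted share, granted to the same group by name.
# The whole ACE is passed as one quoted argument; ${} keeps the colon out of the
# variable name.
icacls $Drive /grant "${GroupName}:(M)"
if ($LASTEXITCODE -ne 0) {
    throw "icacls failed with exit code $LASTEXITCODE"
}

# Check: list the ACL and confirm the group entry is present.
$acl = icacls $Drive
if (-not ($acl | Select-String -SimpleMatch $GroupName)) {
    throw "No ACL entry for '$GroupName' on $Drive"
}
$acl
```

The `icacls` line in the accepted answer is in cmd.exe syntax; in PowerShell an unquoted `(M)` is evaluated as an expression, so the ACE has to be quoted as a single argument as shown.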

5 additional answers

  1. vipullag-MSFT 24,111 Reputation points Microsoft Employee
    2021-03-05T05:34:18.163+00:00

    @David Schrag

    M365 groups are only meant to be used for collaboration (calendar/email/teams/spo) and not for granting access to resources. Yes, you have to create security groups.

    Hope this helps.

    Please 'Accept as answer' if it helped, so that it can help others in the community looking for help on similar topics.


  2. Karlie Weng 14,031 Reputation points Microsoft Vendor
    2021-03-05T05:46:57.297+00:00

    Hello @David Schrag

    I cannot be sure whether we need two groups; this would be better confirmed with the FSLogix support team.

    The following is what I could find; I hope it gives you a little help.

    Microsoft 365 groups
    Microsoft 365 groups are used for collaboration between users, both inside and outside your company. With each Microsoft 365 group, members get a group email and shared workspace for conversations, files, and calendar events, and a Planner.

    You can add people from outside your organization to a group as long as this has been enabled by the administrator. You can also allow external senders to send email to the group email address.

    Microsoft 365 groups can be configured for dynamic membership in Azure Active Directory, allowing group members to be added or removed automatically based on user attributes such as department, location, title, etc.

    Microsoft 365 groups can be accessed through mobile apps such as Outlook for iOS and Outlook for Android.

    Group members can send as or send on behalf of the group email address if this has been enabled by the administrator.

    Security groups
    Security groups are used for granting access to Microsoft 365 resources, such as SharePoint. They can make administration easier because you need only administer the group rather than adding users to each resource individually.

    Security groups can contain users or devices. Creating a security group for devices can be used with mobile device management services, such as Intune.

    Security groups can be configured for dynamic membership in Azure Active Directory, allowing group members or devices to be added or removed automatically based on user attributes such as department, location, or title; or device attributes such as operating system version.

    Have a great day!

    Best Regards
    Karlie

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. Karlie Weng 14,031 Reputation points Microsoft Vendor
    2021-03-11T02:21:32.67+00:00

    If you have the following subscriptions still included in the Microsoft Support Lifecycle, why not open a request directly?


    Azure customers can open FSLogix support requests from:
    Windows Virtual Desktop (WVD): https://portal.azure.com/ - Help + support - New support request - Issue type: Technical \ Service: Windows Virtual Desktop \ Problem Type: FSLogix

    Premier customers can open FSLogix support requests from:
    Windows 10: https://serviceshub.microsoft.com/ Azure \ FSLogix
    Windows Server: https://serviceshub.microsoft.com/ Azure \ FSLogix

    Windows customers can open FSLogix support requests from:
    Windows 10: https://support.serviceshub.microsoft.com/supportforbusiness/create Azure \ FSLogix
    Windows Server: https://support.serviceshub.microsoft.com/supportforbusiness/create Azure \ FSLogix

    For customers with still-current FSLogix support agreements, please email your information to: FSLLicenseSupport@microsoft.com. We will respond as soon as we can and create a case as appropriate.
