Create a profile container with Azure Files and Microsoft Entra ID

In this article, you'll learn how to create and configure an Azure Files share for Microsoft Entra Kerberos authentication. This configuration allows you to store FSLogix profiles that can be accessed by hybrid user identities from Microsoft Entra joined or Microsoft Entra hybrid joined session hosts without requiring network line-of-sight to domain controllers. Microsoft Entra Kerberos enables Microsoft Entra ID to issue the necessary Kerberos tickets to access the file share with the industry-standard SMB protocol.

This feature is supported in the Azure cloud, Azure for US Government, and Azure operated by 21Vianet.

Prerequisites

Before deploying this solution, verify that your environment meets the requirements to configure Azure Files with Microsoft Entra Kerberos authentication.

When used for FSLogix profiles in Azure Virtual Desktop, the session hosts don't need to have network line-of-sight to the domain controller (DC). However, a system with network line-of-sight to the DC is required to configure the permissions on the Azure Files share.

Configure your Azure storage account and file share

To store your FSLogix profiles on an Azure file share:

1. Create an Azure Storage account if you don't already have one.

   Note

   Your Azure Storage account can't authenticate with both Microsoft Entra ID and a second method like Active Directory Domain Services (AD DS) or Microsoft Entra Domain Services. You can only use one authentication method.

2. Create an Azure Files share under your storage account to store your FSLogix profiles if you haven't already.

3. Enable Microsoft Entra Kerberos authentication on Azure Files to enable access from Microsoft Entra joined VMs.

   • When configuring the directory and file-level permissions, review the recommended list of permissions for FSLogix profiles at Configure the storage permissions for profile containers.
   • Without proper directory-level permissions in place, a user can delete the user profile or access the personal information of a different user. It's important to make sure users have proper permissions to prevent accidental deletion from happening.

Configure the session hosts

To access Azure file shares from a Microsoft Entra joined VM for FSLogix profiles, you must configure the session hosts. To configure session hosts:

1. Enable the Microsoft Entra Kerberos functionality using one of the following methods.

   • Configure this Intune Policy CSP and apply it to the session host: Kerberos/CloudKerberosTicketRetrievalEnabled.

     Note

     Windows multi-session client operating systems don't support Policy CSP as they only support the settings catalog, so you'll need to use one of the other methods. Learn more at Using Azure Virtual Desktop multi-session with Intune.

   • Enable this Group policy on session hosts. The path will be one of the following, depending on the version of Windows you use on your session hosts:

     • Administrative Templates\System\Kerberos\Allow retrieving the cloud kerberos ticket during the logon
     • Administrative Templates\System\Kerberos\Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon
   • • Create the following registry value on the session host: reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v CloudKerberosTicketRetrievalEnabled /t REG_DWORD /d 1

2. When you use Microsoft Entra ID with a roaming profile solution like FSLogix, the credential keys in Credential Manager must belong to the profile that's currently loading. This will let you load your profile on many different VMs instead of being limited to just one. To enable this setting, create a new registry value by running the following command:

   reg add HKLM\Software\Policies\Microsoft\AzureADAccount /v LoadCredKeyFromProfile /t REG_DWORD /d 1
   

Note

The session hosts don't need network line-of-sight to the domain controller.

Configure FSLogix on the session host

This section will show you how to configure a VM with FSLogix. You'll need to follow these instructions every time you configure a session host. There are several options available that ensure the registry keys are set on all session hosts. You can set these options in an image or configure a group policy.

To configure FSLogix:

1. Update or install FSLogix on your session host, if needed.

   Note

   If the session host is created using the Azure Virtual Desktop service, FSLogix should already be pre-installed.

2. Follow the instructions in Configure profile container registry settings to create the Enabled and VHDLocations registry values. Set the value of VHDLocations to \\<Storage-account-name>.file.core.windows.net\<file-share-name>.

Test your deployment

Once you've installed and configured FSLogix, you can test your deployment by signing in with a user account that's been assigned to an application group on the host pool. The user account you sign in with must have permission to use the file share.

If the user has signed in before, they'll have an existing local profile that the service will use during this session. To avoid creating a local profile, either create a new user account to use for tests or use the configuration methods described in Tutorial: Configure profile container to redirect user profiles to enable the DeleteLocalProfileWhenVHDShouldApply setting.

Finally, verify the profile created in Azure Files after the user has successfully signed in:

1. Open the Azure portal and sign in with an administrative account.

2. From the sidebar, select Storage accounts.

3. Select the storage account you configured for your session host pool.

4. From the sidebar, select File shares.

5. Select the file share you configured to store the profiles.

6. If everything's set up correctly, you should see a directory with a name that's formatted like this: <user SID>_<username>.

Next steps

• To troubleshoot FSLogix, see this troubleshooting guide.