This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 47%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMN%3C/text%3E%3C/svg%3E)
Hi all, I have a client which does not have ANY on-prem AD (only local users on workgroup devices). They wish to implement Azure Virtual Desktop (AVD) with FSLogix functionality. According to this article, Clients must be Microsoft Entra joined or Microsoft Entra hybrid joined. Microsoft Entra Kerberos isn’t supported on clients joined to Microsoft Entra Domain Services or joined to AD only.
This feature doesn't currently support user accounts that you create and manage solely in Microsoft Entra ID. User accounts must be hybrid user identities, which means you'll also need AD DS and either Microsoft Entra Connect or Microsoft Entra Connect cloud sync.
I have understood that it is not possible to use Azure AD DS (Entra ID DS) without hybrid joined for FSLogix due to missing Entra Kerberos support.
I would like to understand if I can implement a cloud-only AVD with FSLogix with any combination of cloud services (i.e. Active Directory AD in Azure VM, Azure AD DS, Azure AD joined...) to achieve FSLogix functionality, or is there a hard requirement to have an on-prem hybrid joined devices and hybrid users to employ this functionality ? I am aware of the "hacks" with Fslogix cloud cache or storing storage account credentials in Windows clients, but I want solely an official supported route.
Would it be possible to build a new AD domain solely in Azure VM and then AD Connect sync the users to Azure AD? is this even supported? Many thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 28.999999999999996%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZ%3C/text%3E%3C/svg%3E)
Did you manage to get this working without the "hacks" found online?
I'm looking to do the same, setup AVD with FSLogix and using only Entra ID, with no domain services.
Hi @Michael Novak , Azure AVD and FSLogix are supporting an Azure Entra ID cloud-only environment:
FSLogix profile containers for Azure AD cloud only identities
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Andreas Baumgarten
Thank you for your answer. Here's a post, where a person tried to do the exact same thing I'm trying to do and someone from MS suggests that it is NOT supported, therefore I am even more confused:
https://learn.microsoft.com/en-us/answers/questions/1182008/azure-ad-kerberos-fslogix
Namely: Clients must be Microsoft Entra joined or Microsoft Entra hybrid joined. Microsoft Entra Kerberos isn’t supported on clients joined to Microsoft Entra Domain Services or joined to AD only.
Hello Michael Novak
Welcome to Microsoft Q&A Platform, thanks for posting your query here.
I checked with internal team on this, feature to bring cloud identity support to FSLogix profile containers is planned and there is not ETA on this that can be shared now.
As you mentioned the alternative is with a hybrid identity as documented, or the workarounds you referred.
Hope that clarifies.