Share via

How to use FSLogix with Entra ID joined machines

JohnSebastian-3934 441 Reputation points
2025-04-15T21:43:09.93+00:00

All,

Previously we used Azure Virtual Desktop with Entra ID Domain Services joined VMs. Users would log in using their Entra ID account and password and the Microsoft Authenticator for MFA.

We now have a need to support Certificate Based Authentication (CBA) in Azure Virtual Desktop. As I understand it, Entra ID Domain Services joined VMs do not support CBA. Instead the machines need to be Entra ID joined.

This introduces a real headache for us since all of our Azure Windows VMs are joined to our Entra ID Domain Services and we use Group Policy to manage them. What are people doing to push policies out to hosts in AVD host pools when the hosts are only Entra ID joined instead of Entra ID Domain Services joined?

Second question is about FSLogix which is what we currently use with our Entra ID Domain Services joined VMs. the VHDLocations registry entry on each of the domain joined hostpool VMs points to an Azure Files location in Azure Storage. Is this still feasible with Entra ID joined hostpool VMs? Is there any difference in what the username profile would be for an Entra ID joined hostpool compared to an Entra ID Domain Joined hostpool VM?

Any help is greatly appreciated. I've never had to manage machines that are only Entra ID joined

Azure Virtual Desktop
Azure Virtual Desktop
A Microsoft desktop and app virtualization service that runs on Azure. Previously known as Windows Virtual Desktop.
1,756 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Marcin Policht 44,360 Reputation points MVP
    2025-04-15T22:07:04.6+00:00

    When you move to Entra ID joined AVD VMs, you can no longer use GPOs because they rely on Active Directory or Entra Domain Services. Instead, organizations typically shift to Microsoft Intune (Endpoint Manager) for policy management. Microsoft Intune supports:

    • Device configuration profiles (security baselines, settings, etc.)
    • PowerShell script deployment
    • App installation (Win32, Store, etc.)
    • Conditional access and compliance policies

    You might consider combining baseline images or Azure Image Builder (to pre-bake certain policies and local GPO settings into the image used for AVD VMs) with custom scripts, but obviously this increases the management/maintenance overhead.

    Regarding your second question, as per https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable?tabs=azure-portal%2Cintune, Microsoft Entra Kerberos authentication for Azure Files (used by FSLogix) for cloud-only Entra ID users is not supported.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    1 person found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.