Assigning permissions when using Azure Files for FSLogix Profiles in WVD

David Schrag 376 Reputation points
2021-03-04T21:13:53.373+00:00

My goal is to use a share in Azure Files to house the FSLogix profiles for users in a Windows Virtual Desktop (WVD) environment that is part of an Azure Active Directory Domain Services (AADDS) domain.

I am following instructions at https://learn.microsoft.com/en-us/azure/virtual-desktop/create-profile-container-adds.

There are two places to set permissions to the file share -- within the Azure portal and at the virtual machine level. In the Azure portal, you assign permissions to an Azure AD identity. At the VM level, you assign permissions to an Active Directory object that exists within the AADDS domain.

If you want to assign these permissions at the user level, there doesn't seem to be a problem. But I want to assign permissions at a group level, and I'm getting stuck. As far as I can tell, in the Azure portal you can only assign permissions to Security groups, not to Microsoft 365 groups. (When I go to the Role Assignments page and click Add, my Microsoft 365 groups do not appear.) But at the VM/domain level, you can only assign permissions to objects with an email address. Microsoft 365 groups have an e-mail address, but Security groups in Azure do not.

Does this mean we have to maintain two groups for each set of WVD users with FSLogix profiles -- a matching pair of M365 and Security groups with the same membership?


Accepted answer
  1. David Schrag 376 Reputation points
    2021-04-02T19:26:06.72+00:00

    The answer is that you don't need a Microsoft 365 group. An Azure AD security group will be fine. An e-mail address is NOT required. To assign the permissions to the AAD group, you simply reference the group name, which may have to be in quotes, for example:

    icacls F: /grant "WVD Users":(M)

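The following PowerShell is an added example, not part of the accepted answer or of Microsoft's documentation. It shows the full sequence the answer describes on a session host joined to the AADDS domain: map the Azure Files share with the storage account key (which is what the linked guide uses for the one-time NTFS setup), grant the Azure AD security group Modify with icacls, and then read the ACL back to confirm the group resolved. The storage account name, share name and drive letter are placeholders; "WVD Users" is the group name from the answer.

```powershell
# Added example: grant an AADDS security group NTFS permissions on an Azure Files share.
# Placeholders: <storageaccount>, <sharename>; the key is prompted for, not stored in the script.
$StorageAccount = "<storageaccount>"
$ShareName      = "<sharename>"
$DriveLetter    = "Y"
$GroupName      = "WVD Users"   # Azure AD security group; no e-mail address is needed

# The SMB username for key-based access is Azure\<storageaccount>.
$StorageKey = Read-Host -AsSecureString -Prompt "Storage account key"
$Credential = New-Object System.Management.Automation.PSCredential("Azure\$StorageAccount", $StorageKey)
$Root       = "\\$StorageAccount.file.core.windows.net\$ShareName"

# Map the share for this session only (no -Persist), since the key grants full access.
New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $Root -Credential $Credential | Out-Null
$SharePath = "${DriveLetter}:\"

# Grant Modify to the group. The quotes matter because the group name contains a space,
# and ${GroupName} keeps PowerShell from reading "$GroupName:" as a scope qualifier.
icacls $SharePath /grant "${GroupName}:(M)"

# Verify: the group should now appear in the ACL of the share root.
$Acl = Get-Acl -Path $SharePath
$Entry = $Acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$GroupName" }
if ($null -eq $Entry) {
    Write-Warning "Group '$GroupName' was not found in the ACL; check that the session host can resolve it in the AADDS domain."
} else {
    Write-Output ("{0}: {1} ({2})" -f $Entry.IdentityReference, $Entry.FileSystemRights, $Entry.AccessControlType)
}

# Drop the key-based mapping; users will mount the share with their own Kerberos identity.
Remove-PSDrive -Name $DriveLetter
```

If the verification step prints a warning, the usual cause is that the session host is not joined to (or cannot reach) the AADDS domain that holds the group, so icacls cannot resolve the name; the grant does not need an e-mail address, only a resolvable security principal.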

5 additional answers

  1. David Schrag 376 Reputation points
    2021-03-11T15:26:16.507+00:00

    Yes, I can (and will) open a request directly, but I prefer to share knowledge like this with the broader community.