Hi, we're in the process of trying to set up an AVD environment where users connect to VMs with AAD credentials, with profiles provided by FSLogix. Everything is in place and we've followed the MS guide and subguides: https://learn.microsoft.com/en-us/azure/virtual-desktop/deploy-azure-ad-joined-vm. We can map the share fine using the storage account key, but when we try to access it with our AAD credentials we receive a generic incorrect username or password error. All the users we're trying to connect with are hybrid user identities imported from AD to AAD.
Things we've done / tried:
- Created storage account v2 in UK South, default settings for everything
- Created generic 'profiles' file share, default settings for everything
- Configured Azure AD Kerberos on the storage account, added in the optional domain name and GUID
- Given the service principal admin consent in the API permissions section
- There is no MFA policy applied, but we've disabled AAD security defaults
- Assigned Storage File Data SMB Share Contributor to relevant users, also tried Elevated Contributor
- Mapped the drive with net use using the storage key and given relevant users full permissions to the file share; on separate attempts we've also done the same with icacls
- Set up and confirmed that port 445 is unblocked
- The machines we're using for testing exist in AD in an OU where no GPOs are applied
- We've also done all the setup for FSLogix, but we can't get that far yet.
As far as we can tell, we haven't missed anything and our setup should support this configuration; any advice would be greatly appreciated.
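A client-side check script, run on one of the session hosts, that walks the same steps the post lists and tries to isolate which leg fails (port, storage account identity config, client-side cloud Kerberos ticket retrieval, ticket for the file service, and only then the SMB mapping). This is an added example, not code from the original post or from the Microsoft guide; the storage account name, resource group and share name are placeholders to replace, and it assumes the Az.Storage module is installed and `Connect-AzAccount` has already been run.

```powershell
# Added diagnostic script (not part of the original post or the MS guide).
# Placeholders: replace <storageaccount> and <rg>; 'profiles' is the share from the post.
$StorageAccount = "<storageaccount>"
$ResourceGroup  = "<rg>"
$ShareName      = "profiles"
$Fqdn           = "$StorageAccount.file.core.windows.net"

# 1. Is port 445 actually reachable from this session host?
$tnc = Test-NetConnection -ComputerName $Fqdn -Port 445
if (-not $tnc.TcpTestSucceeded) { Write-Warning "TCP 445 to $Fqdn is blocked from this host" }

# 2. Does the storage account report Azure AD Kerberos as its identity source?
#    Expect DirectoryServiceOptions = AADKERB and the domain name/GUID populated under
#    ActiveDirectoryProperties for hybrid identities.
$acct = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$acct.AzureFilesIdentityBasedAuth | Format-List
$acct.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties | Format-List

# 3. Is this client allowed to retrieve cloud Kerberos tickets? (Windows setting the guide
#    configures via GPO or registry; without it the AAD-joined client never asks for the ticket.)
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
$val = (Get-ItemProperty -Path $regPath -Name CloudKerberosTicketRetrievalEnabled -ErrorAction SilentlyContinue).CloudKerberosTicketRetrievalEnabled
if ($val -ne 1) { Write-Warning "CloudKerberosTicketRetrievalEnabled is not 1 on this client" }

# 4. Can the logged-on user get a service ticket for the file endpoint, before any net use?
#    A failure here points at the Kerberos leg (AAD Kerberos config, admin consent, MFA/CA on
#    the storage account) rather than at share or NTFS permissions.
klist purge | Out-Null
klist get "cifs/$Fqdn"
$ticket = klist | Select-String "cifs/$Fqdn"
if (-not $ticket) { Write-Warning "No cifs/$Fqdn ticket obtained; check the Kerberos leg first" }

# 5. Only once a ticket exists, map with the user's own identity (no storage account key).
net use Z: "\\$Fqdn\$ShareName" /persistent:no
if ($LASTEXITCODE -ne 0) { Write-Warning "Mapping failed with a valid ticket; look at share-level RBAC and NTFS ACLs" }
```

The ordering matters for reading the result: a generic "incorrect username or password" can come from either the Kerberos exchange or the share-level authorization, and step 4 separates the two before the mapping is attempted.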