AzureFiles AD Auth & FSLogix | Windows Virtual Desktop - #02

Video Statistics and Information

Captions
If you're serious about working with Windows Virtual Desktop in Azure, then you really need to consider FSLogix. FSLogix is a set of solutions that can enhance your ability to handle your VMs by specifically separating your user profiles or your Office profiles from the VM itself, so that your users, especially in a non-persistent environment, can move around from VM to VM but carry their user experience with them. But up until now, when you wanted to implement this in Azure, you had a couple of options: you could use NetApp Files, or you could build out your own file server with something like Storage Spaces Direct, or you could use the Azure storage accounts by leveraging blob storage, and finally you could have used Azure Files with Azure Active Directory Domain Services, and we have done a video on that as well; I've got that linked up here on the top right, so if you're interested in that, go check that out. But today we're looking at how we can implement FSLogix with a new twist. Now, things, as you know, are constantly being improved in Azure, and one of those things that the Microsoft storage product team has been working on for a while is to enable Active Directory authentication for those Azure file shares. So for the next few minutes we're going to dig into this new feature of Azure Files, and then we're going to leverage it for FSLogix with Windows Virtual Desktop. I'm Dean Cefola and this is the Azure Academy.

So we've got a lot to cover today, so let's go right over to the Azure docs, and the short link to get here again is aka.ms/AzureDocs. If it's been a while since you've looked at the docs, you may notice that the interface here has been redesigned, and so we've got some overview topics here: the Architecture Center as well as the Cloud Adoption Framework, and a link to Microsoft Learn where you can also build your skills; great content over there. Then as we scroll down the page we've got these featured items like Linux and Windows virtual machines, Cognitive Services, Functions, AKS (and we are planning a new series on AKS, so subscribe so you don't miss that), and then down the left side of the screen we've got the table of contents, where you can browse by all of our different products, and then at the bottom here we have different languages and tools that you can use, as well as links for the sovereign clouds. We'll scroll back up and go to our Storage link, and within Storage again we have multiple options; we'll be using File Storage, and over on the table of contents we'll go under How-to guides, we'll go to Secure, then we'll scroll down here to Enable Active Directory authentication and authorization.

So this is a brand-new feature that's been enabled in the cloud, again allowing us to use Active Directory instead of Azure AD Domain Services to be able to work with Azure Files. Now, because the feature is in preview, there are a few things that you just need to take note of here in this box: the account that you're using must be one that is synced from Azure Active Directory using Azure AD Connect (and we've done a video on Azure AD Connect; if you missed that, you can click on that up here), and aside from that, the other thing that I'll call out here in the prerequisites is that the Azure Active Directory you're syncing with must also be directly associated with your Azure subscription. Now, over on the right there is also a workflow overview, and this is basically the process that we're going to go through today, so you can read through that, and there's some other code that's here in this doc that we're going to go back and reference.

So let's get right into it. At the top here we'll click to create a resource, and at the bottom I'll click for a storage account. Then we need to put this in a resource group, and I'll set up a new one for this and we'll call it ADAuth-FSLogix-WVD, and then we need a name for our storage account and we'll call it adfslogixwvd000, and I'll put this in Central US because, according to the docs, East US, where I usually put stuff, is not currently available for this feature. We will choose our Standard performance (and if you need higher IOPS, up to 100,000, you can choose Premium). I will be using a V2 storage account and locally redundant storage on a hot access tier, and we'll hit Next. This is where we could set up a private endpoint if you want to use that, and we have a video on private endpoints, but I'll just leave it at all networks at this point, and Next. If you need larger file shares, say up to 100 TB, you can check this button here; in this particular case though I don't need that, so I'll just leave it disabled, but I do want secure transfer, and so we'll hit Next. Then we add our tags, and we've added our cost center so we know who's paying for this, what application this is related to (FSLogix in this case), and the environment is my lab. So we'll hit Next and our validation looks good; you can download the ARM template down here if you like, and we'll hit Create. Our storage account is now set up, and so if you look under Configuration we have that flag here for the identity-based access for file shares. This is where you would turn on the Azure Active Directory Domain Services if you wanted to use that, and you can see that we have here an Active Directory, and you can click that link and go to our docs and read about how authentication works to a storage account.

But we are going to go back to the docs here and click the link on the right to enable AD authentication for the account that we just created, and we need to download a prerequisite here: this is a PowerShell module that we're going to use to execute all the rest of the code on the page. You can see I've already downloaded this file from GitHub, and I'll just extract everything right to here, and there's our files. So let's take note of this directory and open PowerShell as an administrator. I've navigated already to that file location, and now on the right, in my script pane, I will copy over the code that was in the Azure documentation. Now what we're going to do is run the first command here, which will set our execution policy so that we'll be able to run this script. Then we'll run the second command here, which is one of the files that we downloaded, and that's going to go and discover all of the files in that directory where we just downloaded the code and move them to the appropriate location. Now we'll run the import for that new PowerShell module, and that'll just take a moment. You've got to run these next two commands to connect to your Azure subscription, so first you'll have to replace your subscription ID in this field, and this can be found under any one of your resources; you've got a subscription ID at the top here, so just click the copy link. I'll paste that in here and run these commands and log in. OK, so now I'm logged in, and now I want to run this last file, which is going to set up my storage account for Active Directory authentication. So we've plugged in those variables, and one thing to be aware of that is called out in the docs: if you're putting it somewhere where there is a password reset policy, then you will have to be aware of that and reset the password for the account; otherwise you're going to lose access when that password expires. Now, you can also add other parameters here, so I'll add a switch here for the domain, and we should be good to go. So let's run this command, and that has completed successfully. Now when we look at my OU where I set this up, I've got a new computer object, and when we open that object up it's got a description here of "computer account object for Azure storage account" and it lists my storage account name. Back in the Azure portal, if we look at our storage account configuration, we can scroll down a little bit here: Active Directory has been enabled, and the domain that we are joined to is also listed here.

We just completed the section named "Enable AD authentication for your account", and what we completed was step number two, executing the AD enablement script. Now I want to make sure that you understand that if you have done that successfully and you are seeing that feature flag turned on, this next section you can actually skip in the documentation, and that's called out here in this note block. So we can go right here to step number three, confirm that this feature is enabled. We'll copy this block, and now we just need to update our variables here for our resource group name and our storage account name. Then we can run that command and then run our next two commands together, and we see the AD feature flag has been turned on and we see our domain information.

Back in the documentation, we're ready to go to the next step, which is assign access permissions to an identity, and this is where we have to do two things: we have to grant Azure RBAC permissions, and we also have to set up NTFS permissions for our shares. Go back into our storage account; we'll go to Access control, and in Access control we'll go to Role assignments, and we're going to add a role assignment. The role that we will select here is going to be the SMB File Share Elevated Contributor, and that is again our admin account, and there's my WVD admin, so I'll save that. Then we'll add another permission here, and that'll be for the SMB File Share Contributor for my FSLogix users, which are the users group WVD Users, and we'll save that, and we can scroll down and see that yes, those permissions are now successfully applied.

So now we need to do the NTFS side of the equation. We'll go back to the Overview screen and open our file share, and in our file share we'll click the Connect button, select the drive that we want to map to (I'll pick the U: drive), and then we can click the copy button here to take our code block to our system to complete the map. I've pasted this into Notepad; now this will work, and certainly you can use that if you like. I'm going to show you another method, and this is where we will use the command net use, declare our drive letter, give it the path to the Azure Files share, and then give it our user name. And of course your third way to do it is through Windows itself, and you would do that in Windows File Explorer: you click to map a network drive, pick a drive letter, put in the path, and then you would select the box here for "connect using different credentials". When you hit Finish you'll be prompted; this needs to be the storage account name, and the format for that would be Azure\ followed by the storage account name, and the password would be the storage account key. We'll hit OK for that. So now that our drive is mapped, we'll test it here by just creating a folder real quick, and then if we go back to Azure, we'll close our little connect window and hit Refresh, and there is our WVD folder, and just to make sure we can see stuff the other direction, we'll remove that directory and then it is gone from our mapped drive.

So now that we've got this drive mapped, we have to set the NTFS permissions. We'll right-click on the drive and go to Properties, and we'll go to the Security tab and we'll press Edit. What we want to do here is click Add, and if all goes well, in the "From this location" box you should see your domain name. If instead you see the Azure storage account name, then the permissions have not worked quite as they should, but not to worry, there is a workaround: you can actually just do this from a command-line interface, and give it the drive letter with the /grant permission, and then you put in the user name that you want to grant access to, or the group, and you would do that by domain backslash group name, and then both of them should end with the colon and then an F in the parentheses like you see here. If the prior step in our code here had been done to see that the storage account was associated with the domain, you won't have this problem, but just in case you do, there's a workaround for you. But since my environment is working just fine, I'm going to put in my users, and I'm going to check my name, so we'll select those and hit OK. Now I'll grant my WVD admin Full Control on the share, and the WVD Users will need Modify permissions, and we'll hit Apply and OK.

What we should be able to do now is go to any other VM that's in the environment, and we should be able to log on with a user that's a member of that WVD Users group, and we should be able to map the share without entering credentials. I've logged on to a different VM in my environment with the account Superman; I can just go to my address bar now and should be able to go right to that share without credentials, and there we go. Now we're ready to set up FSLogix. There's one optional step that I'll show you as we're working with this, but to do that we're going to need DFS. We have done a video covering DFS, and I'll link that in the top here; basically we have to set up a namespace, which I have already done, and then once you have your namespace set up, you can right-click and add a new folder and give that folder a name (I'll call mine FSLogix), and then we'll click Add for a folder target, and here you can add your Azure file share, and again that is \\<storageAccount>.file.core.windows.net\ followed by whatever your share name is, and then hit OK, and then hit OK to complete that process, and there it is. So now if I go to my DFS, and I have that mapped to my Z: drive, then I can go right into FSLogix and I can create a new folder in here, call it DFS, which then shows up right in the Azure portal. So that's just an optional step that you can do if you want to hide that particular namespace; certainly not a requirement for FSLogix, but because it is applicable to the new storage account authentication, I thought I'd put it out there.

Then I want to take you out to one other link, and that would be https://aka.ms/FSLogix, and that'll take you to the main FSLogix documentation page. Under the How-to guides we'll click this first link to install the FSLogix agent, and this is where you can download the agent from, and I'll have this linked in the video description so that you can find that easily. I've logged on to one of my WVD session hosts now, and I have downloaded the latest agent, so I'll extract that and I'll just copy it down to my desktop, and then we'll go into the x64 folder, Release, and the FSLogix Apps Setup. All right, and the entire install is: check the box and click Install. That took about one minute of real time, but of course I sped that up in the video here. I'll close out of that window. Now, in order to set up FSLogix we have a registry key that we have to do, so under HKEY_LOCAL_MACHINE we'll go into SOFTWARE, the FSLogix folder, and we need to add a new registry key here. I've already done that and exported it so I can reuse it across all of my systems, so I'll just double-click my exported registry file and hit Run, and then we'll add that to our system. Now, I've added more than just the two required keys here, although we do have Enabled set to 1 and a VHD location pointing at my new FSLogix share, and these other entries that are here, you can look in the docs to see if those are applicable to you. Then one more thing we want to look at is under Computer Management, and that's the include/exclude groups. So if we go under Groups here, then we can set our include and exclude, and this is important because, especially as an administrator who needs to be on the systems but doesn't want my profile in FSLogix, I'm going to set myself to be excluded, and I'll repeat that for the Office and user profiles together. Then on the include side, by default we do have Everyone, so I'll remove that because I just want my WVD Users group to be added for this, and then I'll repeat that again for the profiles.

We've rebooted now, and I've pulled up the Task Manager so you can see my admin account is the only one that is logged in; no other user has been logged in yet on this machine. So here's the web client, and I'm logged in with the user Gamora. Let's log in to WVD and provide my credentials and hit Submit, and we can see FSLogix is starting up for us. The first time you log in with any user, even without FSLogix, it does take longer because it has to create your entire profile, and then FSLogix will of course store that wherever you're pointing your share, and in our case that is Azure Files. So if we pull up the Task Manager here and we go to the Users tab, we can see both of our users are logged in, and back from my administrator login we can see Gamora has successfully logged on and has the FSLogix folder for the profiles, and you can tell that from the local_Gamora here. Also, if we go to the Disk Management utility, we can see that Gamora's profile is loaded, and that is from FSLogix, because this is a VHD that is mounted onto the system. And from my DFS server's point of view, if I go to the shared drive to FSLogix, we've got our folders here for Gamora's user profile and Office profile, and those are redirected out to Azure Files, to our file share, the FSLogix folder, and we can see Gamora's directories are here as well.

So I hope that you've enjoyed looking at this brand-new feature that I know I've been waiting for for a long time. I'm super excited about this and the potential it's going to have for Windows Virtual Desktop with FSLogix, as well as other file share solutions. So hit me up in the comments and tell me how you'll be using this new feature or how you're using FSLogix, and if you thought this video was good, please do click that thumbs-up icon, and while you're down there, subscribe to the Azure Academy if you haven't done that already. Join us here at our community, where we're all just trying to learn about Azure and help each other out, and if you'd like to receive an email notifying you when our new videos come out, which is roughly once a week, you can click on the email notification as well. So if you're looking for something more, you can check out our latest video up here or one that's suggested just for you at the bottom, and if you have any comments about our new look, please feel free to share them with me; I'm looking for feedback as always. Thanks for joining us, and happy learning.
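The post-enablement check, the one-time admin share mapping, the command-line NTFS workaround and the two required FSLogix registry values from the walkthrough, as an added PowerShell example that is not code from the video or from the Azure docs. It assumes the resource group and storage account named in the video, a share named `fslogix`, a NetBIOS domain `CONTOSO`, an admin account `WVD-Admin` and the group `WVD Users`; the `/grant` workaround is implemented with `icacls`.

```powershell
# Added example, not from the video. Steps 1-3 run on an admin box with the
# Az module and Connect-AzAccount already done; step 4 runs on each session host.
$ResourceGroup  = 'ADAuth-FSLogix-WVD'
$StorageAccount = 'adfslogixwvd000'
$ShareName      = 'fslogix'      # assumed share name
$Domain         = 'CONTOSO'      # assumed NetBIOS domain name
$AdminAccount   = 'WVD-Admin'    # assumed admin account name
$UsersGroup     = 'WVD Users'
$SharePath      = "\\$StorageAccount.file.core.windows.net\$ShareName"

# 1. Confirm the account really was AD-enabled (step 3 of the walkthrough).
$sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$dirOption = $sa.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
if ($dirOption -ne 'AD') {
    throw "DirectoryServiceOptions is '$dirOption', expected 'AD'; re-run the enablement script"
}
$sa.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties | Format-List DomainName, DomainGuid

# 2. One-time admin mapping with the storage account key (Azure\<account> form
#    from the video). The key grants full access to the whole account, so it is
#    used only for this ACL setup and discarded afterwards; users reach the
#    share with their own Kerberos identity plus the SMB Share RBAC roles.
$key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount)[0].Value
net use U: $SharePath "/user:Azure\$StorageAccount" $key
if ($LASTEXITCODE -ne 0) { throw "net use to $SharePath failed" }

# 3. NTFS permissions: admin Full Control, users Modify, inherited by files (OI)
#    and subfolders (CI). This is the "/grant" command-line workaround the video
#    describes for when the Security tab cannot resolve the domain.
icacls U:\ /grant "${Domain}\${AdminAccount}:(OI)(CI)(F)"
icacls U:\ /grant "${Domain}\${UsersGroup}:(OI)(CI)(M)"
icacls U:\          # print the resulting ACL so it can be reviewed

net use U: /delete /y
$key = $null

# 4. FSLogix profile container settings on a session host: the two required
#    values the video imports from a .reg file, written directly.
$ProfilesKey = 'HKLM:\SOFTWARE\FSLogix\Profiles'
New-Item -Path $ProfilesKey -Force | Out-Null
Set-ItemProperty -Path $ProfilesKey -Name Enabled      -Value 1            -Type DWord
Set-ItemProperty -Path $ProfilesKey -Name VHDLocations -Value @($SharePath) -Type MultiString
Get-ItemProperty -Path $ProfilesKey | Select-Object Enabled, VHDLocations
```

If step 1 throws, the enablement script did not complete, so the computer object and the RBAC roles from the walkthrough need to be revisited before any ACLs are set.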
Info
Channel: Azure Academy
Views: 25,690
Rating: 4.9352751 out of 5
Keywords: ADAuth, AzureFiles, FSLogix, fslogix profile containers, azure academy windows virtual desktop, windows virtual desktop azure, AD Auth, learn windows virtual desktop, azure academy, Microsoft Azure Academy, Azure virtual desktop, Azure Files, windows virtual desktop, Active Directory, yt:cc=on, Office365, Cloud Adoption Framework, Azure, AD, Azure training, Security, Storage, Active Directory Auth, WVD, Azure Storage, Azure Tips and Tricks
Id: 9S5A1IJqfOQ
Length: 18min 40sec (1120 seconds)
Published: Sun Mar 01 2020