How to Use Azure Files with Entra ID Joined Method for AVD

This is a workaround until Microsoft fully supports Entra ID with Kerberos. Compared with Azure Blob Storage, Azure Files Premium performs much faster and supports backups in Nerdio Manager.

Note: If you are running Windows 11, and you use this method, we have seen issues where Credential Guard removes the StorageAccountKey from Windows Credentials. See this Microsoft article for more details: Credential Guard overview - Windows Security | Microsoft Learn.

Create the Required Azure Resources

The first step is to create the required Azure resources. This includes a storage account and a file share in the storage account.

To create the required Azure resources:

  1. In the Azure portal, navigate to Storage accounts.

  2. Select + Create.

  3. Enter the following information:

    • Subscription - Resource Group: From the drop-down lists, select the desired subscription and resource group.

    • Storage account name: Type the name of the storage account.

    • Region: From the drop-down list, select the region.

    • Performance: Select Premium.

    • Premium account type: From the drop-down list, select File shares.

    • Redundancy: From the drop-down list, select the desired redundancy level.

  4. Once you have entered all the desired information, select Review and then Create.

  5. Once the storage account is created, navigate into the storage account.

  6. On the blade on the left side, in the Data storage section, select File shares.

  7. Select + File share.

  8. Enter the following information:

    • Name: Type the name of the file share.

    • Provisioned capacity: Type 100.

    • Protocol: Select SMB.

  9. Once you have entered all the desired information, select Create.

  10. Record the UNC path of the new file share. For example, \\[[STORAGEACCOUNTFQDN]]\[[FILESHARE]].

  11. On the blade on the left side, in the Security + networking section, select Access keys.

  12. Copy the Key for Key1 to Notepad.

Create a Scripted Action in Nerdio Manager

The next step is to create a scripted action for Entra ID Join Windows credential manager.

To create the scripted action:

  1. In Nerdio Manager, at the Account level, navigate to Scripted Actions > Windows scripts.

  2. Select Add scripted action.

  3. Enter the following information:

    • Name: Type AADJWindowsCredentialManager.

    • Description: Type the script's description.

    • Tags: From the drop-down list, select optional tags for the script. These tags are used for searching and organization.

    • Script Execution Mode: From the drop-down list, select Individual with restart.

    • Script: Paste the following into the script.

      # Store the storage account key in Windows Credential Manager for the share's FQDN
      cmdkey.exe /add:[[STORAGE ACCOUNT FQDN]] /user:localhost\[[STORAGE ACCOUNT NAME]] /pass:[[STORAGE ACCOUNT KEY]]

      # Check if the key exists
      if (-not (Test-Path "HKLM:\Software\Policies\Microsoft\AzureADAccount")) {
          # Create the key if it doesn't exist
          New-Item -Path "HKLM:\Software\Policies\Microsoft\AzureADAccount" -Force
      }

      # Add or modify the property
      New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\AzureADAccount" -Name "LoadCredKeyFromProfile" -Value 1 -Type DWord -Force

      For example:

      # Store the storage account key in Windows Credential Manager for the share's FQDN
      cmdkey.exe /add:aadjazfileswinhart.file.core.windows.net /user:localhost\aadjazfileswinhart /pass:h/0xqVkR6V5KaJNoFWEYCXSwP5kXjXLcTXViWrbFqfskMLvmlizotlBRLFw+f6HEupw5cKw0IKvV+AStMO632Q==

      # Check if the key exists
      if (-not (Test-Path "HKLM:\Software\Policies\Microsoft\AzureADAccount")) {
          # Create the key if it doesn't exist
          New-Item -Path "HKLM:\Software\Policies\Microsoft\AzureADAccount" -Force
      }

      # Add or modify the property
      New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\AzureADAccount" -Name "LoadCredKeyFromProfile" -Value 1 -Type DWord -Force

  4. Once you have entered all the desired information, select OK.
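The following verification script is an added example and not part of the Nerdio article or its scripted action: run it on a session host after the scripted action has executed to confirm the stored credential, the registry value and share reachability, and to flag the Credential Guard condition noted at the top of this article. It assumes you run it in the same security context that ran cmdkey (Credential Manager entries are per user), and $StorageAccountFqdn and $FileShare are placeholder parameters you supply.

```powershell
# Added verification script (not from the Nerdio article). Checks the effects of the
# AADJWindowsCredentialManager scripted action on an Entra ID joined session host.
param(
    [Parameter(Mandatory)][string]$StorageAccountFqdn,   # e.g. <account>.file.core.windows.net
    [Parameter(Mandatory)][string]$FileShare             # e.g. profiles
)

$results = [ordered]@{}

# 1. Is the storage account credential still present in Windows Credential Manager?
#    cmdkey /list only shows the current user's store, so run as the same account
#    that executed the scripted action.
$cmdkeyOutput = cmdkey.exe /list 2>&1
$results['CredentialStored'] = [bool]($cmdkeyOutput | Select-String -SimpleMatch $StorageAccountFqdn)

# 2. Was the LoadCredKeyFromProfile policy value written?
$regPath = 'HKLM:\Software\Policies\Microsoft\AzureADAccount'
$value = (Get-ItemProperty -Path $regPath -Name LoadCredKeyFromProfile -ErrorAction SilentlyContinue).LoadCredKeyFromProfile
$results['LoadCredKeyFromProfile'] = ($value -eq 1)

# 3. Is Credential Guard running? SecurityServicesRunning contains 1 when it is.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue
$results['CredentialGuardRunning'] = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

# 4. Can the FSLogix profile share be reached with the stored credential?
$results['ShareReachable'] = Test-Path -Path "\\$StorageAccountFqdn\$FileShare"

[pscustomobject]$results | Format-List

# Surface the specific failure mode described in the article's Windows 11 note.
if ($results['CredentialGuardRunning'] -and -not $results['CredentialStored']) {
    Write-Warning "Credential Guard is running and the storage account credential is missing from Credential Manager; this matches the Windows 11 behaviour noted in this article."
}
```

Schedule it with the same trigger as the scripted action (host CREATED / STARTED) if you want the check to run automatically after each host restart.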

Configure the Host Pools in Nerdio Manager

The next step is to configure the host pools. This includes the FSLogix and VM Deployment settings.

To configure the host pools:

  1. In Nerdio Manager, at the Account level, navigate to AVD > Host Pools.

  2. Locate the host pool you wish to work with.

  3. From the action menu, select Properties > FSLogix.

  4. Enter the following information:

    • FSLogix Profiles path: Type the UNC path for the file share \\[[STORAGEACCOUNTFQDN]]\[[FILESHARE]] that you previously recorded.

      For example: \\aadjazfileswinhart.file.core.windows.net\profiles

    • FSLogix Registry Options: Add "AccessNetworkAsComputerObject"=dword:1.

  5. Once you have entered all the desired information, select Save.

  6. Navigate to the VM Deployment tab.

  7. In the Scripted Actions section, enter the following information:

    • Run Scripted actions when host VM is CREATED / Run Scripted actions when host VM is STARTED: Toggle on these options.

    • Windows scripts: From the drop-down list, select AADJWindowsCredentialManager.

  8. Once you have entered all the desired information, select Save or Save & close.
