Configure FSLogix profile storage using Entra ID-joined Azure Files shares
Azure Files provides a reliable and cost-effective solution for FSLogix profile container storage, with the recommended Premium-tier Azure Files shares backed by solid-state drives (SSDs) and providing low latency for input and output (IO)-intensive workloads.
This article guides you through the process of configuring Azure Files storage so that users with cloud-only Entra ID identities, authenticated via Microsoft Entra Kerberos, can access their FSLogix profiles.
Notes:
Storing FSLogix profile containers for cloud-only or external identities is currently in preview. See the Microsoft Learn article Store FSLogix profile containers on Azure Files using Microsoft Entra ID for details.
This method supersedes a previous workaround for using Azure Files storage for FSLogix with cloud-only Entra ID authentication, accomplished using blob storage. The blob storage workaround is now considered deprecated, and we recommend this method exclusively for configuring Entra-joined FSLogix profile storage.
This method does not currently support Multi-Factor Authentication (MFA).
The tasks in this procedure are performed at the Account level.
Prerequisites
System/environment requirements
The target environment must meet the following requirements to configure Entra ID-joined FSLogix storage using this method:
The tenant must be in the public cloud; Government editions are not currently supported.
Any device on which the Entra ID-joined profiles are to be used must have Windows 11 24H2 or later with 2025-09 Cumulative Updates for Windows 11 (KB5065789) or later installed.
Role-based access control (RBAC) and permissions
Performing the tasks in this procedure requires the following access in Nerdio Manager and Microsoft Azure:
Nerdio Manager roles
The following Nerdio Manager roles allow you to carry out the tasks in this procedure:
- Users with the Account Admin role can configure Entra-joined Azure Files storage for FSLogix profiles on their own account.
- Users with the MSP Admin role can configure Entra-joined Azure Files storage for FSLogix profiles on any managed customer account.
Nerdio Manager custom RBAC role definitions
Following the Principle of Least Privilege (PoLP), you can define a Nerdio Manager custom role with the permissions Accounts.AzureFiles.* and Accounts.FslogixApps.* to carry out the tasks in this procedure.
Azure built-in roles
Following the Principle of Least Privilege (PoLP), the tasks in this procedure require the following Azure built-in roles:
| Role | Description | Purpose |
|---|---|---|
| | Create and manage storage accounts. | Required to authenticate with Entra ID in the customer tenant and join the storage account to Entra ID. |
| | Manage Conditional Access capabilities. | Required to exclude the storage account from any Conditional Access Policies that require MFA. |
Preparatory steps
Before you can configure FSLogix to use Entra-joined Azure Files storage for users authenticated by cloud-only Entra ID identities, you first need an Entra ID-joined Azure Files share. You can use an existing share provided it was created with an Entra ID directory join type, or create a new one in Nerdio Manager. After creating a new share, you need to manually authenticate with Entra ID to complete the directory join.
To create a new Entra ID-joined Azure Files share:
At the Account level, navigate to Azure Files.
Select Add Azure Files.
Enter the following information:
Storage Account: From the drop-down list, select a storage account to use for the share.
Performance: From the drop-down list, select a performance tier for the share.
Important: We strongly recommend that you select Premium for the best user experience.
Redundancy: From the drop-down list, select the redundancy model you want to use for the share:
Locally redundant storage (LRS) copies your data synchronously three times within a single physical location in the primary region. LRS is the least expensive replication option, but isn't recommended for environments requiring high availability or durability.
Zone redundant storage (ZRS) copies your data synchronously across three Azure availability zones in the primary region.
For Azure Files shares with the Premium performance tier, only the locally redundant storage (LRS) and zone redundant storage (ZRS) options are available.
File Share Name: Type a name for the share.
Provisioned Capacity (GiB): Type the size of the provisioned capacity.
Permissions (SMB Share Contributors): Specify the users/groups and/or security groups that should have the Storage File Data SMB Share Contributor role on the share.
Important: This is required for read/write access to the share.
Add users / groups from host pools: From the drop-down list, select one or more users/groups currently assigned to these host pools to be given the Storage File Data SMB Share Contributor role on the share.
Join to AD: To join the share to Entra ID:
Check the Join to AD box
From the drop-down list, select an Entra ID profile to join.
Notes:
Joining the storage account to Entra ID creates a temporary VM and uses the profile credentials to add the storage account as a Computer object in Entra.
Joining the storage account to Entra ID uses Entra ID Kerberos authentication. This configuration allows you to store FSLogix profiles that can be accessed by user identities from Entra ID-joined session hosts without requiring network line-of-sight to domain controllers. Entra ID Kerberos enables Entra ID to issue the necessary Kerberos tickets to access the file share with the industry-standard SMB protocol.
Enable SMB Multichannel: Select this option to improve the Azure Files Premium performance.
Note: Azure Files SMB Multichannel enables clients to use multiple network connections that provide increased performance. Increased performance is achieved through bandwidth aggregation over multiple NICs and utilizing Receive Side Scaling (RSS) support for NICs to distribute the IO load across multiple CPUs.
Select OK to create the share and exit the dialog.
To complete the Entra ID directory join:
Once you've created the Azure Files share, locate the share in the Azure Files Shares table.
Tip: If you have a long list of shares, use the search box at the top of the page to search for your Azure Files share by name.
In the Storage Account column, you'll see a warning icon next to the text Entra ID joined, indicating that you need to grant admin consent to complete Microsoft Entra joining. Select the icon.
Authenticate and grant consent using the credentials of an administrator in the customer account tenant.
Associate an FSLogix configuration profile with an Entra ID-joined Azure Files share
Before you can use your Azure Files share with FSLogix, you need to associate it with an FSLogix storage configuration profile.
To associate your Entra ID-joined Azure Files share with an FSLogix configuration profile:
At the Account level, navigate to Settings > Integrations, and locate the FSLogix Profiles storage tile.
To create a new configuration profile, select Add, or to edit an existing profile, select the name of the profile you want to edit.
Notes:
Changes to existing profiles will apply only to newly created or re-imaged hosts.
For a breakdown of all the available settings for FSLogix configuration profiles, see FSLogix Settings and Configuration.
Check the Configure session hosts registry for Microsoft Entra Joined storage box.
In the FSLogix Profiles path (VHDLocation) dropdown, select your Entra ID-joined Azure Files share.
Select OK to save your changes and exit the configuration dialog.
Optionally, select the set default option for the profile you just configured to ensure that it is used by default for future host pool provisioning.
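To confirm on a newly created or re-imaged session host that the configuration took effect, the following read-only check can be run in an elevated PowerShell session. It is an added example, not Nerdio Manager code. It assumes the registry values Microsoft documents for Entra Kerberos clients and FSLogix on Entra-joined hosts, since this page does not list which values the checkbox writes.

```powershell
# Added example, not Nerdio's code: read-only checks to run on a session host.
# Assumption: these are the values Microsoft documents for Entra Kerberos
# clients and for FSLogix on Entra-joined hosts; this page does not list
# which values the Nerdio Manager checkbox writes.
$registryChecks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
       Name = 'CloudKerberosTicketRetrievalEnabled'; Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
       Name = 'LoadCredKeyFromProfile'; Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\FSLogix\Profiles'
       Name = 'Enabled'; Expected = 1 }
)

$results = @(foreach ($check in $registryChecks) {
    # A missing key or value yields $null, which is reported as a failure.
    $item   = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($check.Name) } else { $null }
    [pscustomobject]@{
        Check  = $check.Name
        Actual = $actual
        Pass   = ($actual -eq $check.Expected)
    }
})

# Prerequisite from this page: Windows 11 24H2 or later (24H2 is build 26100).
$cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber
$results += [pscustomobject]@{
    Check  = 'OS build >= 26100'
    Actual = "$build.$($cv.UBR)"   # UBR reflects the installed cumulative update
    Pass   = ($build -ge 26100)
}

# The profile path should point at an Azure Files share in the public cloud.
$fslogix = Get-ItemProperty -Path 'HKLM:\SOFTWARE\FSLogix\Profiles' -ErrorAction SilentlyContinue
$vhd     = @($fslogix.VHDLocations | Where-Object { $_ })
$nonAzure = @($vhd -notmatch '^\\\\[^\\]+\.file\.core\.windows\.net\\')
$results += [pscustomobject]@{
    Check  = 'VHDLocations targets Azure Files'
    Actual = $vhd -join '; '
    Pass   = (($vhd.Count -gt 0) -and ($nonAzure.Count -eq 0))
}

$results | Format-Table -AutoSize
```

The build check confirms only the 24H2 baseline; compare the reported revision number against Microsoft's release notes for KB5065789 to confirm the cumulative update level.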