100% Cloud AVD?

I saw THIS Azure Academy video on setting up 100% cloud AVD desktops with Azure Files + Azure AD. It is based on THIS blog post that walks through the steps as well.

I know it's not Microsoft supported or production environment ready, but I'm excited to try it out. However, I'm not able to get it working with Nerdio or Native AVD.

Has anyone been able to get this working?


Comments (3)

Tomas

The issue is with the identities.
The device can be AAD-joined, the device can have no line of sight to another server, and the user can sign in using their cloud identity/credentials; BUT the user identity must be hybrid, so a DC is needed for the Azure file share to run Kerberos authentication against.

That being said, workaround...

Set the local group policy or registry keys as you normally would, pointing to the file share.
The necessary setting is "access network as computer".
The key to getting it to work is a startup script that mounts the share in system context:

net use U: \\demostorage.file.core.windows.net\fslogix /u:demostorage XvUDm3ramwSPKK6E/dZcV+vzsYgRp0JtyspsJ9XmTIWqcLazhhXgBM1NEHnia+clFox18XTKjyjG+AStTEcrBA==
This will let the system utilize the storage account key, so when the user connects it will use that instead of device authentication against the file share.
All users will have a U drive at this point.
Mapping without the drive letter does not work for some reason.
Should be able to hide the U drive and call it good.
AAD only, no other server.
I did give Storage File SMB Elevated Contributor to the server device, server service principal, and the user. I don't believe 2 of those are needed.

DStephenson

Thanks, Tomas.
We've been testing Kerberos Auth for AVD as well but found the same limitation (which makes sense with how Kerberos works), where it will only work with a hybrid user.

Luckily, we were able to get 100% Cloud AVDs working! (And now have two different ways to accomplish it 😁)

The problem was I was trying to apply the configurations from a user context instead of running it in a system context. Oops.
If we run the script from the Azure Portal Run Command blade of the VM (or with a tricky scripted action using Nerdio Secure Variables (screenshot below)), we were able to log in with a cloud-only account and the user VHDX was created successfully!
The only other configuration we needed to do for the cloud-only environment was to add another registry key
(reg add HKLM\Software\Policies\Microsoft\AzureADAccount /v LoadCredKeyFromProfile /t REG_DWORD /d 1) (Details about the key are HERE) before users log in; otherwise their browser cookies/passwords in their AVD session are forgotten every time the host reboots. (See this forum post for more details)

However, because of the security concerns with implementing this kind of solution, we looked back at the Cloud Cache/Blob Storage method of configuring FSLogix to work with cloud-only accounts. Surprisingly, I'm glad to say that that works as well.
If you follow THIS Nerdio article for setting up FSLogix Profiles for AADJ Multi-User Host Pools with Azure Page Blobs, and run that same registry key ((reg add HKLM\Software\Policies\Microsoft\AzureADAccount /v LoadCredKeyFromProfile /t REG_DWORD /d 1) (Details about the key are HERE)) (we're doing this as a scripted action when deploying hosts), cloud-only and hybrid users are able to log in to the Host Pool and have an FSLogix Profile!

Even though we won't be using the System FSLogix Configuration for any production environments, it was a good experience going down that path and learning more about how to leverage the Nerdio Secure Variables. 🙂

Scripted Action: System FSLogix Configuration for Cloud-Only Users

DStephenson
(Edited)

Just as an update on this, we recently saw Tony's How to Use Azure Files with AADJ Method for AVD – Nerdio Help Center article and tried to get it to work with the scripted action.

We got it to work but needed to make some changes to the script above with the items below:

  • Surround the $secret variable parameter in $(<SecureVariable>)
  • Change the cmdkey command to use /user:localhost\$storageAccount and /pass:$secret
  • Add the registry key from THIS blog post to the scripted action
  • Use Nerdio to provision/configure FSLogix (like Tony did in his article)

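Pulling the pieces of this thread together, here is an added example (not from the thread, and not Nerdio's own code) of what the system-context script ends up looking like: the cmdkey form from the last comment, the FSLogix "access network as computer object" settings Tomas mentions, and the LoadCredKeyFromProfile key. The storage account name demostorage, the share name fslogix and the way the key is passed in are placeholders; how Nerdio substitutes a secure variable into $Secret is assumed, not documented here.

```powershell
# Startup script / scripted action for a cloud-only (AADJ) FSLogix host.
# Must run as SYSTEM, e.g. from the VM's Run Command blade, as the thread notes.
param(
    [string]$StorageAccount = 'demostorage',   # placeholder storage account
    [string]$ShareName      = 'fslogix',       # placeholder share name
    [Parameter(Mandatory = $true)]
    [string]$Secret                            # storage account key, injected by the caller (e.g. a secure variable); never hard-code it
)
$ErrorActionPreference = 'Stop'
$FileServer = "$StorageAccount.file.core.windows.net"

# The mistake the thread describes: applying this from a user session.
# Bail out unless we really are SYSTEM, so the credential lands in the right store.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($me -ne 'NT AUTHORITY\SYSTEM') { throw "Must run as SYSTEM, but running as $me" }

# Store the storage account credential in SYSTEM's credential store so that
# FSLogix, accessing the share as the computer object, uses the key.
& cmdkey.exe "/add:$FileServer" "/user:localhost\$StorageAccount" "/pass:$Secret" | Out-Null

# FSLogix profile container settings: enable, point at the share, and access
# the network as the computer object rather than the (cloud-only) user.
$fsl = 'HKLM:\SOFTWARE\FSLogix\Profiles'
New-Item -Path $fsl -Force | Out-Null
Set-ItemProperty -Path $fsl -Name Enabled -Type DWord -Value 1
Set-ItemProperty -Path $fsl -Name VHDLocations -Type MultiString -Value @("\\$FileServer\$ShareName")
Set-ItemProperty -Path $fsl -Name AccessNetworkAsComputerObject -Type DWord -Value 1

# Keep the AAD credential key inside the profile so browser cookies/passwords
# survive a host reboot (the extra key DStephenson needed).
$aad = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
New-Item -Path $aad -Force | Out-Null
Set-ItemProperty -Path $aad -Name LoadCredKeyFromProfile -Type DWord -Value 1

# Confirm the share is reachable with the stored credential before any user logs on.
$unc = "\\$FileServer\$ShareName"
if (-not (Test-Path -Path $unc)) { throw "Cannot reach $unc with the stored credential" }
Write-Output "FSLogix cloud-only configuration applied; $unc reachable as SYSTEM"
```

Note that the key passed to cmdkey /pass: is visible in process command-line auditing (for example Sysmon or 4688 events) on the host, which is part of the security concern the thread raises about this approach compared with the Cloud Cache/Blob method.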