Migrate FSLogix Profiles from one Storage Account to another (region or upgrade)

Avatar
Johnny Lambert

Hey Y'all

So I had an issue where I needed to setup a new host pool in another region for a client. I tried using the Azure Storage Explorer and copying the profile over, but it did not work for me, and the users could not see their old profiles. So I did a bunch of testing and I found this works, for me.

DISCLAIMER*: this is not to say Azure Storage Explorer, or anyone else is wrong. Simply this worked for me, and I want to share what I found. The reason for this, is that I have found conflicting articles on if Azure Storage Explorer copies SMB Permissions and using AZCOPY you can copy those permissions.

  1. prepare you new environment:
    I'm not going to go over all of this, since it is not the meat of this article, but here are the things you need to make sure of...
    1.1: Create your new network and make sure peering is setup properly (all of this can be done via Nerdio)
    1.2: Create a Storage Account in the region. Make sure you have proper rights to it (this is NOT the file share! Make sure the storage is create and then create the Azure File Share via Nerdio so it can join it to AD).
    1.3: make sure you clone your image over to the new region (This can be done all in Nerdio, this may take a while)
    1.4: Create your host pool in that region and make sure everything is working with a domain admin login.
  2. There is a setting in the file share that should be enabled for the testing phase of this. Go to the storage account then under DATA STORAGE > FILES SHARE click the 3 dots on the right of the file share and go to PROPERTIES.
    From there, under IDENTITY-BASED ACCESS, you should see the DIRECTORY SERVICE = a blue link that says CONFIGURED. Click on that
    Under STEP 2, PERMISSIONS FOR ALL AUTHENTICATED USERS AND GROUPS > DEFAULT SHARE-LEVEL PERMISSIONS = ENABLE... For the Role = Storage File Data SMB Share Contributor.
  3. Now go to any machine (does not need to be on the network) and download AZCOPY. as of writing this here is the link I used.
  4. I placed the unzipped AZCOPY.EXE file under C:\Install and will be referencing that for the remainer of this doc.
  5. Open PS as an administrator. (CODE IN BOLD)
    cd  C:\install
    .\azcopy.exe login
    this will give you a prompt for a website with a code. Copy those and login as a global admin. Once completed it will tell you to close the browser and go back to PS.
  6. Prepare your code and generate SAS's.
    here is the base code we will use. Copy this to a notepad and then we will go through what we need to insert.
    .\azcopy.exe copy "<URL TO SOURCE STORAGE CONTAINER AND FILE SHARE>?<SAS TOKEN FOR SOURCE>" "<URL TO DESTINATION STORAGE CONTAINER AND POSSIBLY FSLOGIXFOLDER>?<SAS TOKEN FOR DESTINATION>" --recursive --preserve-permissions=true --preserve-smb-info=true

    NOTE: There are Question marks that divide the source URL and the SAS Token. Make sure they are there in your final code.

    You now need to go to the Storage Account of the Source (follow the same instructions for the Destination)
    Under SECURITY + NETWORKING > SHARED ACCESS SIGNATURE (or SAS).

    From here you will need to generate a SAS Token. Under ALLOWED RESOURCES I did all of them just to be safe, but someone smarter than me can comment on exactly what you need.

    Create a date range appropriate for your needed time. I used 4 hours but you can do what is useful for you.
    MAKE SURE YOU COPY THE TOKEN TO A NOTEPAD, you will not be able to get it again after you explorer away from the page.

    We are copying the SAS TOKEN after we generate it.
    Do the same for the Destination.

    Add all of this code together and you should get something like this (this is a fake link and SAS). I am showing what copying a folder and NOT all of the profile folders. For all of them, just delete out the last part

    .\azcopy.exe copy "https://storageaccount.file.core.windows.net/userprofiles/TestUser_S-1-5-21-1234567890-1234567890-9876543-1234
    ?sv=fake_date_and_code%3D" "https://destination.file.core.windows.net/userprofiles/TestUser_S-1-5-21-1234567890-1234567890-9876543-1234?sv=fake_stuff_here" --recursive --preserve-permissions=true --preserve-smb-info=true

    The biggest thing we need to make sure of is the --preserve-permissions=true & --preserver-smb-info=true

    Remember, this is for a single folder. If you want to do all the folders, then just go one level up and it will copy everything.

When you execute and it works properly, it should look like this:

You should be able to log into that region with the same user, using the same FSLogix profile!

Final Thoughts: I do not intend this to be a "This person is wrong" or any other type of negative connotation. I simply want to share what worked for me on an issue I know we all struggle on.

0

Comments (1 comment)

Sort by
1
Avatar
Dave Stephenson

Thanks for sharing, Johnny Lambert!

That's the great thing about Azure. There are many different ways to do something, and as long as it works for the customer at the end of the day, there's not a "right" or "wrong" way to do it. 😎

Just to make it a bit simpler, you could always use Azure Storage Explorer to create the base azcopy command and then add that additional --preserve-permissions=true argument to the command before you run it.
That way, you don't need to manually create any SAS tokens or accidentally mix-up the formatting on the azcopy command (believe me, I've messed it up plenty over the years . . . 🤦‍♂️).


Please sign in to leave a comment.