Use Azure Files with Entra ID-joined method for AVD

This is a workaround until Microsoft fully supports Entra ID with Kerberos. Instead of using Azure Blob Storage, Azure Files Premium offers faster performance and supports backups in Nerdio Manager.

For more details, see Store FSLogix profile containers on Azure Files using Microsoft Entra ID in a cloud only scenario.

Note: Microsoft released the public preview around November 2025 of supporting cloud-only authentication for Azure Files natively. See Store FSLogix profile containers on Azure Files using Microsoft Entra ID for details. Nerdio is working on implementing the new method natively in a future release.

Warning: For Azure Virtual Desktop, if your session hosts are running Windows 11 22H2 or later, Windows Defender Credential Guard automatically removes the StorageAccountKey from Windows Credential Manager each time a session host is stopped (deallocated). To prevent this, you need to disable Credential Guard. For more details, see Credential Guard overview - Windows Security.

For this method, complete the following steps:

Step 1: Create the required Azure resources

The first step is to create the required Azure resources. This includes a storage account and a file share in the storage account.

To create the required Azure resources:

  1. In Nerdio Manager, navigate to Storage > Azure Files.

  2. Select Add Azure Files.

  3. In the new dialog box, enter the following information:

    • Storage account: Enter the name for a new storage account, and then under the field, select Create [your account name] as new Storage account.

      Notes:

      • The storage account name must be globally unique to the Azure region.

      • It must contain no more than 24 characters, using only numbers and lowercase letters, with no special characters or spaces.

    • Storage account description: Enter a meaningful description for your storage account.

    • Resource group: From the drop-down list, select the resource group for the newly created storage account and file share.

    • Location: Select the Azure region where this storage account and file share should be created.

      Note: For AVD host pools, the region must be the same as for AVD session host VMs.

    • Performance: From the drop-down list, select the performance tier for the Azure Files share.

      Tip: It is recommended that you select Premium for the best user experience. Be aware that this setting can't be changed after the storage account is created.

    • Replication: From the drop-down list, select the type of storage replication. LRS is the default.

      Note:

      • LRS (locally redundant storage): Copies your data synchronously three times within a single physical location in the primary region. LRS is the least expensive replication option, but it isn't recommended for environments requiring high availability or durability. It provides the lowest cost with basic protection against server rack and drive failures, and is recommended for non-critical scenarios.

      • ZRS (zone-redundant storage): Copies your data synchronously across three Azure availability zones in the primary region. It provides protection against datacenter-level failures, and is recommended for high availability scenarios.

    • File share name: Enter the name for the file share to be created on the storage account.

      Tip:

      • There can be multiple file shares in the same storage account.

      • File share names can contain only lowercase letters, numbers, and hyphens, and must begin and end with a letter or a number. The name cannot contain two consecutive hyphens.

    • File share description: Enter a meaningful description for the file share.

    • Provisioned capacity (GiB): Enter the size of the provisioned capacity. It should exceed 100 GB.

      Note: Provisioned capacity defines the cost and performance of Azure Files Premium shares.

    • Storage account configuration:

      • Share-level permission: Select this option to set the default share-level permissions on the storage account.

        • SMB Share Contributor: Select this option to allow all authenticated users read/write access to the share.

        • SMB Share Reader: Select this option to allow all authenticated users read-only access to the share (for example, App Attach).

      • Join AD or Entra ID: Clear this option so that the file share is not joined to AD or Entra ID.

      • Enable SMB Multichannel: Select this option to improve Azure Files Premium performance.

        Note: Azure Files SMB Multichannel enables you to use multiple network connections that provide increased performance. Increased performance is achieved through bandwidth aggregation over multiple NICs and using Receive Side Scaling (RSS) support for NICs to distribute the IO load across multiple CPUs.

    • File share configuration:

      • Permissions (SMB Share Contributors): Specify users, groups, and/or security groups to have Storage File Data SMB Share Contributor role on the share.

        Notes:

        • This is required for read / write access to the share.

        • If you don't have the group provisioned yet, the field can remain undefined.

      • Add users / groups from host pools: From the drop-down list, select one or more host pools and users / groups currently assigned to these host pools to be assigned the Storage File Data SMB Share Contributor role on the share.

      • Assign NTFS file-level permissions: Select this option to assign NTFS file-level permissions to the newly created file share.

        Note:

        • This option automatically creates a temporary VM to perform the permission assignment task.

        • You can change the configuration of a temporary VM in advanced settings.

        For details about default file permissions used on new Azure Files shares, see Configure directory and file-level permissions for Azure file shares.

        • App Attach: Select this option to grant authenticated users Read permission to subdirectories in the share. This is recommended for shares containing App Attach applications.

        • FSLogix: Select this option to grant authenticated users Modify permission to the root directory in the share, allowing for the creation of FSLogix profile folders. This is recommended for shares containing FSLogix profiles.

      • Show advanced settings: Expand this section to define the following temporary VM settings:

        • Name: Enter the name to be used for the temporary VM.

        • Network: From the drop-down list, select the network where the temporary VM should be created. This network and VM must have access to the storage location selected above.

        • Desktop image: From the drop-down list, select the image.

        • VM size: From the drop-down list, select the VM size.

          Tip: Select a larger VM for the task to complete faster.

        • OS disk: Select the OS disk type for the temporary VM.

          Tip: Select a Premium SSD disk for a faster container creation process.

        • Resource group: From the drop-down list, select the resource group for the temporary VM.

      • Apply tags: Expand this section and specify the tags to be applied to the new storage account and share.

        • Tag groups: Optionally, assign tag groups if required.

  4. Select OK.

  5. Copy the storage account name (not the file share name) and paste it to Notepad. You will later add it to a secure variable in Nerdio Manager.

  6. Copy the UNC path of the Azure Files share, which you will need to provide in Step 4: Configure the FSLogix profile for a host pool profile:

    1. Next to the Azure Files share name, select the copy icon.

    2. Paste the copied UNC path to Notepad.

Step 2: Copy the storage account key

Once you have created a new storage account, and a new file share in that storage account, you can now copy the StorageAccountKey value that you need to include in the script.

To copy the storage account key:

  1. In the Azure portal, navigate to Storage accounts, and then select the name of the storage account you created.

  2. In the left blade, in the Security + networking section, select Access keys.

  3. Under the key1 field, copy the key and paste it to Notepad.

Step 3: Create a scripted action with secure variables

The next step is to create a scripted action for Entra ID Join Windows Credential Manager and the required secure variables.

To create a scripted action:

  1. In Nerdio Manager, navigate to Scripted Actions > Windows Scripts.

  2. Select New scripted action.

  3. In the new dialog box, enter the following information:

    • Name: Enter EntraIDWindowsCredentialManager.

    • Description: Enter the script's description.

    • Tags: From the drop-down list, select optional tags for the script. These tags are used for searching and organization.

    • Script Execution Mode: From the drop-down list, select Individual with restart.

    • Script: Paste the following script into the field.

      # Variables: the storage account name and key are passed in as Nerdio secure variables
      $storageAccount = $SecureVars.FSlgxStorageAccount
      $user = "localhost\$storageAccount"
      $fileServer = "$storageAccount.file.core.windows.net"
      $secret = $SecureVars.FSLgxSecret

      # Store the storage account credential in Windows Credential Manager
      # (arguments are quoted so the key is passed intact regardless of its characters)
      & cmdkey.exe "/add:$fileServer" "/user:$user" "/pass:$secret"

      # Create the AzureADAccount policy key if it doesn't exist
      $policyPath = "HKLM:\Software\Policies\Microsoft\AzureADAccount"
      if (-not (Test-Path $policyPath)) {
          New-Item -Path $policyPath -Force | Out-Null
      }

      # Set the LoadCredKeyFromProfile policy value (add it, or overwrite it if it already exists)
      New-ItemProperty -Path $policyPath -Name "LoadCredKeyFromProfile" -Value 1 -Type DWord -Force | Out-Null

      # Disable Credential Guard so the stored credential is not removed when the host is deallocated
      New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LsaCfgFlags" -Value 0 -Type DWord -Force | Out-Null

  4. Once you have entered all the desired information, select Save & close.

To add the required secure variables:

  1. Navigate to Settings > Environment.

  2. On the Nerdio tab, create the storage account variable:

    1. Expand the Secure variables section, and then select Add Secure Variable.

    2. In the new dialog box, enter the following information:

      • Name: Enter FSlgxStorageAccount.

      • Value: Paste the storage account name that you previously saved to Notepad.

      • Pass variable to specified scripted actions only: Select this option to pass this variable only to the specified scripted action.

      • Scripted actions: From the drop-down list, select the previously created EntraIDWindowsCredentialManager script.

    3. Select OK.

  3. On the Nerdio tab, create the FSLogix secret variable:

    1. In the Secure variables section, select Add Secure Variable.

    2. In the new dialog box, enter the following information:

      • Name: Enter FSLgxSecret.

      • Value: Paste the storage account key that you previously saved to Notepad.

      • Pass variable to specified scripted actions only: Select this option to pass this variable only to the specified scripted action.

      • Scripted actions: From the drop-down list, select the previously created EntraIDWindowsCredentialManager script.

    3. Select OK.

Step 4: Configure the FSLogix profile for a host pool profile

The next step is to configure the FSLogix settings for a host pool profile.

To configure the FSLogix settings for a host pool profile:

  1. Navigate to Settings > Profiles Management.

  2. Next to the host pool profile you wish to work with, select the pencil icon.

  3. In the FSLogix Profiles Storage Configuration dialog box, enter the following information:

    • FSLogix Profiles path (VHDLocation): Enter the file share's UNC path \\[STORAGEACCOUNTFQDN]\[FILESHARE] that you previously recorded.

      Note: For example, for the file share aadjfsl on the storage account aadjstorage01, the path is \\aadjstorage01.file.core.windows.net\aadjfsl.

    • FSLogix Registry Options:

      1. In the Search settings by name field, search for AccessNetworkAsComputerObject.

      2. On the Profile Settings tab, in the Configuration column, set the setting value to 1.

  4. Select Save.

Note: Make sure the host pool profile you've configured is assigned to relevant host pools. For details, see Manage host pool profiles.

Step 5: Configure scripted actions

After you've configured the FSLogix settings for a host pool profile, you need to configure scripted actions to run on individual host pools.

To configure scripted actions for a host pool:

  1. Locate the host pool you wish to work with.

  2. From the more options menu, select Settings.

  3. In the Desktop Settings dialog box, go to the Scripted Actions tab.

  4. Enter the following information:

    • Run Scripted actions when host VM is CREATED and Run Scripted actions when host VM is STARTED: Enable these options.

    • From the scripts drop-down lists, select EntraIDWindowsCredentialManager.

  5. Select Save or Save & close.

Step 6: Re-image the host pool

To apply the new settings across all session hosts, you need to re-image the host pool. Re-imaging ensures every VM is rebuilt with the updated configuration. For details, see Resize/re-image a host pool.
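The following verification script is an added example and is not part of this article or of Nerdio Manager; it checks, on a session host, the state that Steps 3 and 4 are meant to produce and that the Credential Guard warning at the top of the article describes. Run it in an elevated PowerShell session after the host has been restarted, and in the same security context that the scripted action ran in, because cmdkey stores credentials per user account. The storage account name is a constructed placeholder; the FSLogix registry values (VHDLocations, AccessNetworkAsComputerObject under HKLM:\SOFTWARE\FSLogix\Profiles) and the Win32_DeviceGuard class are Microsoft's documented names, not taken from the article.

```powershell
# Verification script (added example, not from the Nerdio article or product).
# Reports whether the stored credential, registry policy, Credential Guard state and
# FSLogix settings on this session host match what the article's procedure expects.

$storageAccount = "aadjstorage01"                      # constructed placeholder: replace with your own
$fileServer     = "$storageAccount.file.core.windows.net"
$results        = [ordered]@{}

# 1. Is the storage account credential still present in Credential Manager?
#    Credential Guard removes it on deallocate, so this is the first thing to check
#    after a stop/start cycle. cmdkey lists credentials for the calling account only.
$credList = @(& cmdkey.exe /list:$fileServer 2>&1)
$results['CredentialStored'] = [bool]($credList | Select-String -SimpleMatch $fileServer -Quiet)

# 2. Is the LoadCredKeyFromProfile policy value set as in the Step 3 script?
$aad = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\AzureADAccount' -ErrorAction SilentlyContinue
$results['LoadCredKeyFromProfile'] = ($aad.LoadCredKeyFromProfile -eq 1)

# 3. Is Credential Guard configured off (LsaCfgFlags = 0) and actually not running?
#    Win32_DeviceGuard.SecurityServicesRunning contains 1 while Credential Guard is active,
#    so a host can have the registry value set and still be protected until it restarts.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$results['LsaCfgFlagsIsZero'] = ($lsa.LsaCfgFlags -eq 0)
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$results['CredentialGuardRunning'] = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

# 4. FSLogix settings from Step 4: the profile path points at the share and
#    AccessNetworkAsComputerObject = 1 (FSLogix accesses the share as the computer account).
$fsl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\FSLogix\Profiles' -ErrorAction SilentlyContinue
$results['VHDLocations']                  = ($fsl.VHDLocations -join ';')
$results['VHDLocationsPointsAtShare']     = [bool](($fsl.VHDLocations -join ';') -like "*$fileServer*")
$results['AccessNetworkAsComputerObject'] = ($fsl.AccessNetworkAsComputerObject -eq 1)

# 5. Can the host reach the file share endpoint over SMB (TCP 445)?
$results['Smb445Reachable'] = (Test-NetConnection -ComputerName $fileServer -Port 445 -InformationLevel Quiet)

[pscustomobject]$results | Format-List
```

If CredentialStored is false after a stop/start while CredentialGuardRunning is true, the host was restarted before the LsaCfgFlags change took effect, or Credential Guard is enforced by another policy; re-running the scripted action alone will not help until Credential Guard is actually off. If CredentialStored is true but profiles still fail to attach, check VHDLocationsPointsAtShare and AccessNetworkAsComputerObject next, since the credential is only used when FSLogix connects as the computer account.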

Comments (1 comment)

Ryan Dorman

I struggled with this for a while. I wanted to use secure variables to store the Storage Account name and the access key so I could generalize the script. It was a bit of a challenge due to escaping characters and stringing everything together in a way PowerShell liked. Here's what I came up with:

$arguments = '/add:'+$SecureVars.profileAccountName+'.file.core.windows.net'+' /user:localhost\'+$SecureVars.profileAccountName+' /pass:'+$Securevars.profileAccountSASkey
start-process cmdkey.exe -ArgumentList $arguments
