Azure Files with Microsoft Entra Kerberos authentication for FSLogix profiles in an Entra ID-joined AVD

Hi Guys! I was playing in my demo environment and finally successfully implemented Azure Files with Microsoft Entra Kerberos authentication for FSLogix profiles in an Entra ID-joined AVD environment managed through Nerdio.

A few notes that may help others going through the same process:

1. Create and configure the Azure Files storage account from Nerdio

I created the Storage Account directly from the Nerdio wizard and selected the Microsoft Entra ID authentication option during deployment.

2. Configure the App Registration

After the storage account was created, I had to:

  • Grant Admin Consent for the API permissions associated with the Storage Account App Registration.
  • Modify the application manifest and add "kdc_enable_cloud_group_sids" to the "tags" array (around line 28 of the manifest).

Without this tag, Entra Kerberos authentication did not function correctly in my environment.
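The manifest edit above can also be done, and more importantly verified, from Microsoft Graph PowerShell. The following script is an added example and is not part of the original post or of Nerdio's tooling. It assumes the Microsoft.Graph.Applications module is installed, that the signed-in account holds Application.ReadWrite.All, and that the app registration still carries the default display name "[Storage Account] <resource-group>.<storage-account>.file.core.windows.net"; the parameter name and helper logic are this example's own. Admin consent for the API permissions (the first bullet) still has to be granted separately.

```powershell
# Added example (not from the original post): verify, and if missing add, the
# kdc_enable_cloud_group_sids tag on the storage account's app registration
# using Microsoft Graph PowerShell instead of hand-editing the manifest.
# Assumptions: Microsoft.Graph.Applications is installed, the caller has
# Application.ReadWrite.All, and the app keeps its default display name
# "[Storage Account] <rg>.<storageaccount>.file.core.windows.net".
param(
    [Parameter(Mandatory)] [string] $StorageAccountName   # assumed parameter
)

$requiredTag = 'kdc_enable_cloud_group_sids'
$suffix      = "$StorageAccountName.file.core.windows.net"

Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome

# Locate the registration by its default naming pattern rather than by a
# hard-coded object id, so the script works across tenants.
$app = Get-MgApplication -All | Where-Object {
    $_.DisplayName.StartsWith('[Storage Account]') -and $_.DisplayName.EndsWith($suffix)
}

if (-not $app) {
    throw "No app registration found for $suffix; was the storage account created with Entra ID auth?"
}
if (@($app).Count -gt 1) {
    throw "More than one app registration matches $suffix; refine the filter before changing tags."
}

if ($app.Tags -contains $requiredTag) {
    Write-Host "Tag '$requiredTag' is already present on '$($app.DisplayName)'."
} else {
    # Keep any existing tags; drop null entries that an empty Tags property yields.
    $newTags = @($app.Tags | Where-Object { $_ }) + $requiredTag
    Update-MgApplication -ApplicationId $app.Id -Tags $newTags
    Write-Host "Added tag '$requiredTag' to '$($app.DisplayName)'."
}
```

Run it once after the storage account has been created from Nerdio; a second run reports the tag as already present, which makes it safe to keep in a deployment pipeline as a drift check.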

3. Assign the required permissions

Make sure users or groups have the appropriate Azure Files SMB permissions (Storage File Data SMB Share Contributor or Storage File Data SMB Share Elevated Contributor, as required) and that your NTFS permissions are configured correctly. To set the NTFS permissions, use Manage Access in the Azure portal, inside the Browse window of the SMB (classic) file share.
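The share-level RBAC assignment from this step can be scripted with Az PowerShell so that it is reproducible and scoped no wider than the single FSLogix share. This is an added example, not code from the original post or from Nerdio; it assumes Az.Accounts and Az.Resources are installed, that the caller can create role assignments at that scope, and that the target Entra group already exists. The parameter names are this example's own; the two role names are the ones named above.

```powershell
# Added example (not from the original post): idempotently assign one of the
# Azure Files SMB data roles to an Entra group at file-share scope with Az.
# Assumptions: Az.Accounts and Az.Resources are installed and the caller is
# allowed to write role assignments on the share.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $ResourceGroup,
    [Parameter(Mandatory)] [string] $StorageAccountName,
    [Parameter(Mandatory)] [string] $ShareName,
    [Parameter(Mandatory)] [string] $GroupObjectId,
    [ValidateSet('Storage File Data SMB Share Contributor',
                 'Storage File Data SMB Share Elevated Contributor')]
    [string] $RoleName = 'Storage File Data SMB Share Contributor'
)

Connect-AzAccount -Subscription $SubscriptionId | Out-Null

# Scope the assignment to the individual share rather than the whole storage
# account, so profile users get no rights on other shares on the same account.
$scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
         "/providers/Microsoft.Storage/storageAccounts/$StorageAccountName" +
         "/fileServices/default/fileshares/$ShareName"

$existing = Get-AzRoleAssignment -ObjectId $GroupObjectId -Scope $scope -RoleDefinitionName $RoleName

if ($existing) {
    Write-Host "Role '$RoleName' already assigned to group $GroupObjectId at $scope"
} else {
    New-AzRoleAssignment -ObjectId $GroupObjectId -RoleDefinitionName $RoleName -Scope $scope | Out-Null
    Write-Host "Assigned '$RoleName' to group $GroupObjectId at $scope"
}
```

Use the plain Contributor role for the profile users themselves; reserve Elevated Contributor for the admin group that needs to change NTFS ACLs, since it also grants permission to modify Windows ACLs on the share.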

4. Configure the AVD session hosts

I created a Nerdio Scripted Action that runs only after the VM has successfully joined the AVD host pool by selecting:

"These scripted actions will run after VM is joined to AVD host pool"

The Scripted Action applies the required registry settings for Entra Kerberos and credential key loading:

# Suppress non-terminating errors; the action always exits 0 below, so verify the values separately.
$ErrorActionPreference = 'SilentlyContinue'

# Allow the Kerberos client to request tickets from the Entra (cloud) KDC.
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" -Force | Out-Null
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" -Name "CloudKerberosTicketRetrievalEnabled" -PropertyType DWord -Value 1 -Force | Out-Null

# Load the credential key from the user profile so the Entra-joined host can obtain the ticket at sign-in.
New-Item -Path "HKLM:\Software\Policies\Microsoft\AzureADAccount" -Force | Out-Null
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\AzureADAccount" -Name "LoadCredKeyFromProfile" -PropertyType DWord -Value 1 -Force | Out-Null

exit 0
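Because the scripted action above swallows errors and always exits 0, it is worth having a separate check that runs on a session host in the context of a signed-in user and confirms both the registry state and that a Kerberos service ticket for the file endpoint can actually be obtained. The following script is an added example, not part of the original post or of Nerdio; it assumes the storage account name is passed in, that klist.exe is present (it ships with Windows), and that TCP 445 egress to Azure Files is allowed. The parameter name and the pass/fail reporting are this example's own.

```powershell
# Added example (not from the original post): verify on a session host that the
# Entra Kerberos registry settings are in place and that the signed-in user can
# get a ticket for the Azure Files SMB endpoint. Run as the user, not as SYSTEM.
# Assumptions: klist.exe is available and SMB egress on TCP 445 is permitted.
param(
    [Parameter(Mandatory)] [string] $StorageAccountName   # assumed parameter
)

$endpoint = "$StorageAccountName.file.core.windows.net"
$checks   = [ordered]@{}

# 1. The two registry values the scripted action writes.
$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$aadPolicy  = 'HKLM:\Software\Policies\Microsoft\AzureADAccount'
$checks['CloudKerberosTicketRetrievalEnabled'] =
    (Get-ItemProperty -Path $kerbParams -ErrorAction SilentlyContinue).CloudKerberosTicketRetrievalEnabled -eq 1
$checks['LoadCredKeyFromProfile'] =
    (Get-ItemProperty -Path $aadPolicy -ErrorAction SilentlyContinue).LoadCredKeyFromProfile -eq 1

# 2. Network reachability of the SMB endpoint; a blocked 445 looks like an auth failure to FSLogix.
$checks['TCP445Reachable'] =
    (Test-NetConnection -ComputerName $endpoint -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded

# 3. Can the logged-on user obtain a service ticket for cifs/<endpoint> from the cloud KDC?
#    Assumption: klist returns a non-zero exit code and prints no "cifs/" server line on failure.
$klistText = (& klist.exe get "cifs/$endpoint" 2>&1 | Out-String)
$checks['KerberosTicketForCifs'] = ($LASTEXITCODE -eq 0) -and ($klistText -match "cifs/$endpoint")

# Report each check on its own line so a failing item is easy to spot in Nerdio's script output.
$checks.GetEnumerator() | ForEach-Object {
    $status = if ($_.Value) { 'PASS' } else { 'FAIL' }
    Write-Host ("{0,-36} {1}" -f $_.Key, $status)
}

# Unlike the deployment action, fail loudly so a broken host is not silently put into service.
if ($checks.Values -contains $false) { exit 1 } else { exit 0 }
```

If the registry checks pass but the ticket check fails, the usual suspects are the missing kdc_enable_cloud_group_sids tag or missing admin consent on the app registration from step 2, or a Conditional Access policy requiring MFA for the storage account's Enterprise Application (step 5).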

5. Conditional Access consideration

If you're enforcing MFA through Conditional Access, don't forget to exclude the Enterprise Application created for the Storage Account from policies that require MFA. Otherwise SMB authentication to Azure Files may fail. In my case this was not necessary.

After completing the above steps and rebooting the session hosts, FSLogix profile containers mounted successfully using Microsoft Entra Kerberos authentication without requiring hybrid join or traditional AD DS integration.

Hopefully this helps someone else avoid a few hours of troubleshooting.


Final thoughts: Remember to use a matching FSLogix profile configuration in Nerdio without enabling the AccessNetworkAsComputerObject option.

Has anyone implemented this at scale with Cloud Kerberos Trust and Entra-only AVD?
