AZ-140 Configuring and Operating Windows Virtual Desktop on Microsoft Azure Topic: Implement & Manage Storage for Azure Virtual Desktop
December 16, 2022

1. Create Storage Account

Let’s create the storage account so we can then create the file share to be used with the FSLogix technology for the user profile container. I will go to Create a resource, look for Storage account, and click on Create. I will select a resource group. I have one, the Profiles resource group, which I have already created. Then the storage account name: I need to give it a name, and the name needs to be globally unique. So I have this name, which I hope is available: WVD Storage plus a number to make sure it is unique. The region or location you select, where the account will be located, must be aligned with where your domain controller is and where you want to deploy the WVD resources, so you get the best performance and the best results. For me it is going to be East US, which is the one I’m using. You can select between Standard and Premium, but be careful if you go with Premium at the time of this lecture, because it only supports page blobs, not file shares.

So let’s stick with Standard. I will keep it general purpose, and I will go with locally redundant storage because it is the cheapest, and since this is a demonstration, I will go with it. You can then go through Networking, Data protection, and Advanced. You have different options there: whether you want it publicly accessible, what kind of encryption you would like to have, and so on. Under Advanced you can also require secure transfer and enable infrastructure encryption. I will keep everything on the defaults, click Review and Create, and wait for the validation to pass. The validation has passed, I have the green highlight here telling me that everything is okay, and I click Create to create the storage account.

Once the storage account is created, I will modify one of its properties, and then we can go to the Azure file share creation. I will pause the video while we wait for the storage account to be created so we can continue. You can see that the deployment is taking place at the moment. So the storage account has been created successfully. I can go to the resource, and this is the storage account we have created. I would like to go to Configuration and disable Secure transfer required for the sake of the demonstration, to make everything simpler for us so it will not impose any requirements at a later stage. So just for the demonstration, if you are following along with me, you can go and disable this one and click Save. Leave it enabled outside a lab: it is the setting that forces HTTPS on the REST endpoint and encrypted SMB on the file shares. Now we have the storage account ready, and we can move on to the next lecture to create the Azure file share.

2. Create Azure file share

Now let’s create the file share. I’ll go to my Profiles resource group, where I have the storage account, and this is the storage account. If you scroll down, you can see File shares. I will click on “Add File Share.” You can notice something here. It says “Active Directory: Not configured.” Also, before I create the file share, let me go back to the storage account and go to Configuration. It shows here that identity-based access for file shares with Azure Active Directory Domain Services is not enabled, and the same for this one.

So the authentication with the domain controller is also not enabled. This is something to keep in mind, because we will do that later and then come back to verify. So, return to the file share creation and add a new file share. I will need to give it a name, so let’s call it the WVD file share and give it a number, and I will give it a quota of 30 GB because it’s just for testing, not for production, and 30 GB is more than enough. I will keep it on Transaction optimized and click Create. By doing this we are creating our file share to be used, and it has already been created. So this is the file share. So right now we have the storage account and the file share created. We can mount this file share by going to Connect and copy-pasting the script. For now I will keep it and move on to the next lecture.

3. Install the AzFilesHybrid Module

So now that we have the storage account and the Azure file share ready, we need to enable Active Directory authentication for the storage account. For that we will need to do the process from a domain-joined machine, and we will do it using our domain controller. So let’s go to the domain controller. This is the domain controller machine. I will use PowerShell so I can domain-join the Azure storage account to this domain. I will run it as an administrator, and for that I will need to install this PowerShell module. So you click on this link; I will have it in the Resources section of this lecture. You can also visit this website, which is for the module called AzFilesHybrid.

I will download this one and go to the folder. Right now I have it in my Downloads. Let me extract the files. So I will add it to this path here, and now we are good to go. I have the files I need to import this PowerShell module, and I will go to my PowerShell session so I can start the process. First, I will need to configure the PowerShell execution policy. I will also make sure to include the commands I’m going to use for you, so you can use them if you want to do this yourself. So, no need to take note of everything I’m typing here; I will give you all of the commands in the Resources section of this lecture. Just make sure to go to the Resources section, and you can see the link and the commands there.

So I will go with the installation for now. First I will move to the location: I will use the cd command and go to the place where I have downloaded and extracted the files needed to import this PowerShell module. Before I continue, it is recommended that I make sure I have the Az PowerShell module, which is the one used to manage Azure from PowerShell. I also have a script that I will include for you that checks whether this module is installed, and if not, installs it for me. So let’s run this command as well. This one may take some time because it’s going to check whether the module is there, and if it’s not, it’s going to install it for you.

So I will pause the video and come back once it’s done. The process has been completed; it took about five minutes. Right now I’m going to run the script which I have in this folder, this one. I will use this command, which will run the PowerShell script. Okay, yes, I want to run it once. The last step is to import the module. If you are familiar with this command, Import-Module, I specify the module name, and yes, I want to run this. Okay. It’s downloading the necessary files, and it’ll be finished soon. So it’s done, and now we are good to go. Basically, in this lecture we have installed the module required for us to use the command that enables Active Directory authentication for our storage account in the later lectures.

4. Enable Active Directory Authentication for the Storage Account

In this lecture, we will use the PowerShell command to enable Active Directory authentication for our storage account. There are some prerequisites for this task. The first is to make sure we use a domain-joined computer; we are using the domain controller itself, as we did in the previous lecture. The command that we will execute requires us to be logged in using a user account, and this account has some requirements as well. First, it needs to be synchronised with Azure AD. So the user must exist on the domain controller and have been synchronised with our Azure Active Directory. The user must have the permissions to create user or computer objects in Active Directory, so it must be a domain administrator on the domain controller as well.

And it must have Owner or Contributor rights on the storage account and the resource group where the storage account exists. So this is the domain controller machine; if I go to my machine and just go to my users, and if you remember from the previous lectures, we created this user, WVD admin, and gave him a specific kind of permission. He is a domain admin already, so this fulfils one of the requirements. This user has also been synchronized with our Azure AD, as we have seen in the previous lectures. So now we just need to make sure that this user has the Owner or Contributor role in our Azure subscription. This is the Profiles resource group where I have the storage account. If I go to the resource group from the resource group list, then to Access control (IAM), and then to Role assignments, I can see that the WVD admin user is there with the Owner role. So we are okay; we have fulfilled the requirements for the user account. Now we can go and start the process and use the commands. So let me minimize this.

Let’s go back to our PowerShell session. You will need to use the command Connect-AzAccount so you can log in using the user that fulfils the requirements, which for me is the WVD admin. I’m already logged in as that user; I only wanted to show you the Connect-AzAccount command. And now we will continue with our process. After you’ve logged in, you need to select the target Azure subscription you’re going to work with. I already have the ID saved in the variable subscription ID, so I’m going to select my Azure subscription, and it was selected for me. Then I need to register the storage account with the Active Directory domain. This is actually the command that we wanted to execute from the beginning, and this is why we have installed the AzFilesHybrid module. So this is the command, Join-AzStorageAccountForAuth, and you specify the resource group name, which I have also already saved in a variable. The resource group name I’m using is the Profiles resource group, where my Azure storage account is.

So I will run it, and it asks me for the storage account name. Let me paste it. This is the storage account we have created. If we go to our Azure Portal, just to show you the name: this is the resource group, which I have saved in the variable, and here we find the storage account. So this is the storage account name, WVD storage and the number. Returning to the previous screen, you will notice that I have specified the storage account name here and pressed Enter, and now it will go ahead and enable Active Directory authentication for that specific storage account. Let’s give it some time, and I will continue the video once it’s done. The process has been completed, and we can see that it gives us an indication here about the storage account. Now, to make sure that the process was done properly, you can go to Active Directory Users and Computers and then click on Domain Controllers, and this is it: this is the storage account name. So the process was completed correctly, we have enabled Active Directory authentication for our storage account, and we are now ready to proceed to the next lectures.

5. Verify Azure Storage account Registration with Active Directory domain

There are different ways to verify that the Active Directory authentication of the storage account has been set up successfully. One of them is to go to Active Directory Users and Computers and then to Domain Controllers, and you shall see the storage account name there. The second way uses PowerShell. You use three commands: you basically have a variable and get the storage account information into that variable. So it is Get-AzStorageAccount, and you give it the resource group name and the storage account name, which I have in variables already. Then you read some properties of the storage account object.

I will not go into much detail about the commands themselves; I will provide them in the Resources section of this lecture. Once you press Enter, the directory properties of your storage account are displayed. As you can see, it says kellyclouds.local. So everything is great and working as we expect, because in the properties here we see Directory service options, and then the Active Directory properties for the storage account. Another method of verifying, which is also interesting, is to go to the Azure Portal and select the storage account. This is the Profiles resource group I have created for the storage account, and this is our storage account. If I go to Configuration and scroll down, I can see that Active Directory authentication is now enabled, with kellyclouds.local as the joined domain. So this is the third option for you to verify.
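The install, join and verify steps from lectures 3 to 5 as one PowerShell script, added here as an example; it is not the lecture’s Resources script. The resource group name comes from the lecture; the storage account name, subscription ID and module folder are assumptions, and CopyToPSPath.ps1 is the script shipped inside the AzFilesHybrid download.

```powershell
# Added example, not the lecture's own script: AzFilesHybrid install, domain join of the
# storage account and verification, run in an elevated PowerShell session on the
# domain controller (a domain-joined machine) as the synced domain admin.
$ResourceGroupName  = "Profiles"                                   # from the lecture
$StorageAccountName = "wvdstorage123"                              # assumed; yours ends in your own number
$ModuleFolder       = "$env:USERPROFILE\Downloads\AzFilesHybrid"   # assumed extract path
$SubscriptionId     = "00000000-0000-0000-0000-000000000000"       # placeholder

# 1. Execution policy: scoped to the current user so the machine-wide policy is untouched.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser -Force

# 2. The Az module is required by AzFilesHybrid; install it only if it is missing.
if (-not (Get-Module -ListAvailable -Name Az.Storage)) {
    Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
}

# 3. Copy the module into the PowerShell module path and import it.
Set-Location -Path $ModuleFolder
.\CopyToPSPath.ps1                # script shipped inside the AzFilesHybrid zip
Import-Module -Name AzFilesHybrid

# 4. Sign in with the account that is a domain admin, synced to Azure AD and
#    Owner/Contributor on the resource group, then pin the subscription.
Connect-AzAccount
Select-AzSubscription -SubscriptionId $SubscriptionId

# 5. Register the storage account in the domain as a computer account.
Join-AzStorageAccountForAuth `
    -ResourceGroupName  $ResourceGroupName `
    -StorageAccountName $StorageAccountName `
    -DomainAccountType  "ComputerAccount"

# 6. Verify from the storage account object: DirectoryServiceOptions should be "AD"
#    and ActiveDirectoryProperties should name the joined domain.
$sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$sa.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
$sa.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties

# 7. The computer object should now exist in the domain as well
#    (Get-ADComputer comes with the ActiveDirectory module present on a DC).
Get-ADComputer -Identity $StorageAccountName | Select-Object Name, DistinguishedName
```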

6. Azure built-in roles for File Share permissions

So we have created the storage account and the Azure file share, and we have enabled Active Directory authentication for the storage account. Now it’s time to move on to configuring the file share permissions. If you notice, the last three steps of our plan are each related to permissions. The first of them is the file share permissions, which should be done through the Azure Portal using the built-in roles provided by Microsoft Azure. The fourth and fifth, which are NTFS permissions, are to be done on our domain controller side, as I’m going to show you in the respective lectures. Now, before I go to step 3, configuring the file share permissions, I need to explain the roles we have from Microsoft for the file share.

If you’re familiar with Azure role-based access control, with roles such as Owner, Contributor, and so on, these are roles defined by Microsoft, and you can use them to give access to users or groups based on what the role allows. There are three built-in Azure roles for granting share-level permissions to users and groups. The first one is Storage File Data SMB Share Reader. It allows read access to the Azure storage file share, so any user or group assigned this role will have read access to the Azure storage file share. The second is Storage File Data SMB Share Contributor, which allows read, write, and delete access over the Azure storage file share. The last one is Storage File Data SMB Share Elevated Contributor. As the name implies, it allows read, write, delete, and modifying the NTFS permissions in the Azure storage file share.

So basically we’re going to need the Contributor and the Elevated Contributor. The Contributor is going to be used for our WVD users, the end users of our company. In our example, the people who need to access their Windows 10 machines will need this Contributor role so they can actually have their own user profiles saved to the file share that we have created. This is the whole purpose of this section: creating a file share to be used by FSLogix, a technology that creates disks for the user profiles of our users, so we must grant them Contributor access. The Elevated Contributor is going to be the domain administrator, the WVD admin, so we can set the NTFS permissions whenever needed. The Reader role is not really needed in this project demonstration, but I wanted to explain it anyway. In the next lecture we will be creating three groups on our domain controller machine, and then we can go to the Azure Portal and assign them the proper built-in roles from Microsoft. So for the Storage File Data SMB Share Reader, I will create a group called Profiles FS Reader, the same for Contributor, and the same for Elevated Contributor. So I’m going to create the Profiles FS Reader group, the FS Contributor group, and the FS Elevated Contributor group right now.

7. Configure File Share Permissions

Let’s go and configure the file share permissions. As explained in the previous lecture, I will create two groups right now. One of them is called Profiles Contributor, so I can then assign it the Azure built-in role Storage File Data SMB Share Contributor in the Azure Portal, and the same for the Elevated Contributor, so I can assign it that built-in role. The first group I will assign to all of my WVD users, and the second one only to the WVD admin user. So first, let’s go to the domain controller and create the groups. I’m going to open Active Directory Users and Computers from Tools here, and I will create a new group. For the name, let’s just copy and paste it so we can stick to the plan. So this is the first group; it has been created.

Let’s now create the second group. This is the second group. I haven’t created one for the Reader role because I will not use it, as I explained, in this project. However, if you want to use the Reader role, you can create a group here and then assign it to the Reader role. For now we have created the groups; let’s add users to them. For the Profiles Contributor group, I will add all the WVD users. So, these are the users. I have already added them to a group called “WVD users,” so if I scroll down here, this is the WVD users group, and I can add it to the Contributor group. Okay, good. Now I need to add my WVD admin to the other group. So this is the one to add to a group: let’s copy and paste it here, check the name, all good. Up to this point, we have created these two groups on our domain controller, and the groups contain the members I want. This one has been assigned to all of the users so they can be contributors on the Azure file share, and this one has been assigned to the WVD admin user so he can be an elevated contributor and control the NTFS permissions.

Now I will give it some time so the groups I have created can be synchronised to Azure AD. Once they are synchronized, I will come back to this video and assign the Azure roles on the file share. So we will see how to actually assign the roles to these groups over the file share in the Azure Portal. I will pause the video right now and come back soon. The groups should now be synchronised to Azure AD. So let’s continue our task and go to the Azure Portal. Let’s go to the resource groups. What I want to do right now is go to the file share I have created. So this is the storage account, and I will go to File shares, select the one I have created, and then from Access control (IAM) I can add the role assignment. So you click on “Add role assignment.” Now, which role, and who will be assigned to it? If we go back to the text file that I have made as a reference for us, for this group I will need to assign this role. So let’s search for this role.

I go back here and search for it, and this is it. Let’s assign it to this group, which contains all of the WVD users. So, from now on, this group, which includes all of our WVD users, will have access to this file share; and save. I will do the same for the second group. Let’s go back to our file, copy the role, and do another role assignment. And there you have it. As for the group name, here is the group name, and that should be it. So this is the group, we assigned it the role and saved it. By doing this last step, we have actually configured the file share permissions for our Azure file share.
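The two share-level role assignments from this lecture done with the Az PowerShell module instead of the portal, as an added example; these are not the lecture’s own commands. The subscription ID, storage account name and share name are placeholders, and the Azure AD group display names are assumed to match the groups synced from the domain.

```powershell
# Added example, not the lecture's own commands: assign the two share-level built-in
# roles to the synced domain groups, scoped to the single file share (needs Connect-AzAccount).
$SubscriptionId     = "00000000-0000-0000-0000-000000000000"   # placeholder
$ResourceGroupName  = "Profiles"                               # from the lecture
$StorageAccountName = "wvdstorage123"                          # assumed
$FileShareName      = "wvdfileshare123"                        # assumed

# Scope of one file share, not the whole storage account or resource group:
# this is what keeps the assignment at least privilege.
$ShareScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
              "/providers/Microsoft.Storage/storageAccounts/$StorageAccountName" +
              "/fileServices/default/fileshares/$FileShareName"

# Azure AD group display name (assumed, as synced from the domain) -> built-in role.
$Assignments = @{
    "Profiles FS Contributor"          = "Storage File Data SMB Share Contributor"
    "Profiles FS Elevated Contributor" = "Storage File Data SMB Share Elevated Contributor"
}

foreach ($GroupName in $Assignments.Keys) {
    $RoleName = $Assignments[$GroupName]
    $Group    = Get-AzADGroup -DisplayName $GroupName
    if (-not $Group) {
        throw "Group '$GroupName' not found in Azure AD; has it been synced from the domain yet?"
    }
    # Skip assignments that already exist so the script is safe to re-run.
    $Existing = Get-AzRoleAssignment -ObjectId $Group.Id -Scope $ShareScope -RoleDefinitionName $RoleName
    if (-not $Existing) {
        New-AzRoleAssignment -ObjectId $Group.Id -RoleDefinitionName $RoleName -Scope $ShareScope
    }
}

# Review what is now granted on the share; anything beyond these two groups is a finding.
Get-AzRoleAssignment -Scope $ShareScope | Select-Object DisplayName, RoleDefinitionName, Scope
```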

8. Configure NTFS permissions for the file share

So right now we have reached step four in our project for the FSLogix container with the Azure file share setup. So what do we need to do at this moment? Configure NTFS permissions for the file share. In the previous lectures, we configured the file share permissions on the Azure file share in the Azure Portal, using domain groups mapped to the three built-in roles from Microsoft Azure. Now we need to configure NTFS permissions for more granular security, down to the file level. For that, we first need to mount the file share on our domain controller machine so we can control the NTFS permissions.

So let’s go back to our project. I will go to the domain controller machine and use the command prompt. I will use the command net use Z:, where Z is the drive letter I want to give to the mounted share, followed by the UNC path of the file share, and the user is also the storage account. So this is how it looks: \\<storage account name>.file.core.windows.net\<file share name>, then /user:Azure\<storage account name>. You can see this is the storage account name here, and this is the storage account name here, which is where I got this structure to mount the file share. Actually, let me show you. You can just go to the Azure Portal. Let’s go to this resource group, where I have the storage account, and this is the storage account where I have the file share. If I go to File shares, this is my file share, the one I want to mount on the domain controller. If I go to Properties, you will see the link or the URL for it.

But this is not the one you can use to mount it. To do that, go back to Overview and click on Connect, and you can get different scripts to mount this file share. This is where you get it. You can see this is the one I’m using: it has the storage account name, and then it has the file share name. You can just copy-paste it, go to the domain controller, and use this net use command. You give it a drive letter and this user, which is the storage account name, and press Enter. Now it asks me for the password. So what is going to be the password for the storage account? It is the access key, which I obtain from the Azure Portal. So let’s go back to the Azure Portal; we need the access key for the storage account. Now, this is the storage account, and this is the file share. Let me go back once again.

So this is the storage account. Yes, as we can see, the storage account, and go to Settings, then Access keys. There are two keys, key1 and key2. key1 is used by default, so let me just copy it. Then let’s go back and paste it. The password will not appear in the command prompt after you paste it. So, now that I’ve pasted it, I press Enter, and the command runs successfully. As you can see, the command was completed successfully. Now let’s go and add the groups. So let’s go to This PC, and this is the mounted file share. I click Properties, Security, then Advanced, and I add the groups I have created earlier. Let me add the other one; the other group was Elevated Contributor. So that’s it, and OK. Let me also add all of the WVD users, so if I go to WVD, I add this group with the same permissions, OK, and Apply, and we’re done. So what we have done in this lecture is set the NTFS permissions on the file share, and for that we used our domain controller. Right now we have the permissions set at the file share level in the Azure Portal using the built-in roles of Azure, and now we have set the NTFS permissions at the container level. In the next lecture, we will create the profiles folder that will be used by the FSLogix technology so the users can save their user profiles. Once we create the profiles folder inside this file share, we will also set up the NTFS permissions for that folder.

9. Create FSLogix Containers & Configure NTFS permissions

We have reached the final step in this section, which is creating the FSLogix containers and configuring the NTFS permissions. So what we’re going to do right now is go to the domain controller, and in the mounted file share we have, we will create three folders. These folders are required for the FSLogix technology’s structure. So the three folders are: the first one is for the profiles, so we will call it “Profiles.” The second one is for the Office applications, and it is called ODFC. And the third one is for MSIX, which is a technology used for application masking. So let’s create the third folder. These are the folders; this is the structure that we shall have.

This is the one we will mainly focus on, which is going to be used for the users’ profiles. Now we need to set up the NTFS permissions for each one of them. It’s pretty much the same security process for each. So let’s go ahead; this is just administration: Properties, Security, Advanced. I’ll disable inheritance and remove the inherited permissions entirely. Then I will add the Elevated Contributor to each one of these folders. Let’s give it some time. I will look for “Elevated Contributor,” a group I have created before. Okay, I’ll give it Full control over this one, and I’ll also add CREATOR OWNER, also with Full control. The last thing I’m going to do is add the WVD users. So I’ll go here again, WVD, and select the group. I add this permission, Apply, and we are done. Now we’re going to do the same for the other folder: Security, Advanced, disable inheritance and remove the inherited permissions, then Add. Select a principal, and I will repeat the same steps. Okay. CREATOR OWNER with Full control. Okay. And the WVD users. Okay. Apply, and OK.

Then for the third folder it’s just as I told you, the same administrative tasks. I’m just showing you this so that, in case you need it, you can try it yourself. But if you are more interested in the theory, then you can just take a look and go on to the other sections. So let’s disable inheritance. The Elevated Contributor, okay, let’s give it Full control. Okay. The WVD users, and I am finished. So that’s it. We have set the NTFS permissions for each of the folders. These are the three folders required by the FSLogix technology to operate properly. Now that we have done this, we are ready to set up our custom image. The custom image that we will create can use the FSLogix technology because we have prepared everything for it: we have the containers and the file share in Azure. Everything is set and ready to use. So just use FSLogix; this is something I will show you in the coming sections.
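The mount and NTFS steps from lectures 8 and 9 as one PowerShell script, added as an example; these are not the lecture’s own commands. Resource names, the NetBIOS domain name and the group names are assumptions, and because the lecture does not spell out the permission level given to the users group, the script uses the level FSLogix documents for it (Modify on the folder only, so a user can create their own container folder but not open another user’s), which is my assumption rather than the lecture’s choice.

```powershell
# Added example, not the lecture's own commands: mount the share on the domain controller,
# create the three FSLogix folders and set NTFS permissions with icacls. Names are assumed.
$ResourceGroupName  = "Profiles"                                   # from the lecture
$StorageAccountName = "wvdstorage123"                              # assumed
$FileShareName      = "wvdfileshare123"                            # assumed
$Domain             = "KELLYCLOUDS"                                # assumed NetBIOS name of the lab domain
$ElevatedGroup      = "$Domain\Profiles FS Elevated Contributor"   # assumed group name
$UsersGroup         = "$Domain\WVD Users"                          # assumed group name

# The account key is the storage account's root credential: fetch it at run time
# (needs Connect-AzAccount) instead of pasting it into a script, and rotate it when done.
$Key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName)[0].Value

# Same mapping as the lecture's "net use Z:", with the key supplied as the password.
$Unc  = "\\$StorageAccountName.file.core.windows.net\$FileShareName"
$User = "Azure\$StorageAccountName"
net use Z: $Unc /user:$User $Key
if ($LASTEXITCODE -ne 0) { throw "Mounting $Unc failed" }

# Share root (lecture 8): drop inherited entries; the elevated group gets Full control,
# users get only what they need to traverse into the folders below.
icacls Z:\ /inheritance:r
icacls Z:\ /grant "${ElevatedGroup}:(OI)(CI)F" "${UsersGroup}:(OI)(CI)RX"

# The three FSLogix folders (lecture 9), each with its own explicit ACL.
foreach ($Folder in "Profiles", "ODFC", "MSIX") {
    $Path = Join-Path -Path "Z:\" -ChildPath $Folder
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    icacls $Path /inheritance:r
    # (OI)(CI)F     elevated group: Full control on this folder, subfolders and files
    # (OI)(CI)(IO)F CREATOR OWNER: Full control on subfolders and files only, so each user
    #               ends up owning the container folder FSLogix creates for them
    # (M)           users: Modify on this folder only (FSLogix guidance, assumed here), so a
    #               user can create their own subfolder but cannot open other users' containers
    icacls $Path /grant "${ElevatedGroup}:(OI)(CI)F" "CREATOR OWNER:(OI)(CI)(IO)F" "${UsersGroup}:(M)"
}

# Show the resulting ACL on the profiles folder for review.
icacls Z:\Profiles
```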

10. *NEW* – Migrate local profiles into Azure Storage

In the event that your company has some user profiles on premises, you would need to migrate those profiles to Azure to be able to use them with Azure Virtual Desktop. You can migrate files from local file shares into Azure Storage by using a service called Azure File Sync. Azure File Sync is used to centralise an organization’s file shares in Azure Files. Using this service, you can migrate and synchronise your users’ FSLogix profile virtual disks into Azure Storage for use with Azure Virtual Desktop. The process of migrating files from your on-premises system using Azure File Sync is as follows. First, evaluate your on-premises system: Azure File Sync is compatible with Windows Server 2012 R2 or later. Then you will need to create the needed Azure resources.

You will need a storage account to contain the file share, a Storage Sync Service, and a sync group. Once this is done, you will need to install the Azure File Sync agent. The agent is installed on each file server that is taking part in the replication to the Storage Sync Service, so it is installed on your on-premises servers. After that, you will need to register the Windows Server computer with the Storage Sync Service: after installing the sync agent in the previous step, you are prompted to register the server with the Storage Sync Service. The final step is to create the server endpoint. After the server is registered, you add it as an endpoint to the sync group.
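The resource-creation, registration and endpoint steps above in PowerShell with the Az.StorageSync cmdlets, added as an example; they are not from the lecture. Resource names and the local path are assumptions, and the agent itself is an installer you run on the file server before the registration step.

```powershell
# Added example, not the lecture's own commands: the Azure File Sync steps listed above.
# The cloud-side part runs from any machine signed in to Azure; the registration and
# server endpoint part runs ON the on-premises file server after the agent is installed.
$ResourceGroupName  = "Profiles"               # from the lecture
$Location           = "eastus"                 # same region as the storage account
$StorageAccountName = "wvdstorage123"          # assumed
$FileShareName      = "wvdfileshare123"        # assumed
$SyncServiceName    = "ProfilesSyncService"    # assumed
$SyncGroupName      = "ProfilesSyncGroup"      # assumed
$LocalProfilesPath  = "D:\FSLogixProfiles"     # assumed folder on the on-premises server

Connect-AzAccount

# Step 2: the Storage Sync Service and the sync group.
$Svc   = New-AzStorageSyncService -ResourceGroupName $ResourceGroupName -Name $SyncServiceName -Location $Location
$Group = New-AzStorageSyncGroup -ParentObject $Svc -Name $SyncGroupName

# The cloud endpoint is the Azure file share that will hold the profiles.
$Sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
New-AzStorageSyncCloudEndpoint -ParentObject $Group -Name "ProfilesCloudEndpoint" `
    -StorageAccountResourceId $Sa.Id -AzureFileShareName $FileShareName

# Steps 3 and 4, on the file server (Windows Server 2012 R2 or later) with the agent installed:
# register this server with the Storage Sync Service.
$Server = Register-AzStorageSyncServer -ResourceGroupName $ResourceGroupName -StorageSyncServiceName $SyncServiceName

# Step 5: the server endpoint, i.e. the local folder that syncs into the share.
# Run the initial sync while no user session has the profile VHDs open; an open
# container is locked and will not sync until it is released.
New-AzStorageSyncServerEndpoint -ParentObject $Group -Name "ProfilesServerEndpoint" `
    -ServerResourceId $Server.ResourceId -ServerLocalPath $LocalProfilesPath
```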
