Let us learn how to create and configure Azure files to use Microsoft Entra Kerberos authentication.
This configuration allows you to store FSLogix profiles that can be accessed by hybrid user identities from Microsoft Entra joined or Microsoft Entra hybrid joined session hosts without requiring network line-of-sight to domain controllers. Microsoft Entra Kerberos enables Microsoft Entra ID to issue the necessary Kerberos tickets to access the file share with the industry-standard SMB protocol.
The below diagram gives a logical representation of the AVD infrastructure leveraging Entra ID.
Key Considerations
Make sure your user identities are hybrid identities and not cloud only accounts.
OS Should be Windows 10 Enterprise Single/Multi session 2004 or later.
Windows 11 Enterprise Single/Multi session
Windows Server 2022
Configure AAD join for Azure Files
The first step is to enable identity based access to your file share.
Create a standard or Premium azure files.
Navigate to the newly created storage account-->File share.
Click on Configure in the identity based access under file share settings.
In the Identity based access configuration window, click on setup under "Microsoft entra Kerberos".
Tick the box next to Microsoft Entra Kerberos to enable the entra based authentication.
Alternatively you can configure the on-premise domain name and GUID for configuring the directory and file level (NTFS) permissions.
Set Share level permissions
The next step is to configure share level permissions from the same file share settings windows. To Configure Storage File data SMB share reader permissions to specific users, an administrator need to leverage the azure RBAC roles.
To configure the read only access to all authenticated users, toggle to the "Storage File Data SMB Share Reader" option as shown in the below screenshot.
Configure NTFS Permissions
Inoder to configure NTFS Permissions, connect to the storage account from a domain joined machine using storage key.
Configure the security permissions as per the Microsoft recommendation for FSLogix file shares.
Configure Intune policies for Session Host
The next step is to configure the Intune policy to Allow retrieving the cloud kerberos ticket during the logon using OMA settings.
- Configure the below Intune Policy CSP and apply it to the session host: Kerberos/CloudKerberosTicketRetrievalEnabled. Navigate to Intune portal-->Devices-->configuration profiles. Click on New policy.
In the new policy settings screen, select the OS as windows 10 and above.Select the profile type as templates. Select custom from the drop down menu.
Provide a name for the policy and click next. Under the configuration settings, click on Add
The OMA URI can be find from the "Kerberos/CloudKerberosTicketRetrievalEnabled" policy settings URL given above.
Provide a name, OMA URI path,data type as Integer and value as 1.
Under the assignment tab, scope it to the AVD desktops.
Note:- This policy will not work for multi session desktops. Use Registry to configure this setting instead.
- The next settings is to configure the registry settings to enable credential keys. When you use Microsoft Entra ID with a roaming profile solution like FSLogix, the credential keys in Credential Manager must belong to the profile that's currently loading. This will let you load your profile on many different VMs instead of being limited to just one. To enable this setting, create a new registry value by running the following command:
reg add HKLM\Software\Policies\Microsoft\AzureADAccount /v LoadCredKeyFromProfile /t REG_DWORD /d 1
Configure the FSLogix Profile
The next step is to configure the FSLogix profile using Intune policy. I am not adding the steps here assuming that you already know how to configure the FSLogix settings using Intune.
Validate the settings
The final part is to validate your configuration by connecting to an AVD desktop. Ensure the profile is getting created in the Azure Files. If you are facing issues, please review the fslogix logs from the event viewer.
Top comments (0)