{"id":2794,"date":"2022-03-08T13:57:34","date_gmt":"2022-03-08T13:57:34","guid":{"rendered":"https:\/\/exceedthecloud.com\/?p=2794"},"modified":"2022-03-09T16:16:05","modified_gmt":"2022-03-09T16:16:05","slug":"implement-and-manage-storage-for-azure-virtual-desktop-ad-ds","status":"publish","type":"post","link":"https:\/\/exceedthecloud.com\/?p=2794","title":{"rendered":"Implement and manage storage for Azure Virtual Desktop (AD DS)"},"content":{"rendered":"\n<p><\/p>\n\n\n\n<p>You need to implement and manage storage for an Azure Virtual Desktop deployment in an Azure Active Directory Domain Services (Azure AD DS) environment.<\/p>\n\n\n\n<p><strong>Objectives<\/strong><\/p>\n\n\n\n<p>After completing this lab, you will be able to:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Configure Azure Files to store profile containers for Azure Virtual Desktop<\/li><\/ul>\n\n\n\n<p><strong>Prerequisites for this lab<\/strong>:&nbsp;<a href=\"https:\/\/azure.microsoft.com\/en-us\/free\/\" target=\"_blank\" rel=\"noreferrer noopener\">Azure Account<\/a>&nbsp;\/&nbsp;<a href=\"https:\/\/github.com\/marcelin-ndjila\/Practical-Labs-Series\/blob\/master\/Azurelabs11.zip\" target=\"_blank\" rel=\"noreferrer noopener\">Download Labs Files here<\/a><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>An Azure subscription you will be using in this lab.<\/li><li>A Microsoft account or an Azure AD account with the Owner or Contributor role in the Azure subscription you will be using in this lab and with the Global Administrator role in the Azure AD tenant associated with that Azure subscription.<\/li><li>The completed lab <strong><a href=\"https:\/\/exceedthecloud.com\/?p=2660\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Prepare for deployment of Azure Virtual Desktop (AD DS)\">Prepare for deployment of Azure Virtual Desktop (AD DS)<\/a><\/strong><\/li><\/ul>\n\n\n\n<p><strong>Exercise 1: Configure Azure Files to store profile containers for Azure Virtual 
Desktop<\/strong><\/p>\n\n\n\n<p>The main tasks for this exercise are as follows:<\/p>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>Create an Azure Storage account<\/li><li>Create an Azure Files share<\/li><li>Enable AD DS authentication for the Azure Storage account<\/li><li>Configure the Azure Files RBAC-based permissions<\/li><li>Configure the Azure Files file system permissions<\/li><\/ul>\n\n\n\n<p><strong>Task 1: Create an Azure Storage account<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>From your lab computer, start a web browser, navigate to the <a href=\"https:\/\/portal.azure.com\">Azure portal<\/a>, and sign in by providing credentials of a user account with the Owner role in the subscription you will be using in this lab.<\/li><li>In the Azure portal, search for and select <strong>Virtual machines<\/strong> and, from the <strong>Virtual machines<\/strong> blade, select <strong>exceed-dc-vm11<\/strong>.<\/li><li>On the <strong>exceed-dc-vm11<\/strong> blade, select <strong>Connect<\/strong>, in the drop-down menu, select <strong>Bastion<\/strong>, on the <strong>Bastion<\/strong> tab of the <strong>exceed-dc-vm11 | Connect<\/strong> blade, select <strong>Use Bastion<\/strong>.<\/li><li>When prompted, provide the following credentials and select <strong>Connect<\/strong>:<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><td><strong>Setting<\/strong><\/td><td><strong>Value<\/strong><\/td><\/tr><\/thead><tbody><tr><td>User Name<\/td><td><a href=\"mailto:Student@adatum.com\"><strong>Student@adatum.com<\/strong><\/a><\/td><\/tr><tr><td>Password<\/td><td><strong>Pa55w.rd1234<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"287\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture149.png\" alt=\"\" class=\"wp-image-2795\" 
srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture149.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture149-300x138.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>Within the Remote Desktop session to <strong>exceed-dc-vm11<\/strong>, start Microsoft Edge and navigate to the <a href=\"https:\/\/portal.azure.com\">Azure portal<\/a>. If prompted, sign in by using the Azure AD credentials of the user account with the Owner role in the subscription you are using in this lab.<\/li><li>Within the Remote Desktop session to <strong>exceed-dc-vm11<\/strong>, in the Microsoft Edge window displaying the Azure portal, search for and select <strong>Storage accounts<\/strong> and, on the <strong>Storage accounts<\/strong> blade, select <strong>+ Create<\/strong>.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"196\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture150.png\" alt=\"\" class=\"wp-image-2796\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture150.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture150-300x94.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>On the <strong>Basics<\/strong> tab of the <strong>Create storage account<\/strong> blade, specify the following settings (leave others with their default values):<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><td><strong>Setting<\/strong><\/td><td><strong>Value<\/strong><\/td><\/tr><\/thead><tbody><tr><td>Subscription<\/td><td>the name of the Azure subscription you are using in this lab<\/td><\/tr><tr><td>Resource group<\/td><td>the name of a new resource group <strong>exeed140-22-RG<\/strong><\/td><\/tr><tr><td>Storage account 
name<\/td><td>any globally unique name between 3 and 15 characters in length, consisting of lowercase letters and digits, starting with a letter<\/td><\/tr><tr><td>Region<\/td><td>the name of an Azure region hosting the Azure Virtual Desktop lab environment<\/td><\/tr><tr><td>Performance<\/td><td><strong>Standard<\/strong><\/td><\/tr><tr><td>Redundancy<\/td><td><strong>Geo-redundant storage (GRS)<\/strong><\/td><\/tr><tr><td>Make read access to data available in the event of regional unavailability<\/td><td>enabled<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"529\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture151.png\" alt=\"\" class=\"wp-image-2797\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture151.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture151-300x254.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<p><strong>Note<\/strong>: Make sure that the length of the storage account name does not exceed 15 characters. The name will be used to create a computer account in the Active Directory Domain Services (AD DS) domain that is integrated with the Azure AD tenant associated with the Azure subscription containing the storage account. 
This will allow for AD DS-based authentication when accessing file shares hosted in this storage account.<\/p>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>On the <strong>Basics<\/strong> tab of the <strong>Create storage account<\/strong> blade, select <strong>Review + Create<\/strong>, wait for the validation process to complete, and then select <strong>Create<\/strong>.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"589\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture152.png\" alt=\"\" class=\"wp-image-2798\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture152.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture152-300x283.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<p><strong>Note<\/strong>: Wait for the Storage account to be created. This should take about 2 minutes.<\/p>\n\n\n\n<p><strong>Task 2: Create an Azure Files share<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>Within the Remote Desktop session to <strong>exceed-dc-vm11<\/strong>, in the Microsoft Edge window displaying the Azure portal, navigate back to the <strong>Storage accounts<\/strong> blade and select the entry representing the newly created storage account.<\/li><li>On the storage account blade, in the <strong>Data storage<\/strong> section, select <strong>File shares<\/strong> and then select <strong>+ File share<\/strong>.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"293\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture153.png\" alt=\"\" class=\"wp-image-2799\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture153.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture153-300x141.png 300w\" sizes=\"auto, (max-width: 
624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>On the <strong>New file share<\/strong> blade, specify the following settings and select <strong>Create<\/strong> (leave other settings with their default values):<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><td><strong>Setting<\/strong><\/td><td><strong>Value<\/strong><\/td><\/tr><\/thead><tbody><tr><td>Name<\/td><td><strong>exceedlab-22-profiles<\/strong><\/td><\/tr><tr><td>Tiers<\/td><td><strong>Transaction optimized<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"564\" height=\"714\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture154.png\" alt=\"\" class=\"wp-image-2800\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture154.png 564w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture154-237x300.png 237w\" sizes=\"auto, (max-width: 564px) 100vw, 564px\" \/><\/figure>\n\n\n\n<p><strong>Task 3: Enable AD DS authentication for the Azure Storage account<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>Within the Remote Desktop session to <strong>exceed-dc-vm11<\/strong>, open another tab in the Microsoft Edge window, navigate to the <a href=\"https:\/\/github.com\/Azure-Samples\/azure-files-samples\/releases\" target=\"_blank\" rel=\"noreferrer noopener\">Azure Files samples GitHub repository<\/a>, download the most recent version of the compressed <strong>AzFilesHybrid.zip<\/strong> PowerShell module, and extract its content into the <strong>C:\\Allfiles\\Labs\\02<\/strong> folder (create the folder if needed).<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"380\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture155.png\" alt=\"\" class=\"wp-image-2801\" 
srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture155.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture155-300x183.png 300w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture155-80x50.png 80w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<p>Within the Remote Desktop session to <strong>exceed-dc-vm11<\/strong>, start <strong>Windows PowerShell ISE<\/strong> as administrator and, from the <strong>Administrator: Windows PowerShell ISE<\/strong> script pane, run the following to remove the <strong>Zone.Identifier<\/strong> alternate data stream, which has a value of <strong>3<\/strong>, indicating that it was downloaded from the Internet:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Get-ChildItem -Path C:\\Allfiles\\Labs\\02 -File -Recurse | Unblock-File<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"188\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture156.png\" alt=\"\" class=\"wp-image-2802\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture156.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture156-300x90.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<p>From the <strong>Administrator: Windows PowerShell ISE<\/strong> console, run the following to sign in to your Azure subscription:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Connect-AzAccount<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"216\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture157.png\" alt=\"\" class=\"wp-image-2803\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture157.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture157-300x104.png 300w\" 
sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>When prompted, sign in with the Azure AD credentials of the user account with the Owner role in the subscription you are using in this lab.<\/li><li>Within the Remote Desktop session to <strong>exceed-dc-vm11<\/strong>, from the <strong>Administrator: Windows PowerShell ISE<\/strong> script pane, run the following to set the variables necessary to run the subsequent script:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>$subscriptionId = (Get-AzContext).Subscription.Id\n$resourceGroupName = 'exeed140-22-RG'\n$storageAccountName = (Get-AzStorageAccount -ResourceGroupName $resourceGroupName)&#91;0].StorageAccountName\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"352\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture158.png\" alt=\"\" class=\"wp-image-2804\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture158.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture158-300x169.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<p>Within the Remote Desktop session to <strong>exceed-dc-vm11<\/strong>, from the <strong>Administrator: Windows PowerShell ISE<\/strong> script pane, run the following to create an AD DS computer object that represents the Azure Storage account you created earlier in this task and is used to implement its AD DS authentication:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Set-Location -Path 'C:\\Allfiles\\Labs\\02'\n.\\CopyToPSPath.ps1 \nImport-Module -Name AzFilesHybrid\nJoin-AzStorageAccountForAuth `\n   -ResourceGroupName $ResourceGroupName `\n   -StorageAccountName $StorageAccountName `\n   -DomainAccountType 'ComputerAccount' `\n-OrganizationalUnitDistinguishedName 'OU=WVDInfra,DC=adatum,DC=com'\n<\/code><\/pre>\n\n\n\n<figure 
class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"352\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture159.png\" alt=\"\" class=\"wp-image-2805\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture159.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture159-300x169.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<p>Within the Remote Desktop session to <strong>exceed-dc-vm11<\/strong>, from the <strong>Administrator: Windows PowerShell ISE<\/strong> script pane, run the following to verify that the AD DS authentication is enabled on the Azure Storage account:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$storageaccount = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName\n$storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties\n$storageAccount.AzureFilesIdentityBasedAuth.DirectoryServiceOptions\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"353\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture160.png\" alt=\"\" class=\"wp-image-2806\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture160.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture160-300x170.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<p>Verify that the output of the command $storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties returns AD, representing the directory service of the storage account, and that the output of the $storageAccount.AzureFilesIdentityBasedAuth.DirectoryServiceOptions command, representing the directory domain information, resembles the following format (the values of DomainGuid, DomainSid, and AzureStorageSid will differ):<\/p>\n\n\n\n<pre 
class=\"wp-block-code\"><code>DomainName        : adatum.com\nNetBiosDomainName : adatum.com\nForestName        : adatum.com\nDomainGuid        : 47c93969-9b12-4e01-ab81-1508cae3ddc8\nDomainSid         : S-1-5-21-1102940778-2483248400-1820931179\nAzureStorageSid   : S-1-5-21-1102940778-2483248400-1820931179-2109\n<\/code><\/pre>\n\n\n\n<p>Within the Remote Desktop session to <strong>exceed-dc-vm11<\/strong>, switch to the Microsoft Edge window displaying the Azure portal, on the blade displaying the storage account, select <strong>File shares<\/strong> and verify that the <strong>Active Directory<\/strong> setting is <strong>Configured<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"282\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture161.png\" alt=\"\" class=\"wp-image-2807\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture161.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture161-300x136.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<p><strong>Note<\/strong>: You might have to refresh the browser page for the change to be reflected within the Azure portal.<\/p>\n\n\n\n<p><strong>Task 4: Configure the Azure Files RBAC-based permissions<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>Within the Remote Desktop session to <strong>exceed-dc-vm11<\/strong>, in the Microsoft Edge window displaying the Azure portal, on the blade displaying properties of the storage account you created earlier in this exercise, in the vertical menu on the left side, in the <strong>Data storage<\/strong> section, select <strong>File shares<\/strong>.<\/li><li>On the <strong>File shares<\/strong> blade, in the list of shares, select the <strong>exceedlab-22-profiles<\/strong> entry.<\/li><li>On the <strong>exceedlab-22-profiles<\/strong> blade, in the vertical menu on the left 
side, select <strong>Access Control (IAM)<\/strong>.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"211\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture162.png\" alt=\"\" class=\"wp-image-2808\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture162.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture162-300x101.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<p>On the <strong>Access Control (IAM)<\/strong> blade of the storage account, select <strong>+ Add<\/strong> and, in the drop-down menu, select <strong>Add role assignment<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"354\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture163.png\" alt=\"\" class=\"wp-image-2809\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture163.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture163-300x170.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>On the <strong>Add role assignment<\/strong> blade, specify the following settings and select <strong>Review + assign<\/strong>:<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><td><strong>Setting<\/strong><\/td><td><strong>Value<\/strong><\/td><\/tr><\/thead><tbody><tr><td>Role<\/td><td><strong>Storage File Data SMB Share Contributor<\/strong><\/td><\/tr><tr><td>Assign access to<\/td><td><strong>User, group, or service principal<\/strong><\/td><\/tr><tr><td>Select<\/td><td><strong>exceed140-wvd-users<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"291\" 
src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture164.png\" alt=\"\" class=\"wp-image-2810\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture164.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture164-300x140.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"371\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture165.png\" alt=\"\" class=\"wp-image-2811\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture165.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture165-300x178.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>On the <strong>Access Control (IAM)<\/strong> blade of the storage account, select <strong>+ Add<\/strong> and, in the drop-down menu, select <strong>Add role assignment<\/strong>.<\/li><li>On the <strong>Add role assignment<\/strong> blade, specify the following settings and select <strong>Review + assign<\/strong>:<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><td><strong>Setting<\/strong><\/td><td><strong>Value<\/strong><\/td><\/tr><\/thead><tbody><tr><td>Role<\/td><td><strong>Storage File Data SMB Share Elevated Contributor<\/strong><\/td><\/tr><tr><td>Assign access to<\/td><td><strong>User, group, or service principal<\/strong><\/td><\/tr><tr><td>Select<\/td><td><strong>exceed140-wvd-admins<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"370\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture166.png\" alt=\"\" class=\"wp-image-2812\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture166.png 624w, 
https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture166-300x178.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"440\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture167.png\" alt=\"\" class=\"wp-image-2813\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture167.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture167-300x212.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<p><strong>Task 5: Configure the Azure Files file system permissions<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>Within the Remote Desktop session to <strong>exceed-dc-vm11<\/strong>, switch to the <strong>Administrator: Windows PowerShell ISE<\/strong> window and, from the <strong>Administrator: Windows PowerShell ISE<\/strong> script pane, run the following to create a variable referencing the name and key of the storage account you created earlier in this exercise:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>$resourceGroupName = 'exeed140-22-RG'\n$storageAccount = (Get-AzStorageAccount -ResourceGroupName $resourceGroupName)&#91;0]\n$storageAccountName = $storageAccount.StorageAccountName\n$storageAccountKey = (Get-AzStorageAccountKey -ResourceGroupName $resourceGroupName -Name $storageAccountName).Value&#91;0]\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"352\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture168.png\" alt=\"\" class=\"wp-image-2814\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture168.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture168-300x169.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" 
\/><\/figure>\n\n\n\n<p>From the <strong>Administrator: Windows PowerShell ISE<\/strong> script pane, run the following to create a drive mapping to the file share you created earlier in this exercise:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$fileShareName = 'exceedlab-22-profiles'\nnet use Z: \"\\\\$storageAccountName.file.core.windows.net\\$fileShareName\" \/u:AZURE\\$storageAccountName $storageAccountKey\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"349\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture169.png\" alt=\"\" class=\"wp-image-2815\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture169.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture169-300x168.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<p>From the <strong>Administrator: Windows PowerShell ISE<\/strong> console, run the following to view the current file system permissions:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>icacls Z:<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"353\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture170.png\" alt=\"\" class=\"wp-image-2816\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture170.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture170-300x170.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<p><strong>Note<\/strong>: By default, both <strong>NT Authority\\Authenticated Users<\/strong> and <strong>BUILTIN\\Users<\/strong> have permissions that would allow users to read other users&#8217; profile containers. 
You will remove them and add minimum required permissions instead.<\/p>\n\n\n\n<ul class=\"wp-block-list\" type=\"1\"><li>From the <strong>Administrator: Windows PowerShell ISE<\/strong> script pane, run the following to adjust the file system permissions to comply with the principle of least privilege:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>$permissions = 'ADATUM\\exceed140-wvd-admins'+':(F)'\ncmd \/c icacls Z: \/grant $permissions\n$permissions = 'ADATUM\\exceed140-wvd-users'+':(M)'\ncmd \/c icacls Z: \/grant $permissions\n$permissions = 'Creator Owner'+':(OI)(CI)(IO)(M)'\ncmd \/c icacls Z: \/grant $permissions\nicacls Z: \/remove 'Authenticated Users'\nicacls Z: \/remove 'Builtin\\Users'\n\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"352\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture171.png\" alt=\"\" class=\"wp-image-2817\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture171.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture171-300x169.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>icacls Z:<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"351\" src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture172.png\" alt=\"\" class=\"wp-image-2818\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture172.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture172-300x169.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<p><strong>Note<\/strong>: Alternatively, you could set permissions by using File Explorer.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"430\" 
src=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture173.png\" alt=\"\" class=\"wp-image-2819\" srcset=\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture173.png 624w, https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/Picture173-300x207.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<p>Congratulations, you are now able to configure Azure Files to store profile containers for Azure Virtual Desktop!<\/p>\n\n\n\n<p><mark class=\"kt-highlight\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-virtue-primary-color\">Reminder: Don&#8217;t forget to delete or shut down all unused Azure resources after your labs to save costs.<\/mark><\/mark><\/p>\n","protected":false},"excerpt":{"rendered":"<p>You need to implement and manage storage for an Azure Virtual Desktop deployment in an Azure Active Directory Domain Services (Azure AD DS) environment. Objectives After completing this lab, you will be able to: Configure Azure Files to store profile &hellip; <a 
href=\"https:\/\/exceedthecloud.com\/?p=2794\">Continued<\/a><\/p>\n","protected":false},"author":1,"featured_media":2821,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"kt_blocks_editor_width":"","_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[102,98,4,104],"tags":[72,103,78,35],"class_list":["post-2794","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure-virtual-desktop","category-powershell","category-practical-labs-series","category-storage","tag-azure-active-directory","tag-azure-virtual-desktop","tag-storage","tag-virtual-machines"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/03\/istockphoto-1291478674-612x612-1.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/exceedthecloud.com\/index.php?rest_route=\/wp\/v2\/posts\/2794","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/exceedthecloud.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/exceedthecloud.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/exceedthecloud.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/exceedthecloud.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2794"}],"version-history":[{"count":4,"href":"https:\/\/exceedthecloud.com\/index.php?rest_route=\/wp\/v2\/posts\/2794\/revisions"}],"predecessor-version":[{"id":2875,"href":"https:\/\/exceedthecloud.com\/index.php?rest_route=\/wp\/v2\/posts\/2794\/revisions\/2875"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/exceedthecloud.com\/index.php?rest_route=\/wp\/v2\/media\/2821"}],"wp:attachme
nt":[{"href":"https:\/\/exceedthecloud.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2794"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/exceedthecloud.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2794"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/exceedthecloud.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2794"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}