Great news! You can now deploy Azure Virtual Desktop (AVD) with FSLogix using Entra-only identities and Azure Files—no domain controllers required. This is a game-changer for organizations moving toward a fully cloud-native architecture.
Why This Matters
Traditionally, using FSLogix with AVD meant relying on Active Directory or Entra Domain Services. That added complexity and infrastructure costs. With this new preview feature, you can manage everything in Microsoft Entra ID, configure Azure Files for profile containers, and eliminate on-prem dependencies.
What You’ll Learn
In this video and guide, you’ll learn the essential steps for setting up FSLogix using Entra-only identities and Azure Files. We’ll walk you through enabling Entra Kerberos authentication on Azure Files, assigning share-level permissions for cloud-only identities, and configuring FSLogix profiles specifically for AVD. In addition, the guide explains how to set file- and folder-level permissions within Azure, and provides instructions for testing the setup using Windows 11 session hosts.
Video Walkthrough
The steps outlined below are the ones used in the accompanying video to build a working example.
Prerequisites
Before you begin, keep these key requirements in mind:
- Windows 11 Enterprise or Pro (single or multi-session) or Windows Server 2025 with latest updates.
- Azure Files storage account, Premium Provisioned V2 or v2 recommended.
- AVD host pool with Entra ID joined session hosts.
- This preview feature is only available in the Azure public cloud.
Step 1: Enable Microsoft Entra Kerberos Authentication
This step connects your Azure Files storage account to Entra ID for Kerberos-based authentication.
- In the Azure portal, open the storage account.
- Navigate to File Shares > Identity-based access.
- Select Set up under Microsoft Entra Kerberos and check the box.
- Leave domain services options blank (cloud-native only).
- Click Save and Close.

Step 2: Assign Default Share-Level Permissions
The following steps configure the default share-level permissions for your storage account. As of the time this video and blog were published, only cloud-based identities support these default share-level permissions. Default share-level permissions apply to every share and to all authenticated users on the storage account.
- Go to Default share-level permissions from the Identity-based access window.
- Enable it and select Storage File Data SMB Share Contributor.
- Click Save.

Step 3: Create the File Share and Profile Directory
FSLogix needs a dedicated location for profile containers. Organizing profiles in a separate folder inside the share improves manageability.
- Create a new file share and give it a name.
- Set capacity (e.g., minimum size for testing).
- Disable backups for this demo (enabling them is recommended for production).
- Create a folder inside the share for the profiles.

Step 4: Grant Admin Consent to the Service Principal
The next step is to grant admin consent to the service principal. This step authorizes the storage account to use Entra Kerberos for authentication. Without this, Kerberos tickets can’t be issued.
- Go to Entra ID > App Registrations > All Applications.
- Locate the storage account app (the name starts with [Storage Account]).
- Under API Permissions, click Grant admin consent.

Step 5: Enable Cloud-Only Group Support
The next step is to update the Tags attribute in the application manifest file. This allows permissions to be assigned to Entra groups instead of individual users. This step is required or authentication will fail.
- Locate the Tags attribute in the application manifest file.
- Add the required JSON line (“kdc_enable_cloud_group_sids”) as per Microsoft documentation (link below).
- Save changes.

Step 6: Disable MFA for Storage Account Access
Entra Kerberos doesn’t support MFA for file share access. If MFA is enforced when accessing the storage account, users will be blocked.
- Review Conditional Access policies.
- Locate any policies that apply to the FSLogix users and target all applications.
- Exclude the storage account from MFA enforcement.

Step 7: Configure Clients to Retrieve Kerberos Tickets
AVD session hosts require Kerberos tickets to authenticate to Azure Files without user prompts. Add the registry key below on each AVD client to enable ticket retrieval. This can be set manually, in the source image, or via automation like Intune. The instructions below use the Azure VM Run command.
- Add a registry key on each session host to enable Kerberos ticket retrieval.
- From the VM in the Azure Portal, go to operations, run command.
- Use “RunPowerShellScript” to add the registry key to the client.
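As an added example that is not part of the original post, the following Az PowerShell snippet pushes the same registry change through the Run Command from an admin workstation instead of clicking through the portal. The resource group and VM names are placeholders, and it assumes the Az.Compute module is installed and you have already run Connect-AzAccount; the registry value itself is the one Microsoft documents for Entra Kerberos ticket retrieval (linked at the bottom of the post).

```powershell
# Added example (not from the original post): enable cloud Kerberos ticket
# retrieval on one AVD session host via the Azure VM Run Command.
# Assumptions: Az.Compute installed, already signed in; names below are placeholders.
$ResourceGroup = 'rg-avd-hosts'   # placeholder
$VmName        = 'avd-host-01'    # placeholder

# Script body executed on the session host. Only the documented value is written;
# nothing else on the host is touched.
$scriptPath = Join-Path $env:TEMP 'Enable-CloudKerberos.ps1'
@'
$path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
New-Item -Path $path -Force | Out-Null
New-ItemProperty -Path $path -Name 'CloudKerberosTicketRetrievalEnabled' `
    -PropertyType DWord -Value 1 -Force | Out-Null
# Echo the value back so the Run Command output confirms the change (expect 1).
(Get-ItemProperty -Path $path).CloudKerberosTicketRetrievalEnabled
'@ | Set-Content -Path $scriptPath -Encoding ASCII

$result = Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroup -VMName $VmName `
    -CommandId 'RunPowerShellScript' -ScriptPath $scriptPath

# Value[0].Message carries the remote script's standard output.
$result.Value[0].Message
```

Loop the call over the hosts in the pool, or bake the same value into the source image, if you would rather not touch each VM individually; the Run Command output shows the readback value so you can tell at a glance which hosts took the change.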

Step 8: Configure Directory and File-Level Permissions
Setting proper ACLs is crucial: it prevents users from accessing each other’s profile containers and keeps the shared profile location secure. Previously, an Active Directory domain was necessary to handle ACL management. With the new preview update, you can now manage ACLs for cloud-native Azure accounts directly using the “manage access” option.
As of this writing, accessing the new “manage access” functionality requires utilizing the preview portal specified below. Once this feature is integrated into the default Azure portal, use of the preview portal will no longer be necessary.
- Open the preview Azure portal located at https://aka.ms/portal/fileperms.
- Set NTFS-like permissions:
  - Admin group: Full control
  - FSLogix user group: Modify on root folder only
  - Create Owner: Modify subfolders and files only
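For admins who prefer scripting over the preview portal, here is an added example (not from the original post) that applies the same three entries with icacls after mounting the share with the storage account key, which is the “admin-level access” method the Microsoft doc linked below describes. The storage account, share, folder name and the two group SIDs are placeholders; the key is read from a secure prompt rather than stored in the script.

```powershell
# Added example (not from the original post): apply the FSLogix folder ACLs
# listed above with icacls over an admin-level (storage key) mount.
# Assumptions: all names and SIDs below are placeholders; replace with your own.
$StorageAccount = 'stavdprofiles'   # placeholder
$Share          = 'profiles'        # placeholder
$ProfileFolder  = 'fslogix'         # placeholder: folder created in Step 3
$AdminGroupSid  = 'S-1-12-1-0000000000-0000000000-0000000000-0000000000'  # placeholder Entra group SID
$UserGroupSid   = 'S-1-12-1-1111111111-1111111111-1111111111-1111111111'  # placeholder Entra group SID

# Prompt for the key so it never lands in the script or shell history.
$key = Read-Host -Prompt "Storage account key for $StorageAccount" -AsSecureString
$plainKey = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($key))

$unc = "\\$StorageAccount.file.core.windows.net\$Share"
net use Z: $unc /user:"Azure\$StorageAccount" $plainKey | Out-Null
$plainKey = $null

$target = "Z:\$ProfileFolder"
# Admin group: Full control, inherited by subfolders and files.
icacls $target /grant "*$($AdminGroupSid):(OI)(CI)(F)"
# FSLogix user group: Modify on this folder only (no inheritance flags).
icacls $target /grant "*$($UserGroupSid):(M)"
# CREATOR OWNER (well-known SID S-1-3-0): Modify on subfolders and files only,
# so each user gets rights on the container folder they create and nothing else.
icacls $target /grant "*S-1-3-0:(OI)(CI)(IO)(M)"

# Review the resulting DACL before disconnecting.
icacls $target
net use Z: /delete | Out-Null
```

Compare the final icacls output with the FSLogix recommended ACLs linked at the bottom of the post and remove any entries that list does not include; an extra inherited entry on the profile folder is the usual reason one user can browse another’s container.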


Step 9: Enable FSLogix
FSLogix manages profile redirection by saving user profiles on a file share rather than on local disks. In cloud-native environments, group policies cannot be used to configure these settings. Instead, you should use Intune, customization scripts, the Azure run command on the VM, or embed the settings within the image to configure FSLogix.
- Configure FSLogix settings on each session host:
  - Enable FSLogix
  - Set profile path to the Azure Files share
  - Optional: Configure size, cleanup options, etc.
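The registry values behind those three bullets, as an added example that is not part of the original post (the author’s own settings are in the GitHub link at the bottom). It writes the FSLogix Profile Container values that the group policy templates would otherwise set, so it can be run elevated on the host, through the Run Command, or as an Intune script. The storage account, share and folder names are placeholders, and it assumes FSLogix is already installed.

```powershell
# Added example (not from the original post): configure FSLogix Profile Container
# on a session host with registry values instead of group policy.
# Assumptions: names below are placeholders; FSLogix is installed; run elevated.
$StorageAccount = 'stavdprofiles'   # placeholder
$Share          = 'profiles'        # placeholder
$ProfileFolder  = 'fslogix'         # placeholder: folder created in Step 3

$vhdLocation = "\\$StorageAccount.file.core.windows.net\$Share\$ProfileFolder"
$fslogix = 'HKLM:\SOFTWARE\FSLogix\Profiles'
New-Item -Path $fslogix -Force | Out-Null

$settings = @{
    Enabled                              = 1                 # turn Profile Container on
    VHDLocations                         = @($vhdLocation)   # REG_MULTI_SZ, one share here
    VolumeType                           = 'VHDX'
    SizeInMBs                            = 30000             # 30 GB maximum container size
    IsDynamic                            = 1                 # grow on demand, don't preallocate
    FlipFlopProfileDirectoryName         = 1                 # folders named <username>_<sid>
    DeleteLocalProfileWhenVHDShouldApply = 1                 # avoid a stale local profile clash
}

foreach ($name in $settings.Keys) {
    $value = $settings[$name]
    $type = if ($value -is [int]) { 'DWord' }
            elseif ($name -eq 'VHDLocations') { 'MultiString' }
            else { 'String' }
    New-ItemProperty -Path $fslogix -Name $name -Value $value -PropertyType $type -Force | Out-Null
}

# Read back what was written so a Run Command or Intune log shows the result.
Get-ItemProperty -Path $fslogix |
    Select-Object Enabled, VHDLocations, VolumeType, SizeInMBs, IsDynamic, FlipFlopProfileDirectoryName
```

Because the session hosts are Entra-joined and no domain is involved, VHDLocations has to be the full file.core.windows.net UNC path rather than a DFS or short name; the cifs ticket the host obtains in Step 7 is issued for exactly that hostname.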

Step 10: Test the Setup
This step confirms that the entire configuration works: cloud-native identities, Kerberos authentication, and FSLogix integration.
- Log in to AVD with a cloud-native user.
- Verify FSLogix creates a profile container in the Azure Files share.
- Check permissions to ensure isolation between users.
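The three checks above, scripted as an added example that is not part of the original post. Run it from an elevated session on the session host after a cloud-native user has signed in at least once; the storage account, share, folder and admin group SID are placeholders, and it assumes the account running it can read the profile folder (a member of the admin group from Step 8).

```powershell
# Added example (not from the original post): verify Kerberos, FSLogix and
# per-user isolation after the first cloud-native sign-in.
# Assumptions: names and SID below are placeholders; run elevated on a session host.
$StorageAccount = 'stavdprofiles'   # placeholder
$Share          = 'profiles'        # placeholder
$ProfileFolder  = 'fslogix'         # placeholder
$AdminGroupSid  = 'S-1-12-1-0000000000-0000000000-0000000000-0000000000'  # placeholder
$profileRoot    = "\\$StorageAccount.file.core.windows.net\$Share\$ProfileFolder"

# 1. Kerberos: the host should hold a cloud TGT and a cifs ticket for the share.
klist | Select-String -Pattern @('krbtgt', "cifs/$StorageAccount.file.core.windows.net")

# 2. FSLogix: local state plus the container folders that were created on the share.
Get-ItemProperty 'HKLM:\SOFTWARE\FSLogix\Profiles' | Select-Object Enabled, VHDLocations
$folders = Get-ChildItem -Path $profileRoot -Directory
$folders | ForEach-Object {
    $vhd = Get-ChildItem -Path $_.FullName -Filter '*.vhdx' -ErrorAction SilentlyContinue
    [pscustomobject]@{ Folder = $_.Name; Container = $vhd.Name; SizeMB = [int]($vhd.Length / 1MB) }
}

# 3. Isolation: each per-user folder should grant access only to its owner, the
#    admin group and the built-in system/administrator principals. Anything else
#    is an ACL to fix before more users sign in.
$expected = @($AdminGroupSid, 'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0')
foreach ($f in $folders) {
    $acl      = Get-Acl -Path $f.FullName
    $ownerSid = $acl.GetOwner([Security.Principal.SecurityIdentifier]).Value
    $rules    = $acl.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])
    $unexpected = @($rules | Where-Object { $_.IdentityReference.Value -notin ($expected + $ownerSid) })
    [pscustomobject]@{
        Folder            = $f.Name
        OwnerSid          = $ownerSid
        UnexpectedEntries = ($unexpected | ForEach-Object { $_.IdentityReference.Value }) -join ','
    }
}
```

An empty UnexpectedEntries column for every folder is the result you want; a non-empty one usually means the FSLogix user group entry was applied with inheritance instead of “this folder only” in Step 8. If klist shows no cifs ticket, recheck the Step 7 registry value and the Conditional Access exclusion from Step 6 before looking at FSLogix itself.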


Links:
Zero to Hero with Azure Virtual Desktop
https://www.udemy.com/course/zero-to-hero-with-windows-virtual-desktop/?referralCode=B2FE49E6FCEE7A7EA8D4
A Beginner’s Guide to the AZ-900
https://www.udemy.com/course/beginners-guide-az-900/?referralCode=C74C266B74E837F86969
Hybrid Identity with Windows AD and Azure AD
https://www.udemy.com/course/hybrid-identity-and-azure-active-directory/?referralCode=7F62C4C6FD05C73ACCC3
Windows 365 Enterprise and Intune Management
https://www.udemy.com/course/windows-365-enterprise-and-intune-management/?referralCode=4A1ED105341D0AA20D2E
Cloud Native Identity with Azure Files: Entra-only Secure Access for the Modern Enterprise
https://techcommunity.microsoft.com/blog/azurestorageblog/cloud-native-identity-with-azure-files-entra-only-secure-access-for-the-modern-e/4469778?WT.mc_id=AZ-MVP-5004159
Store FSLogix profile containers on Azure Files using Microsoft Entra ID
https://learn.microsoft.com/en-us/fslogix/how-to-configure-profile-container-entra-id-hybrid?WT.mc_id=AZ-MVP-5004159
Assign share-level permissions
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable?tabs=azure-portal%2Cregkey&WT.mc_id=AZ-MVP-5004159#assign-share-level-permissions
Update Tags attribute in the application manifest file
https://learn.microsoft.com/en-us/entra/identity/authentication/kerberos?WT.mc_id=AZ-MVP-5004159#how-to-update-tags-attribute-in-application-manifest-file
Configure the clients to retrieve Kerberos tickets
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable?tabs=azure-portal%2Cregkey&WT.mc_id=AZ-MVP-5004159#configure-the-clients-to-retrieve-kerberos-tickets
Mount the file share with admin-level access
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-configure-file-level-permissions?WT.mc_id=AZ-MVP-5004159#mount-the-file-share-with-admin-level-access
Configure Windows ACLs using the Azure portal
Portal URL: https://aka.ms/portal/fileperms
FSLogix recommended ACL(s)
https://learn.microsoft.com/en-us/fslogix/how-to-configure-storage-permissions?WT.mc_id=AZ-MVP-5004159#recommended-acls
Registry settings to configure FSLogix
https://github.com/tsrob50/CiraltosTools