AVD + FSLogix Without Domain Controllers: A Complete Cloud-Native Setup

Great news! You can now deploy Azure Virtual Desktop (AVD) with FSLogix using Entra-only identities and Azure Files—no domain controllers required. This is a game-changer for organizations moving toward a fully cloud-native architecture.

Why This Matters

Traditionally, using FSLogix with AVD meant relying on Active Directory or Entra Domain Services. That added complexity and infrastructure costs. With this new preview feature, you can manage everything in Microsoft Entra ID, configure Azure Files for profile containers, and eliminate on-prem dependencies.

What You’ll Learn

In this video and guide, you’ll learn the essential steps for setting up FSLogix using Entra-only identities and Azure Files. We’ll walk you through enabling Entra Kerberos authentication on Azure Files, assigning share-level permissions for cloud-only identities, and configuring FSLogix profiles specifically for AVD. The guide also explains how to set file- and folder-level permissions within Azure, and provides instructions for testing the setup using Windows 11 session hosts.

Video Walkthrough

The steps outlined below are the ones used in the accompanying video to build a working example.

Prerequisites

Before you begin, keep these key requirements in mind:

  • Windows 11 Enterprise or Pro (single or multi-session) or Windows Server 2025 with latest updates.
  • Azure Files storage account; Premium with the Provisioned v2 billing model is recommended.
  • AVD host pool with Entra ID joined session hosts.
  • This preview feature is only available in the Azure public cloud.

Step 1: Enable Microsoft Entra Kerberos Authentication

This step connects your Azure Files storage account to Entra ID for Kerberos-based authentication.

  1. In the Azure portal, open the storage account.
  2. Navigate to File Shares > Identity-based access.
  3. Select Set up under Microsoft Entra Kerberos and check the box.
  4. Leave domain services options blank (cloud-native only).
  5. Click Save and Close.

Step 2: Assign Default Share-Level Permissions

The following steps configure the default share-level permissions for your storage account. At the time this video and blog were published, only cloud-based identities support default share-level permissions. Share-level permissions apply to every share and to all authenticated users on the storage account.

  1. Go to Default share-level permissions from the Identity-based access window.
  2. Enable it and select Storage File Data SMB Share Contributor.
  3. Click Save.

Step 3: Create the File Share and Profile Directory

FSLogix needs a dedicated location for profile containers. Organizing profiles in a separate folder inside the share improves manageability.

  • Create a new file share and give it a name.
  • Set capacity (e.g., minimum size for testing).
  • Disable backups for this demo (enabling them is recommended for production).
  • Create a folder inside the share for the profiles.

Step 4: Grant Admin Consent to the Service Principal

The next step is to grant admin consent to the service principal. This authorizes the storage account to use Entra Kerberos for authentication. Without it, Kerberos tickets can’t be issued.

  1. Go to Entra ID > App Registrations > All Applications.
  2. Locate the storage account app (the name starts with [Storage Account]).
  3. Under API Permissions, click Grant admin consent.

Step 5: Enable Cloud-Only Group Support

The next step is to update the Tags attribute in the application manifest file. This allows permissions to be assigned to Entra groups instead of individual users. This step is required or authentication will fail.

  1. Locate the Tags attribute in the application manifest file.
  2. Add the required JSON value (“kdc_enable_cloud_group_sids”) to the Tags array, as described in the Microsoft documentation (link below).
  3. Save changes.

Step 6: Disable MFA for Storage Account Access

Entra Kerberos doesn’t support MFA for file share access. If MFA is enforced when accessing the storage account, users will be blocked.

  1. Review Conditional Access policies.
  2. Locate any policies that apply to the FSLogix users and target all applications.
  3. Exclude the storage account from MFA enforcement.

Step 7: Configure Clients to Retrieve Kerberos Tickets

AVD session hosts require Kerberos tickets to authenticate to Azure Files without user prompts. Add the registry key below on each AVD client to enable ticket retrieval. This can be set manually, in the source image, or via automation like Intune. The instructions below use the Azure VM Run command.

  1. Add the registry key on each session host to enable Kerberos ticket retrieval.
  2. From the VM in the Azure portal, go to Operations > Run command.
  3. Use “RunPowerShellScript” to add the registry key on the client.

Step 8: Configure Directory and File-Level Permissions

Setting proper ACLs is crucial: they prevent users from accessing each other’s profile containers on the shared profile location. Previously, an Active Directory domain was necessary to manage these ACLs. With the new preview update, you can manage ACLs for cloud-native Entra accounts directly using the “Manage access” option.

As of this writing, accessing the new “manage access” functionality requires utilizing the preview portal specified below. Once this feature is integrated into the default Azure portal, use of the preview portal will no longer be necessary.

  1. Open the preview Azure portal at https://aka.ms/portal/fileperms.
  2. Use Manage access on the profiles folder to set NTFS-like permissions:
     • Admin group: Full control
     • FSLogix user group: Modify on the root folder only
     • CREATOR OWNER: Modify on subfolders and files only
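The same three ACEs can be applied from a session host with icacls, as an added example that is not part of the original post. It assumes the share is mounted with admin-level access (storage account key) as the linked Microsoft doc describes, and that you substitute your own UNC path and the SIDs of your Entra admin and FSLogix user groups (the values below are placeholders); cloud-only groups are granted by SID because their names do not resolve on an Entra-joined host.

```powershell
# Added example (not from the original post): FSLogix recommended ACLs via icacls.
# Placeholders: replace the UNC path and the two group SIDs with your own values.
$ProfileRoot   = "\\STORAGEACCOUNT.file.core.windows.net\profiles\fslogix"   # placeholder UNC path
$AdminGroupSid = "S-1-12-1-0000000000-0000000000-0000000000-0000000000"       # placeholder: Entra admin group SID
$UserGroupSid  = "S-1-12-1-1111111111-1111111111-1111111111-1111111111"       # placeholder: Entra FSLogix users group SID

function Set-FslogixAcl {
    param([string]$Path, [string]$AdminSid, [string]$UserSid)
    $creatorOwnerSid = "S-1-3-0"   # well-known CREATOR OWNER SID, same on every Windows host

    # Drop inherited entries so only the explicit ACEs below apply to the profile root.
    icacls $Path /inheritance:r | Out-Null
    # Admin group: Full control on this folder, subfolders and files (OI = object inherit, CI = container inherit).
    # icacls accepts a raw SID when it is prefixed with '*'.
    icacls $Path /grant "*${AdminSid}:(OI)(CI)F" | Out-Null
    # FSLogix user group: Modify on this folder only (no inheritance flags), so users can
    # create their own profile folder but the right does not flow into other users' folders.
    icacls $Path /grant "*${UserSid}:M" | Out-Null
    # CREATOR OWNER: Modify on subfolders and files only (IO = inherit only, not on the root),
    # so each user ends up with rights only on the folder FSLogix creates for them.
    icacls $Path /grant "*${creatorOwnerSid}:(OI)(CI)(IO)M" | Out-Null
}

# Print the resulting ACL for review; SIDs that cannot be resolved locally are shown as-is.
function Show-FslogixAcl {
    param([string]$Path)
    icacls $Path
}

Set-FslogixAcl -Path $ProfileRoot -AdminSid $AdminGroupSid -UserSid $UserGroupSid
Show-FslogixAcl -Path $ProfileRoot
```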

Step 9: Enable FSLogix

FSLogix manages profile redirection by saving user profiles on a file share rather than on local disks. In cloud-native environments, group policies cannot be used to configure these settings. Instead, you should use Intune, customization scripts, the Azure run command on the VM, or embed the settings within the image to configure FSLogix.

  • Configure FSLogix settings on each session host:
    • Enable FSLogix
    • Set profile path to the Azure Files share
    • Optional: Configure size, cleanup options, etc.
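The registry settings for Step 7 (Kerberos ticket retrieval) and Step 9 (FSLogix profile container) can be applied together in one RunPowerShellScript run command. This is an added example, not code from the original post or the linked CiraltosTools repository; the share path is a placeholder, and the optional FSLogix values are starting points to tune for your environment.

```powershell
# Added example (not from the original post): Step 7 + Step 9 registry settings for an Entra-joined session host.
$ProfilePath = "\\STORAGEACCOUNT.file.core.windows.net\profiles\fslogix"  # placeholder UNC path to the profiles folder

# Step 7: allow the Entra-joined host to obtain a Kerberos ticket for Azure Files from Entra ID
# at sign-in, so the share mounts without a credential prompt.
function Enable-CloudKerberosTicketRetrieval {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name "CloudKerberosTicketRetrievalEnabled" `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# Step 9: core FSLogix profile container settings (documented FSLogix registry values).
function Set-FslogixProfileSettings {
    param([string]$VhdLocation)
    $key = "HKLM:\SOFTWARE\FSLogix\Profiles"
    New-Item -Path $key -Force | Out-Null
    $settings = @{
        Enabled                              = 1             # turn on profile containers
        VHDLocations                         = $VhdLocation  # Azure Files share + profiles folder
        DeleteLocalProfileWhenVHDShouldApply = 1             # remove a stale local profile before attaching
        FlipFlopProfileDirectoryName         = 1             # folder names as %username%_%sid%
        SizeInMBs                            = 30000         # optional: container size cap
        IsDynamic                            = 1             # optional: dynamically expanding container
        VolumeType                           = "VHDX"        # container format
    }
    foreach ($name in $settings.Keys) {
        $value = $settings[$name]
        # DWORD for numbers, REG_MULTI_SZ for VHDLocations, REG_SZ otherwise
        $type = if ($value -is [int]) { "DWord" } elseif ($name -eq "VHDLocations") { "MultiString" } else { "String" }
        New-ItemProperty -Path $key -Name $name -PropertyType $type -Value $value -Force | Out-Null
    }
}

# Read both keys back so the run command output shows exactly what was applied.
function Get-FslogixCloudConfig {
    $krb = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
    $fsl = Get-ItemProperty "HKLM:\SOFTWARE\FSLogix\Profiles"
    [pscustomobject]@{
        CloudKerberosTicketRetrievalEnabled = $krb.CloudKerberosTicketRetrievalEnabled
        FSLogixEnabled                      = $fsl.Enabled
        VHDLocations                        = $fsl.VHDLocations
    }
}

Enable-CloudKerberosTicketRetrieval
Set-FslogixProfileSettings -VhdLocation $ProfilePath
Get-FslogixCloudConfig
```

Leave PreventLoginWithFailure at its default unless you have a tested recovery path, since enabling it turns any container attach failure (including a Kerberos failure) into a sign-in denial.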


Step 10: Test the Setup

This step confirms the entire configuration works: cloud-native identities, Kerberos authentication, and FSLogix integration.

  1. Log in to AVD with a cloud-native user.
  2. Verify FSLogix creates a profile container in the Azure Files share.
  3. Check permissions to ensure isolation between users.


Links:

Zero to Hero with Azure Virtual Desktop
https://www.udemy.com/course/zero-to-hero-with-windows-virtual-desktop/?referralCode=B2FE49E6FCEE7A7EA8D4

A Beginner’s Guide to the AZ-900
https://www.udemy.com/course/beginners-guide-az-900/?referralCode=C74C266B74E837F86969

Hybrid Identity with Windows AD and Azure AD
https://www.udemy.com/course/hybrid-identity-and-azure-active-directory/?referralCode=7F62C4C6FD05C73ACCC3

Windows 365 Enterprise and Intune Management
https://www.udemy.com/course/windows-365-enterprise-and-intune-management/?referralCode=4A1ED105341D0AA20D2E

Cloud Native Identity with Azure Files: Entra-only Secure Access for the Modern Enterprise
https://techcommunity.microsoft.com/blog/azurestorageblog/cloud-native-identity-with-azure-files-entra-only-secure-access-for-the-modern-e/4469778?WT.mc_id=AZ-MVP-5004159

Store FSLogix profile containers on Azure Files using Microsoft Entra ID
https://learn.microsoft.com/en-us/fslogix/how-to-configure-profile-container-entra-id-hybrid?WT.mc_id=AZ-MVP-5004159

Assign share-level permissions
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable?tabs=azure-portal%2Cregkey&WT.mc_id=AZ-MVP-5004159#assign-share-level-permissions

Update Tags attribute in the application manifest file
https://learn.microsoft.com/en-us/entra/identity/authentication/kerberos?WT.mc_id=AZ-MVP-5004159#how-to-update-tags-attribute-in-application-manifest-file

Configure the clients to retrieve Kerberos tickets
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable?tabs=azure-portal%2Cregkey&WT.mc_id=AZ-MVP-5004159#configure-the-clients-to-retrieve-kerberos-tickets

Mount the file share with admin-level access
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-configure-file-level-permissions?WT.mc_id=AZ-MVP-5004159#mount-the-file-share-with-admin-level-access

Configure Windows ACLs using the Azure portal
Portal URL: https://aka.ms/portal/fileperms
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-configure-file-level-permissions?WT.mc_id=AZ-MVP-5004159#configure-windows-acls-using-the-azure-portal

FSLogix recommended ACL(s)
https://learn.microsoft.com/en-us/fslogix/how-to-configure-storage-permissions?WT.mc_id=AZ-MVP-5004159#recommended-acls

Registry settings to configure FSLogix
https://github.com/tsrob50/CiraltosTools

3 thoughts on “AVD + FSLogix Without Domain Controllers: A Complete Cloud-Native Setup”

  1. Dear Travis,

    First of all, thank you very much for the excellent video tutorial. Believe it or not, it was an absolute lifesaver. I had to set up an AVD environment for the first time without any prior experience. And—believe it or not—I needed exactly the setup you demonstrated (cloud-only VM with FSLogix). Quite a coincidence that you published the video on November 25th, 2025, and I ended up needing it just one week later.

    Thanks to your great video, your references, Copilot, ChatGPT, my intuition, and a good amount of patience, I actually managed to get FSLogix fully working in a pure cloud environment—on the very first attempt! I even got user and admin permissions configured correctly on the VM. So yes, I’m absolutely thrilled.

    I do have one small but important note:

    After my VM was running perfectly, I tried to change the time and region settings to “Switzerland.” However, I was unable to get the correct time to display in the VM. Unfortunately, I don’t know why. The time was always off by one hour. By default, everything was set to English/US, even though the “Switzerland North” datacenter was selected.

    In the end, I manually corrected the time—and afterward, I was unable to sign in to the VM. This happened because I had configured FSLogix to block sign-ins if an error occurs. My suspicion is that due to the time change, Kerberos tickets could no longer be exchanged between the storage and the VM. Essentially, I locked myself out. Luckily, I was able to fix the issue via PowerShell in the Azure console.

    Do you have any tips for me? Could you try reproducing this yourself?

    I also attempted to sign in using the local administrator account of the VM, but that didn’t work either. I assume this is also related to the FSLogix settings “block login on error” or “temporary profile login denial.” I guess I would need to exclude the local admin from FSLogix processing.

    Thanks again for the great Azure videos.

    Best regards,
    Sebastian

  2. Gertjan Jongeneel

    Hi Travis,

    Very nice walkthrough, thanks! I just wonder about one thing. How do we set the local Include and Exclude groups for FSLogix? Which groups can we use there and how to configure?
