Thanks Brian! Appreciate the feedback ☺️

Thanks Kunal

Thanks!

Congratulations Jim!!! 👍☺️🎈🎉🍰🙌👏🎊👍 Thanks for letting me know!

Congrats!🥳 I plan to take the exam in mid February, myself.

Awesome, DM me when you pass!

@@AzureAcademy Just passed it today! I messaged you on Patreon!

Congratulations!!!

Thanks Maziar! I’ll see you at the Master Class

Happy to help

Thank you Pawel…Hello Poland! ☺️

Thanks +Pawel G and HELLOOOO Poland ☺️

Anytime Anirudh! What other knowledge are you seeking ☺️

Thanks!

🤣😂😄😊

😎 anytime!

Anytime

Those are new, I got one for the 2022 AVD Master class that I am key noting with Kam VedBrat sign up for all the fun and prides! - lnkd.in/ef-_rvcE

@@AzureAcademy already signed up, I hope you’re taking your light sabre. :)

LOL I always have my LightSaber with my…”This weapon is your life!”

Thanks Juned, great question…however we don’t know yet. Azure AD Kerberos doesn’t support anything yet other then Azure Files

I helped write this FSLogix for the enterprise doc…there is a best practice section - docs.microsoft.com/en-us/azure/architecture/example-scenario/wvd/windows-virtual-desktop-fslogix#best-practice-settings-for-enterprises

I haven’t tried app attach yet…I believe it should because the VMs are Azure AD Joined and MSIX needs VM level permissions on the storage

Yes…once everything is done I am hoping that enabling this will be a check box and maybe even setting the FSLogix configuration inside the Azure Portal…stay tuned!

For me the WVD admins own the resources and have all the permissions to do anything. Inside the session host VM they have Admin rights. The WVDUsers group only gets access to the application groups so they can open a remote app or desktop. Inside the session host VM they are ordinary users.

@@AzureAcademy Thank you for your swift reply and kind assistance. Have a great day. Ciao

Anytime Faddy!

I’m not sure what you mean? Are you asking if you can set up Azure AD Kerberos on existing storage accounts and file shares…YES you can

No, Azure ADDS is NOT supported yet

Yes FSLOGIX is AVDs profile management solution. FSLogix does NOT require AADDS. The way you set up FSLogix depends on the join type of your VMs. Watch this for all the answers kzfaq.info/get/bejne/otxynK-bnNWld2g.htmlsi=dwHhMoPDcBrw_XaC

Great questions Kim, Yes, password hash sync is a minimum requirement for the authentication to work. Reason is that Pass through auth redirects the auth request to a domain controller…and DCs are not part of this experience

The default behavior is to attach user profile VHD files to the session host as the user account. AccessNetworkAsComputerObject changes this to attach using the computer instead In Azure files we grant the permissions to the user, so this would not work, because we aren’t giving the computer any permissions today. If the way we permission Azure Files changes, then you could use this feature

Thanks for the explanation! I tried it saving the storage account key in the credential store of the SYSTEM account of the session host, and it works: users can successfully log on with their containers stored in the Azure Files share. But I guess this is not a valid way to set it up?

What is your reason for wanting to NOT use the default user authentication?

Thanks for your support. As for the cloud only experience…Watch this follow up video kzfaq.info/get/bejne/Z9OjerR2v8W3m4k.html

@@AzureAcademy Oh, I somehow didn't see/find that. Thank you very much! I'll have a look at it straight away!

No worries! Let me know what your think!

@@AzureAcademy Great, thank you very much! Is it possible to manage the rights on the file share? I have now included the file share thanks to the video. But every user has access to every file.

That was one of the drawbacks i mentioned in the video with the storage account key option, there is no further granular control. Which means all local admin‘s have access to the file share. As far as user access goes, there is no concern because the users don’t actually have access, the VM system account does.

I know how you feel…I am waiting for it too, not to mention all the customers I work with who are waiting. The Azure AD Kerberos feature is a dependency for the AVD side to move forward, so support and feature advancement on this side has to wait for the feature and support on the Azure AD side. I don’t have any specifics that I can share at this time…all I can say is stay tuned!

@@AzureAcademyHi Dean, great content...gives me a headache though🙃So much info to absorb. I am replying in this comment thread as I am deploying similar to the original commentor and am also using Nerdio...it's 2 years later (now March 2024). I have started on an instance where I will have AVD and a file server to run Quickbooks & Lacerte (tax prep software)....database services need to run on a file server. Cloud only. At this point I haven't yet gotten to the AVD part. Just currently dealing with the file server VM. It is Entra joined with a managed disk. I just can't seem to understand what I need to configure the file shares on that server so that they will be available to AVD users. Hope you can shed some light in the right direction. Thanks for all your efforts in attempt to educate us.

If you have a VM running a file server function then you share it like any other file share Set the NTFS permissions and the share permissions on the share for the AVD users to access it If it is an Azure Files share…then you have to pick if you want to use Active Directory Auth or Entra ID Kerberos Auth, like I showed in this video Then you set those permissions for the AVD Users and you are done

@@AzureAcademyHi Dean, thanks for the reply. When I try to select the security principal, the Entra domain does not show up, only the machine domain itself (local), and the machine is Entra Joined. I checked with dsregcmd /status. Is this because this is a managed disk and not a storage account with a file share? Also I haven't run the powershell code you refer to. Is that still necessary now being Entra in 2024? Thanks in advance. One other thing...I am reading thru all the other comments here...especially the set started by @rg75293...seems to indicate this regular AD & hybrid sync is still needed...still today in 2024? I know you have some videos that talk about 100% cloud only...but this is not very clear at all. Perhaps another video is necessary to clear up the confusion (I am glad to see that I am not the only one...this is VERY confusing). And you can see with my question here, it's not just about AVD & FSLogix, but about typical file servers & file shares as well. We need true Cloud Only Identity, Authentication & Access. Smaller companies don't have DCs. And again much appreciated and thanks for your patience with all of us. 🙃

If you want to use Entra ID Kerberos Auth, then YES even in 2024, you need synced users and a domain controller running the PowerShell script. This is because the PowerShell sets up a type of Domain Trust between Entra and your AD Domain

As of TODAY in the preview…YES. But the goal is to NOT have hybrid users…so we can be 100% cloud and not need active directory at all

@@AzureAcademy What is the reason behind that? I am looking all over the internet and cannot find a straight answer... Does it have to do with the fact that the Kerberos auth needs the user to be registered to a given domain comming through AD Connect? Thanks!

Nothing to do with Azure AD Connect directly… Azure AD Kerberos realm presents a Kerberos ticket to the user so they can authenticate back to a domain controller to validate permissions… To do that the domain controller needs a user account to authenticate against…hence Hybrid users - make sense now?

@@AzureAcademy Thanks for the answer Dean ! The kindness and promptness are much appreciated. To be honest it's still a bit fuzzy. what DC are we talking about exactly? My understanding is that Azure AD is not a DC but acts as a KDC. Also we don't have a line of sight on the On Prem DC, just identities syncing. Therefore I don't understand what role the On Prem DC could have here. I ended up reading that the hybrid identities were needed because the SMB share level permission is configured against the identity represented in Azure AD while the directory/file level permission is enforced with that in AD DS. So the principal has to have both attributes and can only retrieve the second from the On Prem id... Is this relevant here or am I completely off topic?

There are 2 different implementations for file services Paul. #1 basic auth #2 auth+NTFS PERMISSIONS In basic auth, Azure AD is the KDC and storage is the service and the user is what’s authenticated…no domain controller needed Users will get basically full control In #2 We want granular permissions in the file share Azure AD is still the KDC Your Active Directory name and GUID are needed to locate your domain controller Permissions need to be assign fin the storage account/file share for SMB share contributor and SMB share elevated contributor for ADMIN rights Then you setup windows NTFS permissions Hybrid users are needed here to find the user in the domain and assign NTFS permissions. Does that help