Important
In an upcoming change to Windows, included in the April 2026 Windows Server update, the default Kerberos encryption type changes from RC4 to AES-SHA1.
File shares hosting FSLogix containers that aren't upgraded to AES-SHA1 might have access issues after this change is applied. To avoid disruption, complete the upgrade to AES-SHA1 before installing the update.
Customers who have already upgraded to AES-SHA1 aren't affected.
For more information, see the FSLogix blog: Action required: Windows Kerberos hardening (RC4) may affect FSLogix profiles on SMB storage.
In this article, you'll learn how to create and configure an Azure Files share for Microsoft Entra Kerberos authentication. With this configuration, FSLogix profiles stored on the share can be accessed by the following kinds of users, depending on how you configure it:
- By hybrid user identities from Microsoft Entra joined or Microsoft Entra hybrid joined session hosts without requiring network line-of-sight to domain controllers. This feature is supported in the Azure cloud, Azure for US Government, and Azure operated by 21Vianet.
- By cloud-only identities or external identities. This feature is only supported in the Azure cloud.
Microsoft Entra Kerberos enables Microsoft Entra ID to issue the necessary Kerberos tickets to access the file share with the industry-standard SMB protocol.
Prerequisites
For hybrid identities: before deploying this solution, verify that your environment meets the requirements to configure Azure Files with Microsoft Entra Kerberos authentication for hybrid identities. When used for FSLogix profiles in Azure Virtual Desktop, the session hosts don't need network line-of-sight to the domain controller (DC). However, a system with network line-of-sight to the DC is still required to configure the permissions on the Azure Files share.
For cloud-only or external identities: before deploying this solution, verify that your environment meets the requirements to configure Azure Files with Microsoft Entra Kerberos authentication for cloud-only or external identities.
Configure your Azure storage account and file share
For hybrid identities, to store your FSLogix profiles on an Azure file share:
Create an Azure Storage account if you don't already have one.
Note
Your Azure Storage account can't authenticate with both Microsoft Entra ID and a second method like Active Directory Domain Services (AD DS) or Microsoft Entra Domain Services. You can only use one authentication method.
Create an Azure Files share under your storage account to store your FSLogix profiles if you haven't already.
Enable Microsoft Entra Kerberos authentication on Azure Files to enable access from Microsoft Entra joined VMs. This includes the following steps:
- Enable Microsoft Entra Kerberos authentication for the storage account. This will create the Entra ID app registration for the storage account and allow you to provide directory and file-level permissions to groups managed through Entra ID.
- Assign share-level permissions. You can assign share-level permissions to your users either by configuring default share-level permissions in the identity source page, or by creating Azure Role-based access control (RBAC) roles.
- Configure the storage permissions for profile containers. Review the recommended list of permissions for FSLogix profiles for allowing users to create and use their own profile, while also allowing admins to manage the share.
Configure the Entra ID app registration for the storage account to ensure that users can properly acquire tickets for their assigned Entra ID groups.
- Grant admin consent to the new service principal. This grants the permissions for users to request Entra ID tokens for the storage account.
- Disable multifactor authentication for the storage account's app registration. The Entra ID token and Kerberos tickets are acquired silently during user logon, and there's no UI in that flow to complete step-up authentication, so an MFA requirement on this app blocks profile access.
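The storage-account side of the steps above, as an added PowerShell example (this is not code from the original article or from Microsoft; it uses the Az.Storage and Az.Resources cmdlets, plus Get-ADDomain from the ActiveDirectory RSAT module, which is why it has to run on a host with line-of-sight to a domain controller). The subscription, resource group, storage account, share and group IDs are placeholders. It shows both share-level permission options the article names, selected with a switch, and reads the setting back so you can confirm the identity source is AADKERB.

```powershell
# Added example: enable Microsoft Entra Kerberos for hybrid identities on an
# existing storage account and grant share-level access. Run in an elevated
# PowerShell session with Az and the ActiveDirectory RSAT module installed.
param(
    [string]$SubscriptionId      = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]$ResourceGroupName   = 'rg-avd-profiles',                        # placeholder
    [string]$StorageAccountName  = 'stavdprofiles',                          # placeholder
    [string]$FileShareName       = 'fslogix',                                # placeholder
    [string]$UsersGroupObjectId  = '11111111-1111-1111-1111-111111111111',  # placeholder Entra group (profile users)
    [string]$AdminsGroupObjectId = '22222222-2222-2222-2222-222222222222',  # placeholder Entra group (share admins)
    [switch]$UseDefaultSharePermission   # pick option 1 below instead of per-group RBAC
)

Connect-AzAccount -Subscription $SubscriptionId | Out-Null

# Hybrid identities: Entra ID needs the on-premises domain name and GUID so the
# Kerberos ticket it issues carries the users' on-premises SIDs.
$domain = Get-ADDomain
Set-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName `
    -EnableAzureActiveDirectoryKerberosForFile $true `
    -ActiveDirectoryDomainName $domain.DNSRoot `
    -ActiveDirectoryDomainGuid $domain.ObjectGUID.ToString() | Out-Null

if ($UseDefaultSharePermission) {
    # Option 1: one default share-level permission for every authenticated identity.
    Set-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName `
        -DefaultSharePermission StorageFileDataSmbShareContributor | Out-Null
} else {
    # Option 2 (least privilege): explicit RBAC scoped to the single file share.
    $shareScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
                  "/providers/Microsoft.Storage/storageAccounts/$StorageAccountName" +
                  "/fileServices/default/fileshares/$FileShareName"
    New-AzRoleAssignment -ObjectId $UsersGroupObjectId `
        -RoleDefinitionName 'Storage File Data SMB Share Contributor' -Scope $shareScope | Out-Null
    New-AzRoleAssignment -ObjectId $AdminsGroupObjectId `
        -RoleDefinitionName 'Storage File Data SMB Share Elevated Contributor' -Scope $shareScope | Out-Null
}

# Read the configuration back: DirectoryServiceOptions should now be AADKERB.
$sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
[pscustomobject]@{
    StorageAccount         = $sa.StorageAccountName
    DirectoryServiceOption = $sa.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
    DefaultSharePermission = $sa.AzureFilesIdentityBasedAuth.DefaultSharePermission
    DomainName             = $sa.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties.DomainName
}
```

Admin consent for the app registration that this creates, and the MFA exclusion, are still granted in the Entra admin center as the article describes; directory- and file-level NTFS permissions are then set over SMB from the DC-connected host.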
For cloud-only or external identities, configure the storage account and file share with the same steps as above, with these differences:
- When you create the Azure Files share, you can manage its permissions through Manage access control.
- When Entra Kerberos is configured, the file share shows a Manage access tab for assigning permissions, which is the recommended way to configure storage permissions for cloud-only and external identity users.
- Add an app manifest tag to the storage account's Entra ID app registration to enable cloud-only groups support. This ensures that Entra ID includes cloud-only Entra ID groups in the Kerberos ticket, instead of only on-premises groups. When complete, your app manifest should have kdc_enable_cloud_group_sids added in the tags portion of the app manifest.
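The manifest-tag step for cloud-only and external identities, as an added Microsoft Graph PowerShell example (not code from the original article or from Microsoft). It assumes the app registration that enabling Entra Kerberos created is named "[Storage Account] <account>.file.core.windows.net"; if your tenant names it differently, pass the app registration's object ID instead. The example appends the tag rather than replacing the tags array, since Update-MgApplication -Tags overwrites whatever is there.

```powershell
# Added example: add kdc_enable_cloud_group_sids to the storage account's
# Entra ID app registration, preserving existing tags, and verify the result.
param(
    [string]$StorageAccountName  = 'stavdprofiles',   # placeholder
    [string]$ApplicationObjectId                      # optional: object ID of the app registration
)

Connect-MgGraph -Scopes 'Application.ReadWrite.All' | Out-Null

if ($ApplicationObjectId) {
    $app = Get-MgApplication -ApplicationId $ApplicationObjectId
} else {
    # Assumed display-name convention for the app registration Entra Kerberos creates.
    $displayName = "[Storage Account] $StorageAccountName.file.core.windows.net"
    $app = Get-MgApplication -Filter "displayName eq '$displayName'"
}
if (-not $app -or @($app).Count -ne 1) {
    throw "Expected exactly one app registration for $StorageAccountName; refine the lookup or pass -ApplicationObjectId."
}

$tag  = 'kdc_enable_cloud_group_sids'
$tags = @($app.Tags)                      # keep any tags already present
if ($tags -contains $tag) {
    Write-Host "'$tag' is already set on $($app.DisplayName)"
} else {
    Update-MgApplication -ApplicationId $app.Id -Tags ($tags + $tag)
    Write-Host "Added '$tag' to $($app.DisplayName)"
}

# Verify: the manifest's tags array now contains the marker.
(Get-MgApplication -ApplicationId $app.Id).Tags
```

Users must sign out and back in after the tag is added: the cloud group SIDs are only included in tickets issued after the change.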
Configure your local Windows device
To access Azure file shares from a Microsoft Entra joined VM for FSLogix profiles, you must configure the local Windows device your FSLogix profiles are being loaded onto. To configure your device:
Enable the Microsoft Entra Kerberos functionality using one of the following methods.
- Configure this Intune Policy CSP with settings catalog and apply it to the session host: Kerberos/CloudKerberosTicketRetrievalEnabled.
Note
Windows multi-session client operating systems now support this setting provided it is configured with Settings Catalog, where the setting is now available. Learn more at Using Azure Virtual Desktop multi-session with Intune.
- Enable this Group Policy setting on your device. The path is one of the following, depending on the version of Windows you use:
  - Administrative Templates\System\Kerberos\Allow retrieving the cloud kerberos ticket during the logon
  - Administrative Templates\System\Kerberos\Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon
- Create the following registry value on your device:
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v CloudKerberosTicketRetrievalEnabled /t REG_DWORD /d 1
When you use Microsoft Entra ID with a roaming profile solution like FSLogix, the credential keys in Credential Manager must belong to the profile that's currently loading. This lets you load your profile on many different VMs instead of being limited to just one. To enable this setting, create a new registry value by running the following command:
reg add HKLM\Software\Policies\Microsoft\AzureADAccount /v LoadCredKeyFromProfile /t REG_DWORD /d 1
Note
The session hosts don't need network line-of-sight to the domain controller.
Configure FSLogix on your local Windows device
This section shows you how to configure your local Windows device with FSLogix. These registry values must be present on every session host, so apply them whenever you build a device: bake them into the image, or deliver them with Group Policy.
To configure FSLogix:
Update or install FSLogix on your device, if needed.
Note
If you're configuring a session host created using the Azure Virtual Desktop service, FSLogix should already be pre-installed.
Follow the instructions in Configure profile container registry settings to create the Enabled and VHDLocations registry values. Set the value of VHDLocations to \\<Storage-account-name>.file.core.windows.net\<file-share-name>.
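The session-host configuration from the previous two sections (the Entra Kerberos and LoadCredKeyFromProfile values, then the FSLogix profile container values) in one added PowerShell script, followed by a read-back check. This is not code from the original article or from FSLogix; the share UNC is a placeholder, and the frx.exe path used to detect an FSLogix install is the installer's default location (an assumption). It also sets DeleteLocalProfileWhenVHDShouldApply, which the test section below relies on, so a pre-existing local profile can't mask a broken share.

```powershell
# Added example: configure a session host for Entra Kerberos + FSLogix and
# verify the result. Run elevated on the session host (or bake into the image).
param(
    [string]$VhdLocation = '\\stavdprofiles.file.core.windows.net\fslogix'   # placeholder share UNC
)

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

# 1. Allow LSA to retrieve the cloud Kerberos TGT at logon (same value as the reg add above).
$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
Set-RegDword -Path $kerbParams -Name 'CloudKerberosTicketRetrievalEnabled' -Value 1

# 2. Load Credential Manager keys from the roaming profile rather than the local machine.
$aadAccount = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
Set-RegDword -Path $aadAccount -Name 'LoadCredKeyFromProfile' -Value 1

# 3. FSLogix profile container: Enabled, VHDLocations (REG_MULTI_SZ) and
#    DeleteLocalProfileWhenVHDShouldApply so a stale local profile never wins.
$fslProfiles = 'HKLM:\SOFTWARE\FSLogix\Profiles'
Set-RegDword -Path $fslProfiles -Name 'Enabled' -Value 1
Set-RegDword -Path $fslProfiles -Name 'DeleteLocalProfileWhenVHDShouldApply' -Value 1
New-ItemProperty -Path $fslProfiles -Name 'VHDLocations' -PropertyType MultiString `
    -Value @($VhdLocation) -Force | Out-Null

# Verification: read the effective values back and confirm the share host answers on TCP 445,
# which is all the session host needs (no line-of-sight to a DC is required).
function Get-SessionHostProfileConfig {
    $shareHost = ($VhdLocation -split '\\')[2]      # '\\host\share' -> 'host'
    [pscustomobject]@{
        CloudKerberosTicketRetrievalEnabled = (Get-ItemProperty -Path $kerbParams).CloudKerberosTicketRetrievalEnabled
        LoadCredKeyFromProfile              = (Get-ItemProperty -Path $aadAccount).LoadCredKeyFromProfile
        FSLogixEnabled                      = (Get-ItemProperty -Path $fslProfiles).Enabled
        VHDLocations                        = (Get-ItemProperty -Path $fslProfiles).VHDLocations -join ';'
        FSLogixInstalled                    = Test-Path "$env:ProgramFiles\FSLogix\Apps\frx.exe"   # default install path (assumption)
        Smb445Reachable                     = (Test-NetConnection -ComputerName $shareHost -Port 445 `
                                                   -WarningAction SilentlyContinue).TcpTestSucceeded
    }
}

Get-SessionHostProfileConfig | Format-List
```

The three registry writes are idempotent, so the script is safe to run repeatedly from an image build pipeline; a value of 1 for both Kerberos keys and a reachable port 445 are what a healthy host reports.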
Test your deployment
Once you've installed and configured FSLogix, you can test your deployment by signing in with a user account that's been assigned to an application group on the host pool. The user account you sign in with must have permission to use the file share.
If the user has signed in before, they'll have an existing local profile that the service will use during this session. To avoid creating a local profile, either create a new user account to use for tests or use the configuration methods described in Tutorial: Configure profile container to redirect user profiles to enable the DeleteLocalProfileWhenVHDShouldApply setting.
Finally, verify the profile created in Azure Files after the user has successfully signed in:
Open the Azure portal and sign in with an administrative account.
From the sidebar, select Storage accounts.
Select the storage account you configured for your session host pool.
From the sidebar, select File shares.
Select the file share you configured to store the profiles.
If everything's set up correctly, you should see a directory with a name that's formatted like this: <user SID>_<username>.
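The same check done from an admin workstation over SMB instead of the portal, as an added PowerShell example (not code from the original article or from FSLogix). It parses the <user SID>_<username> directory names described above, tells hybrid (S-1-5-21-...) SIDs apart from cloud-only Entra ID (S-1-12-1-...) SIDs, and reports the container file inside each directory. Assumptions: the share UNC is a placeholder, the account running it has share-level permission, and the container is named with the FSLogix default Profile_<username>.vhd or .vhdx.

```powershell
# Added example: enumerate FSLogix profile directories on the share and
# summarise which identity type created each one.
function Get-FSLogixProfileDirectory {
    param([string]$SharePath = '\\stavdprofiles.file.core.windows.net\fslogix')   # placeholder

    Get-ChildItem -LiteralPath $SharePath -Directory | ForEach-Object {
        # Default naming is <SID>_<username>; the FlipFlopProfileDirectoryName
        # setting reverses it to <username>_<SID>, so accept both orders.
        if ($_.Name -match '^(?<sid>S-1-\d+(?:-\d+)+)_(?<user>.+)$' -or
            $_.Name -match '^(?<user>.+)_(?<sid>S-1-\d+(?:-\d+)+)$') {
            $sid  = $Matches.sid
            $user = $Matches.user
        } else {
            Write-Warning "Unexpected directory name on share: $($_.Name)"
            return
        }

        $source = switch -Wildcard ($sid) {
            'S-1-12-1-*' { 'Entra ID (cloud-only or external)' }
            'S-1-5-21-*' { 'Active Directory (hybrid)' }
            default      { 'Unknown' }
        }

        $container = Get-ChildItem -LiteralPath $_.FullName -Filter 'Profile_*.vhd*' -File `
                         -ErrorAction SilentlyContinue | Select-Object -First 1

        [pscustomobject]@{
            Directory = $_.Name
            UserName  = $user
            Sid       = $sid
            SidSource = $source
            Container = if ($container) { $container.Name } else { '(none yet)' }
            SizeMB    = if ($container) { [math]::Round($container.Length / 1MB) } else { 0 }
            LastWrite = if ($container) { $container.LastWriteTime } else { $null }
        }
    }
}

Get-FSLogixProfileDirectory | Sort-Object LastWrite -Descending | Format-Table -AutoSize
```

A directory with no container file usually means the user signed in but FSLogix couldn't create the VHD (check share-level RBAC and the directory-level NTFS permissions); a directory whose SID source doesn't match the identity type you configured points at the wrong storage account identity source.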
Next steps
- To troubleshoot FSLogix, see this troubleshooting guide.