Azure Virtual Desktop with FSLogix profiles is powerful, but the storage configuration is finicky. Get the settings wrong and you'll have slow logins, profile corruption, or access denied errors.
Storage Account Requirements
FSLogix profiles need Azure Files Premium with specific settings:
resource "azurerm_storage_account" "profiles" {
  name                     = "stfslogixprofiles"
  resource_group_name      = azurerm_resource_group.this.name
  location                 = azurerm_resource_group.this.location
  account_tier             = "Premium"     # Must be Premium for profiles
  account_kind             = "FileStorage" # Not StorageV2!
  account_replication_type = "LRS"

  # Don't enable hierarchical namespace
  is_hns_enabled = false
}
Why Premium FileStorage?
- Low latency for profile operations
- Provisioned IOPS and throughput
- SMB Multichannel support
- Better user experience
Standard tier will work but login times suffer.
File Share Configuration
resource "azurerm_storage_share" "profiles" {
  name                 = "profiles"
  storage_account_name = azurerm_storage_account.profiles.name
  quota                = 1024 # GB - size for Premium = provisioned IOPS
  enabled_protocol     = "SMB"
}
Premium tier IOPS scale with share size:
- 100 GB = 500 IOPS baseline
- 1 TB = 1,000 IOPS baseline
- Plus burst up to 4,000 IOPS
AD Authentication
For proper NTFS permissions, the storage account needs AD authentication:
Option 1: Entra Kerberos (Cloud-only)
resource "azurerm_storage_account" "profiles" {
  # ... other config ...

  azure_files_authentication {
    directory_type = "AADKERB"
  }
}
Limitation: Only works with hybrid identities (users synced from on-prem AD).
Option 2: AD DS Join
For full functionality, domain-join the storage account using the AzFilesHybrid module:
Import-Module AzFilesHybrid

Join-AzStorageAccount `
    -ResourceGroupName "rg-avd" `
    -StorageAccountName "stfslogixprofiles" `
    -DomainAccountType "ComputerAccount" `
    -OrganizationalUnitDistinguishedName "OU=Storage,DC=corp,DC=local"
This creates a computer object in AD for the storage account.
NTFS Permissions
After AD integration, set NTFS permissions on the share:
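# Map the drive with the storage account key first
$storageKey = (Get-AzStorageAccountKey -ResourceGroupName "rg-avd" -AccountName "stfslogixprofiles")[0].Value
net use Z: \\stfslogixprofiles.file.core.windows.net\profiles /user:Azure\stfslogixprofiles $storageKey

# Set permissions
# AVD users get Modify on the share root only, so each user can create their own profile folder
icacls Z: /grant "CORP\AVD-Users:(M)"
# Creator Owner gets Modify on subfolders and files only, so users control just the folders they create
icacls Z: /grant "Creator Owner:(OI)(CI)(IO)(M)"
# Remove the broad default groups so users cannot read each other's profiles
icacls Z: /remove "Authenticated Users"
icacls Z: /remove "Users"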
FSLogix GPO Settings
Key registry settings (or via GPO):
HKLM\Software\FSLogix\Profiles
  Enabled = 1 (DWORD)
  VHDLocations = \\stfslogixprofiles.file.core.windows.net\profiles (REG_SZ)
  DeleteLocalProfileWhenVHDShouldApply = 1 (DWORD)
  FlipFlopProfileDirectoryName = 1 (DWORD)
  SizeInMBs = 30000 (DWORD)
  VolumeType = VHDX (REG_SZ)
Troubleshooting
Slow logins:
- Check storage tier (Premium?)
- Check share size vs IOPS needed
- Enable SMB Multichannel
- Check network latency to storage
Access denied:
- Verify AD authentication is configured
- Check NTFS permissions on share
- Verify user is in the correct group
Profile corruption:
- Enable FSLogix logging
- Check concurrent session settings
- Verify antivirus exclusions
Private Endpoint Setup
For production, use private endpoints:
resource "azurerm_private_endpoint" "profiles" {
  name                = "pe-fslogix-profiles"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  subnet_id           = azurerm_subnet.private_endpoints.id

  private_service_connection {
    name                           = "psc-profiles"
    private_connection_resource_id = azurerm_storage_account.profiles.id
    subresource_names              = ["file"]
    is_manual_connection           = false
  }
}
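A private endpoint on its own leaves the storage account's public endpoint reachable and does not make the share's hostname resolve to the private IP. The fragment below is an added example, not part of the original post: it extends the configuration above with a private DNS zone and turns off public network access. `azurerm_virtual_network.this` and the link name are assumed names.

```hcl
# Added example. Resources marked "assumed" are not defined in the original post.

# Private DNS zone so stfslogixprofiles.file.core.windows.net resolves
# to the private endpoint IP from inside the VNet.
resource "azurerm_private_dns_zone" "file" {
  name                = "privatelink.file.core.windows.net"
  resource_group_name = azurerm_resource_group.this.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "file" {
  name                  = "link-avd-vnet" # assumed name
  resource_group_name   = azurerm_resource_group.this.name
  private_dns_zone_name = azurerm_private_dns_zone.file.name
  virtual_network_id    = azurerm_virtual_network.this.id # assumed: VNet of the session hosts
}

resource "azurerm_private_endpoint" "profiles" {
  name                = "pe-fslogix-profiles"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  subnet_id           = azurerm_subnet.private_endpoints.id

  private_service_connection {
    name                           = "psc-profiles"
    private_connection_resource_id = azurerm_storage_account.profiles.id
    subresource_names              = ["file"]
    is_manual_connection           = false
  }

  # Registers the endpoint's A record in the private zone automatically.
  private_dns_zone_group {
    name                 = "default"
    private_dns_zone_ids = [azurerm_private_dns_zone.file.id]
  }
}

resource "azurerm_storage_account" "profiles" {
  # ... other config ...

  # Weak default: true leaves the public file endpoint reachable
  # even though a private endpoint exists.
  public_network_access_enabled = false
}
```

With public access disabled, the `net use` and `icacls` step under NTFS Permissions has to run from a host that reaches the share through the private endpoint.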