Set up Azure Files storage for User personalization layers and Citrix Profile Management
Azure Files offers fully managed file shares in the cloud, and accessible using Server Message Block (SMB) protocol. Azure Files shares can be mounted simultaneously in the cloud and on-premises, on Windows, Linux, or macOS.
Azure Files support for on-premises Active Directory Domain Service Authentication enables Citrix User personalization layers and Citrix Profile Management to use Azure Files. For more about Active Directory Domain Service Authentication, see on-premises Active Directory Service Authentication over SMB for Azure File shares. This article explains how to set up Azure Files to use with Citrix User personalization layers and Citrix Profile Management.
Before you set up User personalization layers or Profile Management, set up Azure Files using the following steps:
- Step 1: Synchronize Azure AD with your on-premises AD
- Step 2: Create Azure Files share
- Step 3: Enable Azure Files AD DS Authentication
- Step 4: Assign share level and NTFS permissions
Step 1: Synchronize Azure AD with your on-premises AD
To use Azure Files with AD Authentication, Synchronize your on-premises AD with Azure AD, using Azure AD Connect.
- The Azure AD tenant and the file share that are used for user personalization layers or Profile Management must be associated with the same subscription.
- The accounts being used must be created in the domain controller and synchronized to Azure AD. Accounts sourced from Azure AD are not appropriate.
After the Synchronization completes, give it some time for Users and Groups to be replicated to Azure AD before you proceed.
Step 2: Create Azure Files share
This procedure explains how to create an Azure Files file share for storing your user layers and profiles.
Currently, there are two tiers of Azure Files, Standard and Premium. Choose the appropriate tier based on your performance requirements. For more about Azure Files performance, refer to Azure Files scalability and performance targets.
This document explains how to set up Standard storage as an example.
- Open the Azure Portal.
- Click Create a resource.
- Select Storage account – blob, file, table, queue.
- Enter the following information into the Create storage account page:
- For Resource Group, click Create new.
- For Storage account, enter a unique name.
- For Location, we recommend you choose the same location as the Virtual Delivery Agents (VDAs) in the Azure resource location.
- For Performance, select Standard. (example choice)
- For Account kind, select StorageV2.
- For Replication, select Locally-redundant storage (LRS).
- When you’re done, select Review + create, then select Create.
- Once storage accounts provisions, select Go to resource.
- On the Overview page, select File shares tile.
- Select +File share.
- Enter a Name, for example uplfolder.
- Enter an appropriate Quota, or leave the field blank for no quota.
- Select Create.
For further details, refer to Create an Azure file share.
Step 3: Enable Azure Files AD Authentication
Use the instructions in this section to enable Azure Files AD Authentication. You need to run these commands from any machine that is already domain-joined. This action is a one-time task. The VM used to run the process is not needed for the solution once the task is complete.
- Use Remote Desktop Protocol (RDP) to connect to the domain-joined virtual machine.
- To install the AzFilesHybrid module and enable authentication, follow the instructions in Enable AD DS authentication for your Azure file shares.
Before proceeding to the next step, validate that Azure Files AD Authentication is enabled as follows:
- Open the Azure portal.
- Open your storage account that is tied to your Azure Files.
- Under Setting, select Configuration, and confirm that Active Directory (AD) is set to Enabled.
Step 4: Assign share level and NTFS permissions
Before assigning user personalization layers and profiles to users and groups, configure the appropriate access to the Azure Files file share.
The accounts or groups to which you assign permissions must be created in the domain and synchronized with Azure AD. Accounts created in Azure AD are not supported.
Assign share level permissions to users
The following section describes how to set the share level permissions:
- Open the Azure portal.
- Open the storage account you created in Step 2.
- Select Access Control (IAM).
- Select Add a role assignment.
- In the Add role assignment tab, select Storage File Data SMB Share Elevated Contributor for the Share administrator account.
- Then select Storage File Data SMB Share Contributor for the users or groups that are assigned user personalization layers and profiles.
- Select Save.
The permissions can take up to 30 minutes before they fully take effect. Give it some time before you proceed to next step.
For details, refer to the Assign share-level permissions to an identity.
Configure your NTFS permissions on the shared folder
Once you have assigned your file share permissions, configure your NTFS permissions.
To configure directory and file level NTFS permissions:
- Open the Azure portal.
- Open the storage account you created in step 3.
- Click the File Share tile
- Click the share name you created, for example uplshare.
- Click Properties.
- Copy the URL link.
- After copying the URL, convert it into the UNC format:
- Replace all forward slashes
//with back slashes
\\. For example:
- Using RDP, connect to a virtual machine that is domain joined.
- Open a command prompt, and run the following cmdlet to mount the Azure file share and assign it a drive letter:
net use <drive-letter> UNC-pathExample:
net use S:\ \\uplshare.file.core.windows.net\uplfolder
- Once the share is mounted, set the following permissions on the mounted share.
|Setting name||Value||Apply to|
|Creator Owner||Modify||Subfolders and Files only|
|Owner Rights||Modify||Subfolders and Files only|
|Users or group:||Create Folder/Append Data; Traverse Folder/Execute File; List Folder/Read Data; Read Attributes||Selected Folder Only|
|System||Full Control||Selected Folder, Subfolders, and Files|
|Domain Admins, and selected Admin group||Full Control||Selected Folder, Subfolders, and Files|
Set up the User personalization layers and profiles
Next, you can configure User personalization layers and profiles. Follow the instructions for deploying User personalization layers and Profile Management quick start guide. Use the UNC path described in Step 4 for the User Layer Repository Path.