Azure Files share
Nerdio Manager leverages Azure Files share technology to store MSIX AppAttach packages and associated metadata. You can use an existing Azure Files share or create a new one with Nerdio Manager (video tutorial). The Azure Files share MUST be AD-integrated to be used as an AppAttach storage location in Nerdio Manager.
Once you've created an Azure Files share and joined it to your AD domain, you must configure security settings on the share to allow session hosts and users to read the contents of the AppAttach packages. With Azure Files, there are two places where these security settings are configured:
- Azure Files Access
- NTFS permissions
In both places, the session host VM computer and the user who will use the application must have at least reader access. The good news is that the default NTFS permissions on newly created Azure Files shares already have the necessary configuration. However, Azure Files share Access Control still needs to be configured.
The following is an easy method to give all current and future session host VMs access to the Azure Files share:
- In Active Directory, create a new Global Security group in an OU that is being synchronized to Azure AD with AD Connect
- Add Domain Computers and Domain Users to the new group
- In Azure Portal, find your Azure Files share and go to Access Control
- Add the new security group with the Storage File Data SMB Share Reader role (you may need to wait for the next sync cycle for new groups to be available in Azure AD)
The end result will be read-only access to the Azure Files share by all domain users and computers. Feel free to customize the above procedure to suit your organization's security policies.
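The four steps above can also be scripted. The following PowerShell is an added example, not Nerdio's own code; the group name, OU, subscription, resource group, storage account and share name are placeholders, and the 45-minute wait is an assumed timeout for the sync cycle.

```powershell
# Added example: every name below is a placeholder (assumption); substitute your own.
$GroupName = 'AppAttach-Readers'                  # hypothetical group name
$GroupOU   = 'OU=AVD,DC=contoso,DC=com'           # hypothetical OU; must be in AD Connect sync scope
$SubId     = '<subscription-id>'
$RG        = '<resource-group>'
$Account   = '<storage-account>'
$Share     = '<share-name>'
$Role      = 'Storage File Data SMB Share Reader'
$Members   = 'Domain Computers', 'Domain Users'

# Steps 1-2 (run on a domain-joined machine with the RSAT ActiveDirectory module)
Import-Module ActiveDirectory
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security -Path $GroupOU
}
# Add only the members that are missing so the script can be re-run safely
$current = (Get-ADGroupMember -Identity $GroupName).SamAccountName
$missing = $Members | Where-Object { $_ -notin $current }
if ($missing) { Add-ADGroupMember -Identity $GroupName -Members $missing }

# Steps 3-4 (requires the Az.Accounts and Az.Resources modules)
Connect-AzAccount -Subscription $SubId | Out-Null

# The group is visible in Azure AD only after the next sync cycle; poll for it.
$deadline = (Get-Date).AddMinutes(45)             # assumed timeout, adjust to your sync schedule
while (-not ($aadGroup = Get-AzADGroup -DisplayName $GroupName)) {
    if ((Get-Date) -gt $deadline) { throw "Group '$GroupName' has not synced to Azure AD yet." }
    Start-Sleep -Seconds 60
}

# Scope the role to the single share rather than the whole storage account
$scope = "/subscriptions/$SubId/resourceGroups/$RG/providers/Microsoft.Storage" +
         "/storageAccounts/$Account/fileServices/default/fileshares/$Share"

# Get-AzRoleAssignment -Scope also returns assignments inherited from parent scopes
$existing = Get-AzRoleAssignment -ObjectId $aadGroup.Id -RoleDefinitionName $Role -Scope $scope
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $aadGroup.Id -RoleDefinitionName $Role -Scope $scope | Out-Null
}

# Review what the group can reach: expect only the SMB Share Reader role on this share
Get-AzRoleAssignment -ObjectId $aadGroup.Id | Format-Table RoleDefinitionName, Scope -AutoSize
```

The final listing is worth keeping in any customized version: it shows at a glance whether the group has picked up a broader role or a wider scope than the read-only share access described above.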