Merge pull request Azure#527 from Azure/aad-fslogix

FSLogix DSC package AAD logic update
ARPA-H · Nov 6, 2023 · 1b8ea28 · 1b8ea28
2 parents 2c8145f + cc64c7c
commit 1b8ea28
Show file tree

Hide file tree

Showing 8 changed files with 482 additions and 474 deletions.
diff --git a/workload/arm/deploy-baseline.json b/workload/arm/deploy-baseline.json
diff --git a/workload/bicep/deploy-baseline.bicep b/workload/bicep/deploy-baseline.bicep
@@ -1092,12 +1092,12 @@ module wrklKeyVault '../../carml/1.3.0/Microsoft.KeyVault/vaults/deploy.bicep' =
                 }
                 {
                     name: 'domainJoinUserName'
-                    value: 'AAD-Joined-Deployment-No-Domain-Credentials'
+                    value: 'NoUsername'
                     contentType: 'Domain join credentials'
                 }
                 {
                     name: 'domainJoinUserPassword'
-                    value: 'AAD-Joined-Deployment-No-Domain-Credentials'
+                    value: 'NoPassword'
                     contentType: 'Domain join credentials'
                 }
             ]
@@ -1152,6 +1152,7 @@ module fslogixAzureFilesStorage './modules/storageAzureFiles/deploy.bicep' = if
     name: 'Storage-FSLogix-${time}'
     params: {
         storagePurpose: 'fslogix'
+        vmLocalUserName: avdVmLocalUserName
         fileShareName: varFslogixFileShareName
         fileShareMultichannel: (fslogixStoragePerformance == 'Premium') ? true : false
         storageSku: varFslogixStorageSku
@@ -1195,6 +1196,7 @@ module msixAzureFilesStorage './modules/storageAzureFiles/deploy.bicep' = if (cr
     name: 'Storage-MSIX-${time}'
     params: {
         storagePurpose: 'msix'
+        vmLocalUserName: avdVmLocalUserName
         fileShareName: varMsixFileShareName
         fileShareMultichannel: (msixStoragePerformance == 'Premium') ? true : false
         storageSku: varMsixStorageSku

diff --git a/workload/bicep/modules/storageAzureFiles/.bicep/azureFilesDomainJoin.bicep b/workload/bicep/modules/storageAzureFiles/.bicep/azureFilesDomainJoin.bicep
@@ -18,13 +18,7 @@ param scriptArguments string
 
 @secure()
 @sys.description('Domain join user password.')
-param domainJoinUserPassword string
-
-// =========== //
-// Variable declaration //
-// =========== //
-
-var varscriptArgumentsWithPassword = '${scriptArguments} -DomainAdminUserPassword ${domainJoinUserPassword} -verbose'
+param adminUserPassword string
 
 // =========== //
 // Deployments //
@@ -42,7 +36,7 @@ resource dscStorageScript 'Microsoft.Compute/virtualMachines/extensions@2022-08-
     settings: {}
     protectedSettings: {
       fileUris: array(baseScriptUri)
-      commandToExecute: 'powershell -ExecutionPolicy Unrestricted -File ${file} ${varscriptArgumentsWithPassword}'
+      commandToExecute: 'powershell -ExecutionPolicy Unrestricted -File ${file} ${scriptArguments} -AdminUserPassword ${adminUserPassword} -verbose'
     }
   }
 }
diff --git a/workload/bicep/modules/storageAzureFiles/deploy.bicep b/workload/bicep/modules/storageAzureFiles/deploy.bicep
@@ -43,6 +43,9 @@ param wrklKvName string
 @sys.description('AVD session host domain join credentials.')
 param domainJoinUserName string
 
+@sys.description('AVD session host local admin credentials.')
+param vmLocalUserName string
+
 @sys.description('Azure Files storage account SKU.')
 param storageSku string
 
@@ -109,7 +112,8 @@ var varAvdFileShareMetricsDiagnostic = [
 var varWrklStoragePrivateEndpointName = 'pe-${storageAccountName}-file'
 var varDirectoryServiceOptions = (identityServiceProvider == 'AADDS') ? 'AADDS': (identityServiceProvider == 'AAD') ? 'AADKERB': 'None'
 var varSecurityPrincipalName = !empty(securityPrincipalName)? securityPrincipalName : 'none'
-var varStorageToDomainScriptArgs = '-DscPath ${dscAgentPackageLocation} -StorageAccountName ${storageAccountName} -StorageAccountRG ${storageObjectsRgName} -StoragePurpose ${storagePurpose} -DomainName ${identityDomainName} -IdentityServiceProvider ${identityServiceProvider} -AzureCloudEnvironment ${varAzureCloudName} -SubscriptionId ${workloadSubsId} -DomainAdminUserName ${domainJoinUserName} -CustomOuPath ${storageCustomOuPath} -OUName ${ouStgPath} -ShareName ${fileShareName} -ClientId ${managedIdentityClientId} -SecurityPrincipalName ${varSecurityPrincipalName} -StorageAccountFqdn ${storageAccountFqdn} '
+var varAdminUserName = (identityServiceProvider == 'AAD') ? vmLocalUserName : domainJoinUserName
+var varStorageToDomainScriptArgs = '-DscPath ${dscAgentPackageLocation} -StorageAccountName ${storageAccountName} -StorageAccountRG ${storageObjectsRgName} -StoragePurpose ${storagePurpose} -DomainName ${identityDomainName} -IdentityServiceProvider ${identityServiceProvider} -AzureCloudEnvironment ${varAzureCloudName} -SubscriptionId ${workloadSubsId} -AdminUserName ${varAdminUserName} -CustomOuPath ${storageCustomOuPath} -OUName ${ouStgPath} -ShareName ${fileShareName} -ClientId ${managedIdentityClientId} -SecurityPrincipalName ${varSecurityPrincipalName} -StorageAccountFqdn ${storageAccountFqdn} '
 // =========== //
 // Deployments //
 // =========== //
@@ -190,7 +194,7 @@ module addShareToDomainScript './.bicep/azureFilesDomainJoin.bicep' = {
         name: managementVmName
         file: storageToDomainScript
         scriptArguments: varStorageToDomainScriptArgs
-        domainJoinUserPassword: avdWrklKeyVaultget.getSecret('domainJoinUserPassword')
+        adminUserPassword: (identityServiceProvider == 'AAD') ? avdWrklKeyVaultget.getSecret('vmLocalUserPassword') : avdWrklKeyVaultget.getSecret('domainJoinUserPassword')
         baseScriptUri: storageToDomainScriptUri
     }
     dependsOn: [

diff --git a/workload/scripts/DSCStorageScripts.zip b/workload/scripts/DSCStorageScripts.zip
diff --git a/workload/scripts/DSCStorageScripts/Configuration.ps1 b/workload/scripts/DSCStorageScripts/Configuration.ps1
@@ -58,15 +58,15 @@ param
 
     [Parameter(Mandatory = $true)]
     [ValidateNotNullOrEmpty()]
-    [string] $DomainAdminUserName,
+    [string] $AdminUserName,
 
     [Parameter(Mandatory = $true)]
     [ValidateNotNullOrEmpty()]
     [string] $StorageAccountFqdn,
 
     [Parameter(Mandatory = $true)]
     [ValidateNotNullOrEmpty()]
-    [string] $DomainAdminUserPassword
+    [string] $AdminUserPassword
 )
 
 
@@ -124,21 +124,22 @@ Configuration DomainJoinFileShare
 
         [Parameter(Mandatory = $true)]
         [ValidateNotNullOrEmpty()]
-        [string] $DomainAdminUserName,
+        [string] $AdminUserName,
 
         [Parameter(Mandatory = $true)]
         [ValidateNotNullOrEmpty()]
         [string] $StorageAccountFqdn,
 
         [Parameter(Mandatory = $true)]
         [ValidateNotNullOrEmpty()]
-        [string] $DomainAdminUserPassword
+        [string] $AdminUserPassword
     )
 
     # Import the module that contains the File resource.
     Import-DscResource -ModuleName PsDesiredStateConfiguration
-    $secStringPassword = ConvertTo-SecureString $DomainAdminUserPassword -AsPlainText -Force
-    $DomainAdminCred = New-Object System.Management.Automation.PSCredential ($DomainAdminUserName, $secStringPassword)
+
+    $secStringPassword = ConvertTo-SecureString $AdminUserPassword -AsPlainText -Force
+    $AdminCred = New-Object System.Management.Automation.PSCredential ($AdminUserName, $secStringPassword)
 
     $ErrorActionPreference = 'Stop'
 
@@ -201,7 +202,7 @@ Configuration DomainJoinFileShare
                 }
             }
 
-            PsDscRunAsCredential = $DomainAdminCred
+            PsDscRunAsCredential = $AdminCred
         }
     }
 }
@@ -216,4 +217,4 @@ $config = @{
     )
 }
 
-DomainJoinFileShare -ConfigurationData $config -StorageAccountName $StorageAccountName -StorageAccountRG $StorageAccountRG -SubscriptionId $SubscriptionId -ShareName $ShareName -DomainName $DomainName -IdentityServiceProvider $IdentityServiceProvider -AzureCloudEnvironment $AzureCloudEnvironment -CustomOuPath $CustomOuPath -OUName $OUName -DomainAdminUserName $DomainAdminUserName -DomainAdminUserPassword $DomainAdminUserPassword -ClientId $ClientId -SecurityPrincipalName $SecurityPrincipalName -StoragePurpose $StoragePurpose -StorageAccountFqdn $StorageAccountFqdn -Verbose;
+DomainJoinFileShare -ConfigurationData $config -StorageAccountName $StorageAccountName -StorageAccountRG $StorageAccountRG -SubscriptionId $SubscriptionId -ShareName $ShareName -DomainName $DomainName -IdentityServiceProvider $IdentityServiceProvider -AzureCloudEnvironment $AzureCloudEnvironment -CustomOuPath $CustomOuPath -OUName $OUName -AdminUserName $AdminUserName -AdminUserPassword $AdminUserPassword -ClientId $ClientId -SecurityPrincipalName $SecurityPrincipalName -StoragePurpose $StoragePurpose -StorageAccountFqdn $StorageAccountFqdn -Verbose;
diff --git a/workload/scripts/DSCStorageScripts/script-domainjoinstorage.ps1 b/workload/scripts/DSCStorageScripts/script-domainjoinstorage.ps1
@@ -63,12 +63,13 @@ $ErrorActionPreference = "Stop"
 
 . (Join-Path $ScriptPath "Logger.ps1")
 
-Write-Log "Forcing group policy updates"
-gpupdate /force
-
-Write-Log "Waiting for domain policies to be applied (1 minute)"
-Start-Sleep -Seconds 60
+if ($IdentityServiceProvider -ne 'AAD') {
+	Write-Log "Forcing group policy updates"
+	gpupdate /force
 
+	Write-Log "Waiting for domain policies to be applied (1 minute)"
+	Start-Sleep -Seconds 60
+}
 
 Write-Log "Turning off Windows firewall. "
 Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False
@@ -127,7 +128,6 @@ if ($IdentityServiceProvider -eq 'ADDS') {
 	}
 }
 
-# Remove Administrators from full control
 if ($StoragePurpose -eq 'fslogix') {
 	$DriveLetter = 'Y'
 }
@@ -165,25 +165,25 @@ Catch {
 
 Try {
 	Write-Log "setting up NTFS permission for FSLogix"
+	icacls ${DriveLetter}: /inheritance:r
 	icacls ${DriveLetter}: /remove "BUILTIN\Administrators"
 	icacls ${DriveLetter}: /grant "Creator Owner:(OI)(CI)(IO)(M)"
-	icacls ${DriveLetter}: /remove "Authenticated Users"
-	icacls ${DriveLetter}: /remove "Builtin\Users"
+	icacls ${DriveLetter}: /remove "BUILTIN\Users"
 	Write-Log "ACLs set"
-	# AVD group permissions
+	#AVD group permissions
 	if ($SecurityPrincipalName -eq 'none' -or $IdentityServiceProvider -eq 'AAD') {
 		Write-Log "AD group not provided or using Microsoft Entra ID joined session hosts, ACLs for AD group not set"
 	}
 	else {
+		icacls ${DriveLetter}: /remove "Authenticated Users"
 		$Group = $DomainName + '\' + $SecurityPrincipalName
 		icacls ${DriveLetter}: /grant "${Group}:(M)"
 		Write-Log "AD group $Group ACLs set"
 	}
-
-	Write-Log "Unmounting drive"
-	# Remove-PSDrive -Name $DriveLetter -Force
-	net use ${DriveLetter} /delete
-	Write-Log "Drive unmounted"
+	# Write-Log "Unmounting drive"
+	# # Remove-PSDrive -Name $DriveLetter -Force
+	# net use ${DriveLetter} /delete
+	# Write-Log "Drive unmounted"
 }
 Catch {
 	Write-Log -Err "Error while setting up NTFS permission for FSLogix"

diff --git a/workload/scripts/Manual-DSC-Storage-Scripts.ps1 b/workload/scripts/Manual-DSC-Storage-Scripts.ps1
@@ -49,11 +49,11 @@ param (
 
         [Parameter(Mandatory = $true)]
         [ValidateNotNullOrEmpty()]
-        [string] $DomainAdminUserName,
+        [string] $AdminUserName,
 
         [Parameter(Mandatory = $true)]
         [ValidateNotNullOrEmpty()]
-        [string] $DomainAdminUserPassword,
+        [string] $AdminUserPassword,
 
         [Parameter(Mandatory = $true)]
         [ValidateNotNullOrEmpty()]
@@ -65,7 +65,13 @@ param (
 )
 
 Write-Host "Add domain join account as local administrator"
-Add-LocalGroupMember -Group "Administrators" -Member $DomainAdminUserName
+if ($IdentityServiceProvider -ne 'AAD') {
+        Add-LocalGroupMember -Group "Administrators" -Member $AdminUserName
+        Write-Host "Domain join account added to local administrators group"
+}
+else {
+        Write-Host "Using AAD, no domain join account to add to local administrators group"
+}
 
 Write-Host "Downloading the DSCStorageScripts.zip from $DscPath"
 $DscArhive = "DSCStorageScripts.zip"
@@ -107,9 +113,10 @@ function Set-EscapeCharacters {
         $string = $string -replace '\$', '`$'
         $string
 }
-$DomainAdminUserPasswordEscaped = Set-EscapeCharacters $DomainAdminUserPassword
+$AdminUserPasswordEscaped = Set-EscapeCharacters $AdminUserPassword
+
 
-$DscCompileCommand = "./Configuration.ps1 -StorageAccountName """ + $StorageAccountName + """ -StorageAccountRG """ + $StorageAccountRG + """ -StoragePurpose """ + $StoragePurpose + """ -StorageAccountFqdn """ + $StorageAccountFqdn + """ -ShareName """ + $ShareName + """ -SubscriptionId """ + $SubscriptionId + """ -ClientId """ + $ClientId + """ -SecurityPrincipalName """ + $SecurityPrincipalName + """ -DomainName """ + $DomainName + """ -IdentityServiceProvider """ + $IdentityServiceProvider + """ -AzureCloudEnvironment """ + $AzureCloudEnvironment + """ -CustomOuPath " + $CustomOuPath + " -OUName """ + $OUName + """ -DomainAdminUserName """ + $DomainAdminUserName + """ -DomainAdminUserPassword """ + $DomainAdminUserPasswordEscaped + """ -Verbose"
+$DscCompileCommand = "./Configuration.ps1 -StorageAccountName """ + $StorageAccountName + """ -StorageAccountRG """ + $StorageAccountRG + """ -StoragePurpose """ + $StoragePurpose + """ -StorageAccountFqdn """ + $StorageAccountFqdn + """ -ShareName """ + $ShareName + """ -SubscriptionId """ + $SubscriptionId + """ -ClientId """ + $ClientId + """ -SecurityPrincipalName """ + $SecurityPrincipalName + """ -DomainName """ + $DomainName + """ -IdentityServiceProvider """ + $IdentityServiceProvider + """ -AzureCloudEnvironment """ + $AzureCloudEnvironment + """ -CustomOuPath " + $CustomOuPath + " -OUName """ + $OUName + """ -AdminUserName """ + $AdminUserName + """ -AdminUserPassword """ + $AdminUserPasswordEscaped + """ -Verbose"
 
 Write-Host "Executing the commmand $DscCompileCommand" 
 Invoke-Expression -Command $DscCompileCommand