
FSLogix DSC package AAD logic update #527

Merged
merged 18 commits into from
Nov 6, 2023
864 changes: 435 additions & 429 deletions workload/arm/deploy-baseline.json


10 changes: 6 additions & 4 deletions workload/bicep/deploy-baseline.bicep
Expand Up @@ -537,7 +537,7 @@ var varZtKvName = avdUseCustomNaming ? '${ztKvPrefixCustomName}-${varComputeStor
var varZtKvPrivateEndpointName = 'pe-${varZtKvName}-vault'
//
var varFslogixSharePath = '\\\\${varFslogixStorageName}.file.${environment().suffixes.storage}\\${varFslogixFileShareName}'
var varBaseScriptUri = 'https://raw.githubusercontent.com/Azure/avdaccelerator/main/workload/'
var varBaseScriptUri = 'https://raw.githubusercontent.com/Azure/avdaccelerator/aad-fslogix/workload/'
var varSessionHostConfigurationScriptUri = '${varBaseScriptUri}scripts/Set-SessionHostConfiguration.ps1'
var varSessionHostConfigurationScript = './Set-SessionHostConfiguration.ps1'
var varDiskEncryptionKeyExpirationInEpoch = dateTimeToEpoch(dateTimeAdd(time, 'P${string(diskEncryptionKeyExpirationInDays)}D'))
Expand Down Expand Up @@ -753,7 +753,7 @@ var varMarketPlaceGalleryWindows = {
version: 'latest'
}
}
var varStorageAzureFilesDscAgentPackageLocation = 'https://github.com/Azure/avdaccelerator/raw/main/workload/scripts/DSCStorageScripts.zip'
var varStorageAzureFilesDscAgentPackageLocation = 'https://github.com/Azure/avdaccelerator/raw/aad-fslogix/workload/scripts/DSCStorageScripts.zip'
var varStorageToDomainScriptUri = '${varBaseScriptUri}scripts/Manual-DSC-Storage-Scripts.ps1'
var varStorageToDomainScript = './Manual-DSC-Storage-Scripts.ps1'
var varOuStgPath = !empty(storageOuPath) ? '"${storageOuPath}"' : '"${varDefaultStorageOuPath}"'
Expand Down Expand Up @@ -1092,12 +1092,12 @@ module wrklKeyVault '../../carml/1.3.0/Microsoft.KeyVault/vaults/deploy.bicep' =
}
{
name: 'domainJoinUserName'
value: 'AAD-Joined-Deployment-No-Domain-Credentials'
value: 'NoUsername'
contentType: 'Domain join credentials'
}
{
name: 'domainJoinUserPassword'
value: 'AAD-Joined-Deployment-No-Domain-Credentials'
value: 'NoPassword'
contentType: 'Domain join credentials'
}
]
Expand Down Expand Up @@ -1152,6 +1152,7 @@ module fslogixAzureFilesStorage './modules/storageAzureFiles/deploy.bicep' = if
name: 'Storage-FSLogix-${time}'
params: {
storagePurpose: 'fslogix'
vmLocalUserName: avdVmLocalUserName
fileShareName: varFslogixFileShareName
fileShareMultichannel: (fslogixStoragePerformance == 'Premium') ? true : false
storageSku: varFslogixStorageSku
Expand Down Expand Up @@ -1195,6 +1196,7 @@ module msixAzureFilesStorage './modules/storageAzureFiles/deploy.bicep' = if (cr
name: 'Storage-MSIX-${time}'
params: {
storagePurpose: 'msix'
vmLocalUserName: avdVmLocalUserName
fileShareName: varMsixFileShareName
fileShareMultichannel: (msixStoragePerformance == 'Premium') ? true : false
storageSku: varMsixStorageSku
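Review bot: `varBaseScriptUri` on L26 and `varStorageAzureFilesDscAgentPackageLocation` on L35 now point at the `aad-fslogix` branch instead of `main`, so the merged template fetches the management-VM setup scripts and the DSC zip from a feature branch that can be deleted or rewritten after the fact. Those artifacts are run with an administrator account on the management VM (the storage module hands them the password chosen at L116), so the reference should be pinned to a tag or commit rather than a mutable branch, e.g. `var varBaseScriptUri = 'https://raw.githubusercontent.com/Azure/avdaccelerator/<TAG_OR_SHA>/workload/'` with the same treatment on L35. Nothing in the visible hunks checks a hash of the downloaded zip, so if pinning is not possible a `// TODO: verify DSCStorageScripts.zip integrity before extraction` is worth leaving next to L35. On the same artifact, the added `workload/scripts/DSCStorageScripts.zip.working` looks like a stray working copy that the templates do not reference and should probably be dropped from the commit.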
Expand Up @@ -18,13 +18,13 @@ param scriptArguments string

@secure()
@sys.description('Domain join user password.')
param domainJoinUserPassword string
param adminUserPassword string

// =========== //
// Variable declaration //
// =========== //

var varscriptArgumentsWithPassword = '${scriptArguments} -DomainAdminUserPassword ${domainJoinUserPassword} -verbose'
var varscriptArgumentsWithPassword = '${scriptArguments} -AdminUserPassword ${adminUserPassword} -verbose'

// =========== //
// Deployments //
8 changes: 6 additions & 2 deletions workload/bicep/modules/storageAzureFiles/deploy.bicep
Expand Up @@ -43,6 +43,9 @@ param wrklKvName string
@sys.description('AVD session host domain join credentials.')
param domainJoinUserName string

@sys.description('AVD session host local admin credentials.')
param vmLocalUserName string

@sys.description('Azure Files storage account SKU.')
param storageSku string

Expand Down Expand Up @@ -109,7 +112,8 @@ var varAvdFileShareMetricsDiagnostic = [
var varWrklStoragePrivateEndpointName = 'pe-${storageAccountName}-file'
var varDirectoryServiceOptions = (identityServiceProvider == 'AADDS') ? 'AADDS': (identityServiceProvider == 'AAD') ? 'AADKERB': 'None'
var varSecurityPrincipalName = !empty(securityPrincipalName)? securityPrincipalName : 'none'
var varStorageToDomainScriptArgs = '-DscPath ${dscAgentPackageLocation} -StorageAccountName ${storageAccountName} -StorageAccountRG ${storageObjectsRgName} -StoragePurpose ${storagePurpose} -DomainName ${identityDomainName} -IdentityServiceProvider ${identityServiceProvider} -AzureCloudEnvironment ${varAzureCloudName} -SubscriptionId ${workloadSubsId} -DomainAdminUserName ${domainJoinUserName} -CustomOuPath ${storageCustomOuPath} -OUName ${ouStgPath} -ShareName ${fileShareName} -ClientId ${managedIdentityClientId} -SecurityPrincipalName ${varSecurityPrincipalName} -StorageAccountFqdn ${storageAccountFqdn} '
var varAdminUserName = (identityServiceProvider == 'AAD') ? vmLocalUserName : domainJoinUserName
var varStorageToDomainScriptArgs = '-DscPath ${dscAgentPackageLocation} -StorageAccountName ${storageAccountName} -StorageAccountRG ${storageObjectsRgName} -StoragePurpose ${storagePurpose} -DomainName ${identityDomainName} -IdentityServiceProvider ${identityServiceProvider} -AzureCloudEnvironment ${varAzureCloudName} -SubscriptionId ${workloadSubsId} -AdminUserName ${varAdminUserName} -CustomOuPath ${storageCustomOuPath} -OUName ${ouStgPath} -ShareName ${fileShareName} -ClientId ${managedIdentityClientId} -SecurityPrincipalName ${varSecurityPrincipalName} -StorageAccountFqdn ${storageAccountFqdn} '
// =========== //
// Deployments //
// =========== //
Expand Down Expand Up @@ -190,7 +194,7 @@ module addShareToDomainScript './.bicep/azureFilesDomainJoin.bicep' = {
name: managementVmName
file: storageToDomainScript
scriptArguments: varStorageToDomainScriptArgs
domainJoinUserPassword: avdWrklKeyVaultget.getSecret('domainJoinUserPassword')
adminUserPassword: (identityServiceProvider == 'AAD') ? avdWrklKeyVaultget.getSecret('vmLocalUserPassword') : avdWrklKeyVaultget.getSecret('domainJoinUserPassword')
baseScriptUri: storageToDomainScriptUri
}
dependsOn: [
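Review bot: The `identityServiceProvider == 'AAD'` selection is written twice, once for the user name on L106 and once for the password secret on L116, so the two halves of the credential can drift apart (local admin name with the domain password, or the reverse) without any compile-time signal. Hoist it once, `var varUseLocalAdmin = (identityServiceProvider == 'AAD')`, then `var varAdminUserName = varUseLocalAdmin ? vmLocalUserName : domainJoinUserName` and `adminUserPassword: varUseLocalAdmin ? avdWrklKeyVaultget.getSecret('vmLocalUserPassword') : avdWrklKeyVaultget.getSecret('domainJoinUserPassword')`. The description on L95 says "credentials" but the parameter carries only a user name; `@sys.description('AVD session host local admin user name.')` would be accurate. The `addShareToDomainScript` module body continues outside the hunk.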
Binary file modified workload/scripts/DSCStorageScripts.zip
Binary file not shown.
Binary file added workload/scripts/DSCStorageScripts.zip.working
Binary file not shown.
18 changes: 10 additions & 8 deletions workload/scripts/DSCStorageScripts/Configuration.ps1
Expand Up @@ -58,15 +58,15 @@

[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[string] $DomainAdminUserName,
[string] $AdminUserName,

[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[string] $StorageAccountFqdn,

[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[string] $DomainAdminUserPassword
[SecureString] $AdminUserPassword
)


Expand Down Expand Up @@ -124,21 +124,23 @@

[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[string] $DomainAdminUserName,
[string] $AdminUserName,

[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[string] $StorageAccountFqdn,

[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[string] $DomainAdminUserPassword
[SecureString] $AdminUserPassword
)

# Import the module that contains the File resource.
Import-DscResource -ModuleName PsDesiredStateConfiguration
$secStringPassword = ConvertTo-SecureString $DomainAdminUserPassword -AsPlainText -Force
$DomainAdminCred = New-Object System.Management.Automation.PSCredential ($DomainAdminUserName, $secStringPassword)

$secStringPassword = ConvertTo-SecureString $AdminUserPassword -AsPlainText -Force
#$AdminCred = New-Object System.Management.Automation.PSCredential ($AdminUserName, $AdminUserPassword) # $secStringPassword)
$AdminCred = New-Object System.Management.Automation.PSCredential ($AdminUserName, $secStringPassword)

$ErrorActionPreference = 'Stop'

Expand Down Expand Up @@ -201,7 +203,7 @@
}
}

PsDscRunAsCredential = $DomainAdminCred
PsDscRunAsCredential = $AdminCred
}
}
}
Expand All @@ -216,4 +218,4 @@
)
}

DomainJoinFileShare -ConfigurationData $config -StorageAccountName $StorageAccountName -StorageAccountRG $StorageAccountRG -SubscriptionId $SubscriptionId -ShareName $ShareName -DomainName $DomainName -IdentityServiceProvider $IdentityServiceProvider -AzureCloudEnvironment $AzureCloudEnvironment -CustomOuPath $CustomOuPath -OUName $OUName -DomainAdminUserName $DomainAdminUserName -DomainAdminUserPassword $DomainAdminUserPassword -ClientId $ClientId -SecurityPrincipalName $SecurityPrincipalName -StoragePurpose $StoragePurpose -StorageAccountFqdn $StorageAccountFqdn -Verbose;
DomainJoinFileShare -ConfigurationData $config -StorageAccountName $StorageAccountName -StorageAccountRG $StorageAccountRG -SubscriptionId $SubscriptionId -ShareName $ShareName -DomainName $DomainName -IdentityServiceProvider $IdentityServiceProvider -AzureCloudEnvironment $AzureCloudEnvironment -CustomOuPath $CustomOuPath -OUName $OUName -AdminUserName $AdminUserName -AdminUserPassword $AdminUserPassword -ClientId $ClientId -SecurityPrincipalName $SecurityPrincipalName -StoragePurpose $StoragePurpose -StorageAccountFqdn $StorageAccountFqdn -Verbose;
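Review bot: `$AdminUserPassword` is declared `[SecureString]` on L141 and L159, yet L167 still runs `ConvertTo-SecureString $AdminUserPassword -AsPlainText -Force` on it; a SecureString bound to that cmdlet's string parameter is converted via its string form, so `$AdminCred` on L171 would be built from the literal text `System.Security.SecureString` rather than the supplied secret. If the parameter is meant to stay a SecureString, drop L167 and the commented L170 and build the credential directly, `$AdminCred = New-Object System.Management.Automation.PSCredential ($AdminUserName, $AdminUserPassword)`; if it has to remain plain text because the caller passes it inside an `Invoke-Expression` command string, keep the conversion and revert the declaration to `[string]`. The same mismatch appears in Manual-DSC-Storage-Scripts.ps1, where L293 applies `-replace` to the `[SecureString]` declared on L269 while azureFilesDomainJoin.bicep L84 supplies the value as plain text in `-AdminUserPassword ${adminUserPassword}`, which as far as I can tell would not bind to a SecureString parameter at all. Which of the two conventions the deployment actually exercised cannot be confirmed from the hunks, so the AAD path deserves an end-to-end run before relying on it.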
30 changes: 14 additions & 16 deletions workload/scripts/DSCStorageScripts/script-domainjoinstorage.ps1
Expand Up @@ -63,12 +63,13 @@ $ErrorActionPreference = "Stop"

. (Join-Path $ScriptPath "Logger.ps1")

Write-Log "Forcing group policy updates"
gpupdate /force

Write-Log "Waiting for domain policies to be applied (1 minute)"
Start-Sleep -Seconds 60
if ($IdentityServiceProvider -ne 'AAD') {
Write-Log "Forcing group policy updates"
gpupdate /force

Write-Log "Waiting for domain policies to be applied (1 minute)"
Start-Sleep -Seconds 60
}

Write-Log "Turning off Windows firewall. "
Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False
Expand Down Expand Up @@ -127,7 +128,6 @@ if ($IdentityServiceProvider -eq 'ADDS') {
}
}

# Remove Administrators from full control
if ($StoragePurpose -eq 'fslogix') {
$DriveLetter = 'Y'
}
Expand Down Expand Up @@ -162,28 +162,26 @@ Catch {
Write-Log -Err $_.Exception.Message
Throw $_
}

Try {
Write-Log "setting up NTFS permission for FSLogix"
icacls ${DriveLetter}: /inheritance:r
icacls ${DriveLetter}: /remove "BUILTIN\Administrators"
icacls ${DriveLetter}: /grant "Creator Owner:(OI)(CI)(IO)(M)"
icacls ${DriveLetter}: /remove "Authenticated Users"
icacls ${DriveLetter}: /remove "Builtin\Users"
icacls ${DriveLetter}: /remove "BUILTIN\Users"
Write-Log "ACLs set"
# AVD group permissions
#AVD group permissions
if ($SecurityPrincipalName -eq 'none' -or $IdentityServiceProvider -eq 'AAD') {
Write-Log "AD group not provided or using Microsoft Entra ID joined session hosts, ACLs for AD group not set"
}
else {
icacls ${DriveLetter}: /remove "Authenticated Users"
$Group = $DomainName + '\' + $SecurityPrincipalName
icacls ${DriveLetter}: /grant "${Group}:(M)"
Write-Log "AD group $Group ACLs set"
}

Write-Log "Unmounting drive"
# Remove-PSDrive -Name $DriveLetter -Force
net use ${DriveLetter} /delete
Write-Log "Drive unmounted"
# Write-Log "Unmounting drive"
# # Remove-PSDrive -Name $DriveLetter -Force
# net use ${DriveLetter} /delete
# Write-Log "Drive unmounted"
}
Catch {
Write-Log -Err "Error while setting up NTFS permission for FSLogix"
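Review bot: The unmount on L249-L252 is now commented out, so after the ACLs are applied the `net use` mapping to the share, created before this hunk, stays open on the management VM for as long as the session lives. If it was disabled because the earlier call failed, note that `net use ${DriveLetter} /delete` on L247 lacked the colon; `net use ${DriveLetter}: /delete` matches the drive letter form used by the `icacls` calls. If leaving the mapping is intentional, replace the dead lines with a one-line comment saying why rather than keeping commented-out code. Separately, moving `icacls ${DriveLetter}: /remove "Authenticated Users"` into the else branch on L239 means Entra-joined deployments keep whatever explicit Authenticated Users entry the share root carries; that reads as intentional but deserves a comment next to L235 stating the ACL the AAD path is expected to end up with. The enclosing `Try` block starts outside the hunk.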
17 changes: 12 additions & 5 deletions workload/scripts/Manual-DSC-Storage-Scripts.ps1
Expand Up @@ -49,11 +49,11 @@ param (

[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[string] $DomainAdminUserName,
[string] $AdminUserName,

[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[string] $DomainAdminUserPassword,
[SecureString] $AdminUserPassword,

[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
Expand All @@ -65,7 +65,13 @@ param (
)

Write-Host "Add domain join account as local administrator"
Add-LocalGroupMember -Group "Administrators" -Member $DomainAdminUserName
if ($IdentityServiceProvider -ne 'AAD') {
Add-LocalGroupMember -Group "Administrators" -Member $AdminUserName
Write-Host "Domain join account added to local administrators group"
}
else {
Write-Host "Using AAD, no domain join account to add to local administrators group"
}

Write-Host "Downloading the DSCStorageScripts.zip from $DscPath"
$DscArhive = "DSCStorageScripts.zip"
Expand Down Expand Up @@ -107,9 +113,10 @@ function Set-EscapeCharacters {
$string = $string -replace '\$', '`$'
$string
}
$DomainAdminUserPasswordEscaped = Set-EscapeCharacters $DomainAdminUserPassword
$AdminUserPasswordEscaped = Set-EscapeCharacters $AdminUserPassword


$DscCompileCommand = "./Configuration.ps1 -StorageAccountName """ + $StorageAccountName + """ -StorageAccountRG """ + $StorageAccountRG + """ -StoragePurpose """ + $StoragePurpose + """ -StorageAccountFqdn """ + $StorageAccountFqdn + """ -ShareName """ + $ShareName + """ -SubscriptionId """ + $SubscriptionId + """ -ClientId """ + $ClientId + """ -SecurityPrincipalName """ + $SecurityPrincipalName + """ -DomainName """ + $DomainName + """ -IdentityServiceProvider """ + $IdentityServiceProvider + """ -AzureCloudEnvironment """ + $AzureCloudEnvironment + """ -CustomOuPath " + $CustomOuPath + " -OUName """ + $OUName + """ -DomainAdminUserName """ + $DomainAdminUserName + """ -DomainAdminUserPassword """ + $DomainAdminUserPasswordEscaped + """ -Verbose"
$DscCompileCommand = "./Configuration.ps1 -StorageAccountName """ + $StorageAccountName + """ -StorageAccountRG """ + $StorageAccountRG + """ -StoragePurpose """ + $StoragePurpose + """ -StorageAccountFqdn """ + $StorageAccountFqdn + """ -ShareName """ + $ShareName + """ -SubscriptionId """ + $SubscriptionId + """ -ClientId """ + $ClientId + """ -SecurityPrincipalName """ + $SecurityPrincipalName + """ -DomainName """ + $DomainName + """ -IdentityServiceProvider """ + $IdentityServiceProvider + """ -AzureCloudEnvironment """ + $AzureCloudEnvironment + """ -CustomOuPath " + $CustomOuPath + " -OUName """ + $OUName + """ -AdminUserName """ + $AdminUserName + """ -AdminUserPassword """ + $AdminUserPasswordEscaped + """ -Verbose"

Write-Host "Executing the commmand $DscCompileCommand"
Invoke-Expression -Command $DscCompileCommand
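Review bot: `$DscCompileCommand` on L297 embeds the escaped admin password, and the unchanged lines right after it echo the whole string with `Write-Host` and run it through `Invoke-Expression`, so the password is written to the extension's stdout and to any captured deployment log. Log a redacted form instead, e.g. `Write-Host "Executing ./Configuration.ps1 for $StorageAccountName (password omitted)"`, and keep the full command only in the variable that is executed. The `else` branch on L282-L284 could also say which account will be used instead of the domain join account, since the rest of the script still expects `$AdminUserName` to be a member of Administrators for the DSC run.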