File Shares and Azure NetApp Files | Guided by A Guide to Cloud

Building the profile storage

Simple explanation

Think of it like setting up a locker room for your users.

In the previous module you picked the type of lockers (Azure Files or NetApp Files). Now you actually build the locker room — create the share, install the locks (authentication), and label each locker so only the right person can open it (permissions). Get this wrong, and people either cannot sign in or can peek into each other’s lockers.

Creating Azure Files shares

Standard tier (GPv2 account)

Create a General-purpose v2 storage account
Under File shares, create a new share
Set the quota (maximum size in GiB) — this controls capacity, not performance
Default tier is Transaction Optimized (best for profile workloads on Standard)

Premium tier (FileStorage account)

Create a FileStorage storage account (this account type only supports file shares)
Create a new share and set the provisioned size
Performance scales with provisioned size — a 100 GiB Premium share gives baseline IOPS of 3,100; a 1 TiB share gives 13,100 baseline IOPS

Important: You cannot convert a GPv2 account to FileStorage or vice versa. Choose the right one at creation time.

🏢 Raj at TerraStack: “We started with a 1 TiB Premium share for our first 500 users. When the second wave of 1,500 users came, we increased the provisioned size to 4 TiB. No downtime, no migration — just a slider change. That is a big advantage of Premium Azure Files.”

Authentication methods for Azure Files

FSLogix must authenticate users against the file share using Kerberos. Azure Files supports three identity sources:

Method	Requirements	Best for
On-premises AD DS	Storage account joined to your AD domain, line-of-sight to a domain controller	Hybrid environments with existing AD
Entra Domain Services	Managed domain service running in Azure	Cloud-only orgs that need traditional AD features
Entra Kerberos	Entra ID (no traditional AD needed), hybrid identities synced	Simplest setup for Entra-joined session hosts

AD DS integration steps (most common for enterprise)

Domain-join the storage account — run the AzFilesHybrid PowerShell module to create a computer object in your AD for the storage account
Assign share-level RBAC roles — give users the Storage File Data SMB Share Contributor role on the file share
Configure NTFS permissions — mount the share using a storage account key (one-time admin task), then set NTFS ACLs on the root folder
Test from a domain-joined session host — the user should be able to access the share using their AD credentials (Kerberos ticket)

Exam tip: Entra Kerberos vs AD DS

If the exam says “session hosts are Entra-joined (not hybrid-joined)” and there is no on-premises AD, the answer is Entra Kerberos for Azure Files authentication. Entra Kerberos does NOT require a domain controller or Entra Domain Services — it issues Kerberos tickets directly from Entra ID. However, the user identities must be hybrid identities synced from on-premises AD via Entra Connect, OR cloud-only identities with Entra Kerberos (preview for cloud-only at time of writing).

🏛️ JC at Federal Dept: “We are 100% on-premises AD. Entra Kerberos was not an option — our security auditor Aisha required the storage account to be domain-joined with a computer object in our controlled OU. We used the AzFilesHybrid module and it took about 20 minutes.”

Configuring permissions for FSLogix

Role	Who gets it
Storage File Data SMB Share Contributor	All AVD users who need profiles
Storage File Data SMB Share Elevated Contributor	Admins who need to set NTFS permissions
Storage File Data SMB Share Reader	Service accounts that only read (rare for FSLogix)

NTFS permissions (file system)

After assigning RBAC roles, mount the share with a storage account key and set NTFS permissions:

Folder	Principal	Permission
Root of share	Domain Users (or security group)	Modify — This folder only
Root of share	Creator/Owner	Full Control — Subfolders and files only
Root of share	SYSTEM	Full Control
User subfolder (auto-created by FSLogix)	The user	Full Control (inherited from Creator/Owner)

This structure lets users create their profile folder on first sign-in but prevents them from accessing other users’ folders.

Azure Files backup and snapshots

Azure Backup integrates directly with Azure Files — create a Recovery Services vault and configure a backup policy
Share snapshots capture a point-in-time copy of the entire share. Snapshots are incremental (only changed data is stored)
You can restore individual files from a snapshot — useful when a user’s profile gets corrupted
Premium shares support up to 200 snapshots; Standard shares support up to 200

🎧 Mia scenario (not applicable here): Profile backup is critical in healthcare. More on Mia’s story in the host pool module.

Azure NetApp Files

Azure NetApp Files is a fully managed, high-performance file storage service. It is deployed differently from Azure Files.

Core concepts

Concept	What it is
NetApp account	Top-level container (like a storage account)
Capacity pool	A pool of storage with a service level (Standard, Premium, Ultra). Minimum 1 TiB.
Volume	An SMB or NFS share inside a capacity pool. Minimum 50 GiB.

Service levels

Level	Throughput per TiB	Typical use
Standard	16 MiB/s per TiB	Light workloads, large user counts where raw capacity reduces per-TiB cost
Premium	64 MiB/s per TiB	Medium to heavy workloads
Ultra	128 MiB/s per TiB	Power users — CAD, video editing, GPU desktops

The key insight: performance scales with provisioned capacity. A 4 TiB Premium volume gets 256 MiB/s throughput. A 10 TiB Standard volume gets 160 MiB/s. Sometimes a larger Standard volume can match a smaller Premium volume at lower cost.

🏢 Raj’s NetApp decision: “Our 200-person CAD team pushes huge Revit files. Dmitri tested Azure Files Premium and we hit latency walls at 3 ms. NetApp Files Ultra at sub-1 ms solved the problem. The rest of the company stays on Azure Files Premium — no need to over-spend.”

NetApp Files networking

NetApp Files volumes are deployed into a delegated subnet in your VNet
The delegated subnet must be dedicated to NetApp Files (no VMs or other services)
Session hosts in the same VNet (or a peered VNet) access the volume via SMB directly
No need for private endpoints — NetApp Files lives inside your VNet by design

Deep dive: NetApp Files capacity planning

Microsoft recommends no more than 3,000 concurrent FSLogix profiles per regular NetApp Files volume. Beyond this, latency increases. For larger deployments, create multiple volumes and split users with FSLogix group policies that target different profile share paths. You can also use large volumes (up to 500 TiB) for higher concurrent user counts, but this is a premium feature. When sizing, remember that performance equals throughput per TiB multiplied by volume size — provision enough capacity to get the throughput you need, even if the raw storage is not all used.

Choosing between Azure Files and NetApp Files

Azure Files Standard vs Premium vs NetApp Files
Feature	Azure Files Standard	Azure Files Premium	Azure NetApp Files
Storage media	HDD	SSD	NVMe/SSD
Latency	Single-digit ms	Around 3 ms	Sub-1 ms
Max IOPS per share/volume	Up to 20,000	Up to 100,000	Up to 460,000
Minimum commitment	1 GiB	100 GiB	1 TiB pool, 50 GiB volume
Billing	Pay-as-you-go	Provisioned capacity	Provisioned capacity pool
Identity support	AD DS, Entra DS, Entra Kerberos	AD DS, Entra DS, Entra Kerberos	AD DS, Entra DS
Networking	Public, service, or private endpoint	Public, service, or private endpoint	Delegated subnet (inherently private)
Recommended users	Under 200 light	200+ or any medium/heavy	3,000+ or sub-ms latency needed
Backup	Azure Backup, share snapshots	Azure Backup, share snapshots	NetApp snapshots, NetApp backup

Decision shortcut: Start with Azure Files Premium. Only move to NetApp Files if you need sub-ms latency, more than 100,000 IOPS per share, or mixed SMB/NFS workloads.

Question

What is the minimum size of an Azure NetApp Files capacity pool?