Storage Planning for User Data
Plan the right storage backend for FSLogix profile containers — Azure Files, Azure NetApp Files, or page blobs — balancing cost, performance, and compliance.
Why storage matters for AVD
Think of every user’s desktop as a hotel room.
When a guest checks in, the hotel needs to unpack their suitcase into the wardrobe. When they check out, everything goes back into the suitcase. The wardrobe is the session host VM. The suitcase is the FSLogix profile container (a VHD file on a file share). The speed of unpacking depends on how fast the storage behind that file share is. Slow storage means users stare at a spinning cursor every time they sign in.
Storage options at a glance
Azure gives you four places to store FSLogix profile containers:
| Option | Protocol | Best for | Minimum unit |
|---|---|---|---|
| Azure Files | SMB 3.x | Most AVD deployments | 1 GiB share |
| Azure NetApp Files | SMB 3.x or NFS | Enterprise scale, low-latency needs | 1 TiB capacity pool, 50 GiB volume |
| Azure page blobs | REST (Cloud Cache) | Multi-region active/active profiles | Per-blob |
| Azure Managed Disks | Direct attach | Personal desktops only (1-to-1 mapping) | Per-disk |
🏢 Raj at TerraStack: “We have 8,000 users migrating from Citrix. Azure Files Premium is our default. But the 200-person CAD team needs Azure NetApp Files because their profile containers hit 30 GB each with crazy IOPS at sign-in.”
FSLogix storage requirements
FSLogix needs an SMB file share with two layers of permissions:
- Share-level permissions — who can connect to the share (configured via Azure RBAC roles for Azure Files, or share permissions for NetApp Files)
- NTFS permissions — who can read or write inside the share (set on the file system itself)
The recommended NTFS structure gives each user a personal folder that only they can access:
| Path | NTFS permission |
|---|---|
| Root of the share | Authenticated Users: Modify (this folder only) |
| User subfolder (auto-created) | Owner: Full Control; SYSTEM: Full Control |
This means users can create their own profile folder but cannot see anyone else’s folder contents.
Exam tip: Two permission layers
The exam loves to test the difference between share-level and NTFS permissions. A common wrong answer is to grant Full Control at the share level. The recommended approach is to use the Storage File Data SMB Share Contributor RBAC role for share-level access (in Azure Files), and then configure NTFS permissions on the root folder. Never grant users Full Control at the share level — that bypasses NTFS protections.
Storage account types
Azure Storage accounts come in two flavours relevant to AVD:
| Account type | Backed by | Performance | Billing model |
|---|---|---|---|
| General-purpose v2 (GPv2) | HDD (Standard tier) | Good for light workloads, fewer than 200 users | Pay for what you use (transactions plus stored data) |
| FileStorage | SSD (Premium tier) | Required for medium to power workloads | Provisioned capacity (pay for the size you reserve) |
Key rule of thumb: If you have more than 200 light users, or any medium/heavy users, go Premium. The exam expects you to match workload type to tier.
IOPS sizing per user
Microsoft publishes guidelines for IOPS per user:
| Workload | IOPS per user (steady state) | IOPS per user (sign-in/sign-out) |
|---|---|---|
| Light | 5-10 | 50 |
| Medium | 10-20 | 50 |
| Heavy | 20-40 | 50 |
| Power | 40-60+ | 100 |
Sign-in and sign-out cause an IOPS spike because the entire profile VHD is being mounted or flushed. Size your storage for peak (sign-in storm), not just steady state.
🎧 Mia at Horizons Health: “Our 12 clinics all start shift at 7 AM. That is 400 nurses signing in within 15 minutes. We sized our Premium file share for the sign-in storm, not the quiet afternoon period — otherwise mornings were unusable.”
Storage account networking
Your storage account is only useful if your session hosts can reach it. Three options:
| Approach | How it works | Security level |
|---|---|---|
| Public endpoint | Storage is reachable over the internet (firewall rules restrict who) | Lowest — traffic leaves the VNet |
| Service endpoint | A VNet policy routes traffic to storage over the Azure backbone | Medium — no public IP exposure from VNet |
| Private endpoint | A private IP inside your VNet connects to storage | Highest — traffic never touches the internet |
For production AVD, private endpoints are the recommended approach. They pair naturally with the Private Link configuration you learned in the previous module.
Deep dive: Storage firewall traps
If you lock down your storage account firewall but forget to add a private endpoint (or service endpoint) for the session host subnet, FSLogix will fail to mount profiles at sign-in. Users will get a temporary profile instead. Check the FSLogix log at C:\ProgramData\FSLogix\Logs\Profile for error 0x00000005 (access denied) or network-related failures. This is the single most common storage troubleshooting scenario in AVD.
Azure Files vs Azure NetApp Files
| Feature | Azure Files | Azure NetApp Files |
|---|---|---|
| Protocol | SMB 3.x | SMB 3.x and NFS |
| Maximum IOPS per share/volume | Up to 100,000 (Premium) | Up to 460,000 |
| Latency | Single-digit milliseconds (Premium: around 3 ms) | Sub-millisecond (around 1 ms) |
| Maximum capacity | 100 TiB per share | 100 TiB per volume |
| Minimum commitment | 1 GiB share (Standard), 100 GiB (Premium) | 1 TiB capacity pool, 50 GiB volume |
| Billing model | Pay-as-you-go (Standard) or provisioned (Premium) | Provisioned capacity pool |
| Redundancy | LRS, ZRS, GRS, GZRS | LRS, ZRS (cross-zone replication), cross-region replication |
| Identity integration | AD DS, Entra Domain Services, Entra Kerberos | AD DS, Entra Domain Services |
| Best for | Most AVD deployments (up to thousands of users) | High-performance or very large-scale deployments |
| Backup | Azure Backup snapshots | NetApp snapshots and NetApp backup |
When to pick what
- Azure Files Standard — small pilot, fewer than 200 light users, tight budget
- Azure Files Premium — production AVD for most organisations, 200+ users
- Azure NetApp Files — enterprise scale (3,000+ users on one volume), sub-ms latency required, or mixed SMB/NFS needs
- Page blobs with Cloud Cache — multi-region active/active profiles where you need writes to land in two regions simultaneously
TerraStack Industries has 2,000 medium-workload users. Raj wants the lowest-cost Azure-native storage that meets performance requirements. Which storage solution should he choose?
Mia needs to lock down her storage account so FSLogix traffic stays within the Azure backbone. She does not want any public internet exposure. Which networking approach should she use?
Which RBAC role should you assign to AVD users at the Azure Files share level for FSLogix profile containers?
Exam tip: Page blobs and Cloud Cache
The exam occasionally tests Cloud Cache. FSLogix Cloud Cache writes profile data to a local cache first, then asynchronously replicates to one or more remote locations (Azure page blobs, SMB shares, or both). It is the only way to get active/active multi-region profiles. The tradeoff: it requires local SSD capacity on every session host and adds complexity. If the exam mentions “users must have the same profile in two Azure regions,” the answer is Cloud Cache with page blobs.
Next up: Now that you know where to store profiles, the next module walks through actually creating and configuring file shares — File Shares and Azure NetApp Files.
🎬 Video coming soon
Storage Planning for AVD