You have a Windows Virtual Desktop host pool named Pool1 and an Azure Storage account named Storage1. Storage1 stores FSLogix profile containers in a share folder named share1. You create a new group named Group1. You provide Group1 with permission to sign in to Pool1. You need to ensure that the members of Group1 can store the FSLogix profile containers in share1. The solution must use the principle of least privilege. Which two privileges should you assign to Group1 for them to store FSLogix profile containers in share1, adhering to the principle of least privilege?

A) Read access to Pool1
B) Storage Blob Data Contributor role
C) File Share - Modify NTFS permissions
D) Storage File Data SMB Share Contributor role

asked by Amichaud

1 Answer

Members of Group1 should be assigned Read access to Pool1 for general sign-in permissions to the WVD host pool and the Storage File Data SMB Share Contributor role to manage FSLogix profile containers over SMB in the Azure file share with least privilege.

To ensure that the members of Group1 can store the FSLogix profile containers in the share1 folder within the Azure Storage account (Storage1) while adhering to the principle of least privilege, you should assign the following two privileges:

  • Read access to Pool1: While this access does not directly relate to the storage on Azure, it is generally necessary for users to sign in to the Windows Virtual Desktop (WVD) host pool where the FSLogix profiles are being used.
  • Storage File Data SMB Share Contributor role: This role allows the users to create and manage files and directories in an Azure file share over SMB (Server Message Block), which is required for storing and handling FSLogix profile containers through a network share.

The Storage Blob Data Contributor role is not suitable in this case because it is used for blobs in blob storage, not file shares. Similarly, the File Share - Modify NTFS permissions is too broad as it implies control over the NTFS file system permissions which is unrelated to Azure file share permissions.

answered by Surasin Tancharoen
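Added example (not part of the question or the answer above): how the Storage File Data SMB Share Contributor assignment from the answer is made in Az PowerShell so that it covers share1 only, followed by two checks a practitioner would run. The subscription ID and resource group name are placeholders I made up for the example; the storage account, share and group names come from the question, and the Az.Accounts and Az.Resources modules are assumed to be installed.

```powershell
# Added example, not from the original page. Grants Group1 the
# 'Storage File Data SMB Share Contributor' role scoped to share1 on storage1,
# then verifies the scope and the role's permissions.
# Assumed values: $subscriptionId and $resourceGroupName are placeholders.

Connect-AzAccount | Out-Null

$subscriptionId    = '00000000-0000-0000-0000-000000000000'  # assumed placeholder
$resourceGroupName = 'rg-wvd'                                 # assumed placeholder
$storageAccount    = 'storage1'                               # from the question
$shareName         = 'share1'                                 # from the question
$groupName         = 'Group1'                                 # from the question
$roleName          = 'Storage File Data SMB Share Contributor'

# Least privilege: scope the assignment to the single file share, not to the
# storage account, resource group or subscription.
$shareScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName" +
              "/providers/Microsoft.Storage/storageAccounts/$storageAccount" +
              "/fileServices/default/fileshares/$shareName"

$group = Get-AzADGroup -DisplayName $groupName
if (-not $group) { throw "Group '$groupName' not found in the directory." }

# Idempotent: only create the assignment if it is not already present.
$existing = Get-AzRoleAssignment -ObjectId $group.Id `
                                 -RoleDefinitionName $roleName `
                                 -Scope $shareScope `
                                 -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $group.Id `
                         -RoleDefinitionName $roleName `
                         -Scope $shareScope | Out-Null
}

# Check 1: the role's DataActions are limited to file data operations on shares
# (read/write/delete of files), which is what FSLogix needs over SMB.
Get-AzRoleDefinition -Name $roleName | Select-Object -ExpandProperty DataActions

# Check 2: what Group1 holds at (or inherited above) the share scope. Any role
# other than SMB Share Contributor here, or the same role at a wider scope,
# exceeds what storing profile containers in share1 requires.
Get-AzRoleAssignment -ObjectId $group.Id -Scope $shareScope |
    Select-Object RoleDefinitionName, Scope
```

The second check matters because Get-AzRoleAssignment with -Scope also returns assignments inherited from parent scopes, so a Storage Blob Data Contributor or Contributor assignment made earlier at the storage account or subscription level will show up here and should be removed to keep the result at least privilege.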