Leveraging Azure VM System-Assigned Managed Identity to Map Azure Files Without Entra Domain Services

In many organisations, there is a need to map Azure Files shares to Windows virtual machines without deploying a traditional file server or a fully-fledged Entra Domain Services (Azure AD Domain Services) environment. One efficient and secure method is to use the system-assigned managed identity on your Azure VM. This approach eliminates the need to store credentials on the VM and ensures that access to your storage account is governed through Azure RBAC roles rather than static credentials.

This guide will walk you through:

  1. Assigning appropriate RBAC roles to your VM’s managed identity.
  2. Creating a PowerShell script to retrieve a storage account key using the managed identity.
  3. Mapping the Azure Files share to a drive letter on the VM.
  4. Automating drive mapping for all users at logon through a scheduled task.

This solution is especially useful for scenarios like FSLogix profile containers utilising Cloud Cache. By setting the CCDLocations registry key in FSLogix to point to the newly mapped network drive, you can seamlessly store and retrieve user profiles on Azure Files without needing Entra Domain Services.


1. Assign Required RBAC Roles

Before you can programmatically retrieve your storage account keys through the system-assigned managed identity, you must grant the identity sufficient permissions to access and manage the keys and files:

  1. Storage Account Key Operator Service: Allows the managed identity to retrieve the storage account keys.
  2. Storage File Data SMB Share Contributor (optional but strongly recommended): Ensures the VM can read, write, and delete files/directories in the Azure file share.

Steps to Assign RBAC Roles

  1. Navigate to your Storage Account in the Azure portal.
  2. Under Access control (IAM), select Add > Add role assignment.
  3. Assign Storage Account Key Operator Service to the VM’s system-assigned managed identity.
  4. Optionally, assign Storage File Data SMB Share Contributor for full file-level operations.

Once these roles are set, your VM’s identity can securely manage and mount the Azure Files share.
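The portal steps above can also be done from Az PowerShell, which makes the assignment repeatable and lets you confirm the scope afterwards. The following is an added example, not part of the original guide: it resolves the VM's system-assigned identity, scopes both role assignments to the storage account resource only (not the subscription or resource group), and then lists what the identity holds. It assumes the Az.Accounts, Az.Resources, Az.Compute and Az.Storage modules, an administrator account allowed to create role assignments, and placeholder names that you replace with your own. Note that the built-in role the guide calls Storage Account Key Operator Service is named "Storage Account Key Operator Service Role" in Azure RBAC, which is the string the cmdlets need.

```powershell
##############################################################
# Added example: assign the two RBAC roles to the VM's system-assigned identity
# at storage-account scope, then verify. Run from an admin session, not on the VM.
# All names are placeholders.
##############################################################
$resourceGroupName  = 'resourceGroupName'
$vmName             = 'vmName'
$storageAccountName = 'storageAccountName'

Connect-AzAccount | Out-Null   # interactive sign-in by the administrator

# Resolve the VM's system-assigned identity (its service principal object id)
$vm = Get-AzVM -ResourceGroupName $resourceGroupName -Name $vmName
if (-not $vm.Identity -or -not $vm.Identity.PrincipalId) {
    throw "VM '$vmName' has no system-assigned managed identity enabled."
}
$principalId = $vm.Identity.PrincipalId

# Scope the assignment to the storage account resource itself (least privilege)
$storageAccount = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName
$scope = $storageAccount.Id

# Built-in role names exactly as Azure RBAC defines them
$roles = @(
    'Storage Account Key Operator Service Role',   # listKeys / regenerateKey
    'Storage File Data SMB Share Contributor'      # read/write/delete in the share
)

foreach ($role in $roles) {
    $existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $role -Scope $scope
    if ($existing) {
        Write-Host "Already assigned: $role"
        continue
    }
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $role -Scope $scope | Out-Null
    Write-Host "Assigned: $role"
}

# Verify: everything this identity holds at (or inherited above) the storage account
Get-AzRoleAssignment -ObjectId $principalId -Scope $scope |
    Select-Object RoleDefinitionName, Scope
```

The final listing should show only the two roles, each with the storage account's resource id as Scope. Anything inherited from a broader scope also appears here, which is a quick way to catch an identity that was granted more than the share needs.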


2. Create the PowerShell Script

Below is a PowerShell script that:

  1. Authenticates using the VM’s system-assigned managed identity.
  2. Retrieves the storage account key via Azure REST API calls.
  3. Maps a network drive to the Azure Files share using the retrieved key.

Make sure to update the variables (such as storageAccountName, shareName, resourceGroupName, SubscriptionId, and driveLetter) to match your environment. Save the script locally on the VM (e.g., C:\MapDrive.ps1).

##############################################################
# System Assigned Managed Identity mapping of the storage account – no client ID required
# Copy the script to the local C:\ drive
##############################################################
$storageAccountName = 'storageAccountName'
$shareName = 'shareName'
$driveLetter = 'Z'
$resourceGroupName = 'resourceGroupName'
$SubscriptionId = 'subscriptionID'
# Authenticate using the System-assigned Managed Identity
$token = Invoke-RestMethod -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -Method GET -Headers @{Metadata='true'}
# Construct headers with Bearer token for subsequent Azure REST API calls
$headers = @{
    'Authorization' = "Bearer $($token.access_token)"
    'Content-Type'  = 'application/json'
}
# Retrieve the storage account key
$keyUri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Storage/storageAccounts/$storageAccountName/listKeys?api-version=2019-06-01"
$storageKeys = Invoke-RestMethod -Uri $keyUri -Method POST -Headers $headers
$storageAccountKey = $storageKeys.keys[0].value
# Build the UNC path to the Azure Files share
$uncPath = "\\$storageAccountName.file.core.windows.net\$shareName"
# Map the network drive
$securePassword = ConvertTo-SecureString $storageAccountKey -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential("Azure\$storageAccountName", $securePassword)
New-PSDrive -Name $driveLetter -PSProvider FileSystem -Root $uncPath -Credential $credential -Persist
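Because the instance metadata endpoint answers any process on the VM, and the logon task runs the script for every user, each logon performs a listKeys call against the storage account. Every one of those calls is written to the subscription Activity Log with the VM's identity as the caller, which makes the log the place to confirm that only the VM identity is listing keys and that the call rate tracks logons. The following is an added example, not part of the original guide, that pulls those events with Az.Monitor and summarises them per caller. It assumes the Az.Accounts, Az.Resources, Az.Compute, Az.Storage and Az.Monitor modules, an account with Reader on the subscription, and placeholder names. The Activity Log may record a service principal caller as either its object id or its application id, so the example compares against both.

```powershell
##############################################################
# Added example: audit listKeys calls on the storage account via the Activity Log.
# Run from an administrator's session, not on the VM. Names are placeholders.
##############################################################
$resourceGroupName  = 'resourceGroupName'
$storageAccountName = 'storageAccountName'
$vmName             = 'vmName'
$lookbackDays       = 7

Connect-AzAccount | Out-Null

$storageAccountId = (Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName).Id

# Identify the VM identity by both object id and application id
$principalId = (Get-AzVM -ResourceGroupName $resourceGroupName -Name $vmName).Identity.PrincipalId
$appId       = (Get-AzADServicePrincipal -ObjectId $principalId).AppId
$expectedCallers = @($principalId, $appId)

# Every successful run of MapDrive.ps1 produces one listKeys/action event here
$events = Get-AzActivityLog -ResourceId $storageAccountId `
                            -StartTime (Get-Date).AddDays(-$lookbackDays) `
                            -EndTime (Get-Date) |
    Where-Object { $_.Authorization.Action -eq 'Microsoft.Storage/storageAccounts/listKeys/action' }

# Summarise by caller. The VM identity should be the only caller, at a rate that
# matches user logons; any other caller or a sudden burst is worth following up.
$events |
    Group-Object -Property Caller |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object EventTimestamp
        [pscustomobject]@{
            Caller       = $_.Name
            IsVmIdentity = ($_.Name -in $expectedCallers)
            Calls        = $_.Count
            FirstSeen    = ($sorted | Select-Object -First 1).EventTimestamp
            LastSeen     = ($sorted | Select-Object -Last 1).EventTimestamp
        }
    } | Format-Table -AutoSize
```

Get-AzActivityLog returns up to 1000 events by default; widen with -MaxRecord if the VM has many logons per day. The same filter can be turned into an Azure Monitor alert rule on the listKeys action so that a caller other than the VM identity is raised without anyone having to run the query.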

3. Create a Scheduled Task to Map the Drive at Logon

To ensure the drive is mapped for all users who log on to the VM, configure a scheduled task that triggers whenever a user logs on. This way, each user session automatically has the drive mapped.

Run the following PowerShell commands (adjusting file paths if needed) to register the task:

##############################################################
# Create the Scheduled Task
##############################################################
# Define the action to run PowerShell and execute your script
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-WindowStyle Hidden -ExecutionPolicy Bypass -File C:\MapDrive.ps1"
# Define the trigger to start the task at user logon
$trigger = New-ScheduledTaskTrigger -AtLogon
# Set the task to run as a member of the BUILTIN\Users group
$principal = New-ScheduledTaskPrincipal -GroupId "S-1-5-32-545"
# Register the task
Register-ScheduledTask -TaskName "MapDriveAtLogon" -Action $action -Trigger $trigger -Principal $principal -Description "Runs a script at logon for users."

Important Notes

  • The -ExecutionPolicy Bypass parameter ensures the script runs without being blocked by the default PowerShell execution policy.
  • The -WindowStyle Hidden parameter keeps the console minimised during script execution, providing a cleaner user experience.

4. (Optional) FSLogix Configuration with Cloud Cache

If you are using FSLogix to manage user profiles, you can set up Cloud Cache by adding multiple storage locations in the CCDLocations registry key. For example, point to Z:\Profiles (if your mapped drive is Z:) to store FSLogix profile data.

Registry Path:
HKLM\SOFTWARE\FSLogix\Profiles
Value: CCDLocations (REG_MULTI_SZ)
Data: Paths to each storage location, one per line (e.g., Z:\Profiles).

This allows you to leverage the robust features of FSLogix Cloud Cache while storing user profiles on Azure Files, all without needing a traditional domain controller or Entra Domain Services.


5. Testing and Validation

  1. Run the Script Manually: From an elevated PowerShell session, run your MapDrive.ps1 script to confirm the drive is mapped successfully.
  2. Verify Permissions: Attempt to create, read, and delete files on the mapped drive.
  3. User Logon Test: Log off and log on as a new user (or an existing user without a prior session) to confirm the scheduled task automatically maps the drive.
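The three manual checks above can be scripted so they are run on the VM after every change and produce a single pass/fail table. The following is an added example, not part of the original guide; it runs in a user session on the VM and assumes the same placeholder values as MapDrive.ps1 and the task name used in section 3. It checks the one prerequisite the guide does not mention explicitly, that TCP 445 to the storage endpoint is reachable (a blocked port is the usual reason a mapping silently fails), confirms the metadata endpoint issues a token whose xms_mirid claim points at a virtual machine (that claim carries the resource id of the identity's owner; the payload is decoded only to read it, no signature is verified locally), and then probes the mapped drive and the logon task.

```powershell
##############################################################
# Added example: post-deployment checks run on the VM, in a user session.
# Placeholders must match MapDrive.ps1 and the scheduled task name.
##############################################################
$storageAccountName = 'storageAccountName'
$shareName          = 'shareName'
$driveLetter        = 'Z'
$taskName           = 'MapDriveAtLogon'
$fqdn               = "$storageAccountName.file.core.windows.net"
$results            = [ordered]@{}

# 1. SMB needs TCP 445 to the storage endpoint
$results['SMB port 445 reachable'] =
    (Test-NetConnection -ComputerName $fqdn -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded

# 2. The metadata endpoint must answer, and the token should belong to this VM
try {
    $token = Invoke-RestMethod -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -Method GET -Headers @{ Metadata = 'true' } -TimeoutSec 5
    # Decode the JWT payload (base64url) only to read its claims; no signature check here
    $payload = $token.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $claims = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
    # xms_mirid is the resource id of the identity's owner; a VM path means system-assigned
    $results['Token issued to VM'] = $claims.xms_mirid -like '*/providers/Microsoft.Compute/virtualMachines/*'
} catch {
    $results['Token issued to VM'] = $false
}

# 3. The drive must be present in this session, point at the right share, and be writable
$drive = Get-PSDrive -Name $driveLetter -ErrorAction SilentlyContinue
$results['Drive mapped'] = [bool]$drive -and $drive.Root -eq "\\$fqdn\$shareName"
if ($results['Drive mapped']) {
    $probe = Join-Path "$($driveLetter):\" ("probe-{0}.txt" -f [guid]::NewGuid())
    try {
        Set-Content -Path $probe -Value 'write test'
        $results['Share writable'] = (Get-Content -Path $probe) -eq 'write test'
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
    } catch {
        $results['Share writable'] = $false
    }
} else {
    $results['Share writable'] = $false
}

# 4. The logon task from section 3 should be registered for BUILTIN\Users
$task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
$results['Logon task registered'] = [bool]$task -and ($task.Principal.GroupId -in @('S-1-5-32-545', 'Users'))

# Print one line per check
$results.GetEnumerator() | ForEach-Object {
    '{0,-24} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

Run it once from the elevated session used in step 1 and once as a freshly logged-on standard user; the drive and write checks are per session, so a pass in the first run and a fail in the second points at the scheduled task rather than at permissions or networking.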

Conclusion

Using a system-assigned managed identity on an Azure VM to map an Azure Files share is a straightforward and secure approach that avoids the need for deploying Entra Domain Services. By leveraging built-in Azure RBAC roles (like Storage Account Key Operator Service and Storage File Data SMB Share Contributor), you can ensure that your VM has appropriate access without storing or passing credentials in plain text.

Moreover, FSLogix users can benefit from this method to store user profiles on Azure Files, optionally enabling Cloud Cache for resilient and efficient profile management. With a scheduled task in place, you can be confident that all users logging in will have the drive mapped and ready to go, simplifying your file-sharing and profile-management strategies in Azure.
