Azure Virtual Desktop | FSLogix App Masking with Entra Joined Devices IV
In the previous posts we created an Azure Function and the FSLogix App Masking rules, and placed the files in Azure Blob Storage.
The Function app has run and placed the assignment CSV files in a blob container; the FSLogix rule files we uploaded ourselves.
For this demo I use a SAS token to fetch the files from the blob containers; other download methods work as well. A SAS token that ends up in a script on a session host should be read-only (Read and List permissions), scoped to just the container it needs and short-lived, because anyone who can read the script can replay the token.
Groups
We need to create the local groups that the users have to be placed in.
# setting variables
$sasToken = ''   # container SAS token (value omitted in the post); starts with '?'
$folder = ''     # URL of the blob folder that holds the CSV files (omitted in the post)
$downloadUrl = $folder + $sasToken
Define the variables for the files to download.
# get AzCopy (skipped if it is already present)
if (-not (Test-Path -Path "C:\temp\azcopy.exe")) {
    New-Item -ItemType Directory -Path "C:\temp\Temp" -Force | Out-Null
    # aka.ms redirects to the current AzCopy v10 release
    Start-BitsTransfer -Source 'https://aka.ms/downloadazcopy-v10-windows' -Destination "C:\temp\Temp\azcopy.zip"
    Expand-Archive -Path "C:\temp\Temp\azcopy.zip" -DestinationPath "C:\temp\Temp" -Force
    Copy-Item -Path "C:\temp\Temp\azcopy_windows_amd64_*\azcopy.exe" -Destination "C:\temp"
}
# download the folder with the assignment CSV files into C:\temp
C:\temp\azcopy.exe copy $downloadUrl C:\temp --recursive
Get AzCopy and download the folder with the CSVs. Note that AzCopy is fetched from aka.ms at run time; on a production session host you would rather ship a pinned, verified copy of the binary together with the script instead of downloading whatever the redirect currently points to.
# get all the csv files for a forEach loop
$path = "C:\temp\fslogixappmaskingassingments"
$files = Get-ChildItem -Path $path -Filter *.csv
Get all CSV files
ForEach ($file in $files) {
    # the app-group name is the file name without extension
    $name = $file.BaseName
    If (Get-LocalGroup -Name $name -ErrorAction SilentlyContinue) {
        Write-Host "Group $($name) is found"
        # get the current members and remove them, so the CSV is the single source of truth
        $members = Get-LocalGroupMember -Group $name
        Write-Host "Members in group $($name) are retrieved"
        if ($members) {
            # Remove-LocalGroupMember fails on an empty member list, hence the guard
            Remove-LocalGroupMember -Group $name -Member $members
            Write-Host "Members in group $($name) are deleted"
        }
    }
    else {
        try {
            New-LocalGroup -Name $name -ErrorAction Stop | Out-Null
            Write-Host "Group $($name) is created"
        }
        catch {
            Write-Host "Group $($name) cannot be created: $($_.Exception.Message)"
            continue
        }
    }
    # add the users from the CSV to the group
    $users = Import-Csv "$($path)\$($file.Name)"
    ForEach ($user in $users) {
        # Add-LocalGroupMember cannot resolve Entra ID accounts on an Entra-joined device,
        # so net.exe is used. net.exe does not throw on failure, so check $LASTEXITCODE
        # instead of relying on try/catch.
        $output = net localgroup $name "AzureAD\$($user.UserPrincipalName)" /add 2>&1
        if ($LASTEXITCODE -eq 0) {
            Write-Host "User $($user.UserPrincipalName) is added to group $($name)"
        }
        else {
            Write-Host "User $($user.UserPrincipalName) cannot be added to group $($name): $($output -join ' ')"
        }
    }
}
In a ForEach loop we run through the files and take the app-group name from the file name. If the group exists, its current members are removed and the users from the CSV are added; if it does not exist, it is created first. Two details matter here: net localgroup is used instead of Add-LocalGroupMember because the latter cannot resolve Entra ID accounts on an Entra-joined device, and net.exe does not throw on failure, so the script has to check $LASTEXITCODE rather than rely on try/catch. Removing all members before re-adding them also leaves the group empty for a moment.
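The following is an added example, not code from the original post. It converges a local group on the members listed in an assignment CSV by adding and removing only the difference, so the group is never emptied, and it returns what it did so the result can be logged. Assumed (not stated in the post): the CSV has a UserPrincipalName column, the device is Entra joined (members are named AzureAD\<UPN>), and only AzureAD\ principals are managed by the script, so other members such as local accounts are left alone. The function name Sync-LocalGroupFromCsv and the -DryRun switch are my own.

```powershell
# Added example, not from the original post: converge a local group on the members
# listed in an assignment CSV by adding and removing only the difference, instead of
# removing every member and re-adding them (which leaves the group briefly empty).
# Assumptions: the CSV has a UserPrincipalName column, the device is Entra joined
# (members are named AzureAD\<UPN>), and only AzureAD\ principals are managed here;
# other members, such as local accounts, are left alone.
function Sync-LocalGroupFromCsv {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $CsvPath,
        [switch] $DryRun    # report the changes without applying them
    )

    # Desired state: AzureAD\<UPN> for every valid, non-empty UPN in the CSV.
    $desired = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($row in Import-Csv -Path $CsvPath) {
        $upn = "$($row.UserPrincipalName)".Trim()
        # Reject blanks and anything that is not a plain user@domain token, so a
        # malformed CSV row cannot turn into an unexpected principal name.
        if ($upn -notmatch '^[^\s\\/"@]+@[^\s\\/"@]+$') {
            Write-Warning "$($CsvPath): skipping invalid UserPrincipalName '$upn'"
            continue
        }
        [void]$desired.Add("AzureAD\$upn")
    }

    $exists = [bool](Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)
    if (-not $exists) {
        Write-Host "Group $GroupName does not exist and will be created"
        if (-not $DryRun) {
            New-LocalGroup -Name $GroupName -Description 'FSLogix App Masking assignment group' -ErrorAction Stop | Out-Null
        }
    }

    # Current state. Get-LocalGroupMember can throw when the group holds an
    # unresolvable (orphaned) SID; skip the group rather than treating it as empty,
    # which would add members but never remove any.
    $current = @()
    if ($exists) {
        try {
            $current = @(Get-LocalGroupMember -Group $GroupName -ErrorAction Stop | ForEach-Object Name)
        }
        catch {
            Write-Warning "Cannot enumerate members of $($GroupName), skipping: $($_.Exception.Message)"
            return
        }
    }

    # -notin / the HashSet comparer are case-insensitive, matching how Windows treats principal names.
    $toAdd    = @($desired | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -like 'AzureAD\*' -and -not $desired.Contains($_) })

    $result = [pscustomobject]@{ Group = $GroupName; Added = @(); Removed = @(); Failed = @() }
    foreach ($member in $toAdd) {
        if ($DryRun) { Write-Host "Would add $member to $GroupName"; continue }
        # Add-LocalGroupMember cannot resolve Entra ID accounts on an Entra-joined
        # device, so net.exe is used. It does not throw, so check $LASTEXITCODE.
        $out = net localgroup $GroupName $member /add 2>&1
        if ($LASTEXITCODE -eq 0) { $result.Added += $member } else { $result.Failed += "$member (add): $($out -join ' ')" }
    }
    foreach ($member in $toRemove) {
        if ($DryRun) { Write-Host "Would remove $member from $GroupName"; continue }
        $out = net localgroup $GroupName $member /delete 2>&1
        if ($LASTEXITCODE -eq 0) { $result.Removed += $member } else { $result.Failed += "$member (delete): $($out -join ' ')" }
    }
    return $result
}

# One group per CSV file, as in the post: the file name is the app-group name.
Get-ChildItem -Path 'C:\temp\fslogixappmaskingassingments' -Filter *.csv |
    ForEach-Object { Sync-LocalGroupFromCsv -GroupName $_.BaseName -CsvPath $_.FullName } |
    Format-Table Group,
        @{ n = 'Added';   e = { $_.Added.Count } },
        @{ n = 'Removed'; e = { $_.Removed.Count } },
        @{ n = 'Failed';  e = { $_.Failed -join '; ' } }
```

Run it once with -DryRun on a session host to see which principals would change before letting a scheduled task apply it. Because only the delta is touched, running it every few minutes is harmless, and a CSV that fails to download or parse produces warnings rather than an emptied group.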
AppMasking rules
The App Masking rules must be downloaded and placed in the FSLogix Rules folder.
# setting variables
$sasToken = ''   # container SAS token (value omitted in the post); starts with '?'
$folder = ''     # URL of the blob folder that holds the rule files (omitted in the post)
$downloadUrl = $folder + $sasToken
$FSLogixFolder = "C:\Program Files\FSLogix\Apps\Rules"
Define the variables for the files to download and the FSLogix Rules folder.
# get AzCopy (skipped if it is already present)
if (-not (Test-Path -Path "C:\temp\azcopy.exe")) {
    New-Item -ItemType Directory -Path "C:\temp\Temp" -Force | Out-Null
    # aka.ms redirects to the current AzCopy v10 release
    Start-BitsTransfer -Source 'https://aka.ms/downloadazcopy-v10-windows' -Destination "C:\temp\Temp\azcopy.zip"
    Expand-Archive -Path "C:\temp\Temp\azcopy.zip" -DestinationPath "C:\temp\Temp" -Force
    Copy-Item -Path "C:\temp\Temp\azcopy_windows_amd64_*\azcopy.exe" -Destination "C:\temp"
}
# download the folder with the rule and assignment files into C:\temp
C:\temp\azcopy.exe copy $downloadUrl C:\temp --recursive
Get AzCopy and download all the assignment and rule files.
## copy items from fslogixappmaskingrules to the FSLogix Rules folder
# $logfile and Log-Message are not shown in the original post; minimal versions are defined here
$logfile = "C:\temp\fslogixrules.log"
function Log-Message {
    param([string]$file, [string]$Message)
    "$(Get-Date -Format s) $Message" | Add-Content -Path $file
}
$items = Get-ChildItem -Path "C:\temp\fslogixappmaskingrules" -File
ForEach ($item in $items) {
    try {
        # -Force overwrites a rule file that already exists in the Rules folder
        Copy-Item -Path $item.FullName -Destination $FSLogixFolder -Force -ErrorAction Stop
        Log-Message -file $logfile -Message "$($item.Name) is copied to $FSLogixFolder"
    }
    catch {
        Log-Message -file $logfile -Message "$($item.Name) cannot be copied to $FSLogixFolder : $($_.Exception.Message)"
    }
}
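Copying only adds or overwrites files, so a rule that is deleted from blob storage keeps applying on the session host until someone removes it from the Rules folder by hand. The following is an added example, not code from the original post, that mirrors the downloaded set into the Rules folder instead: unchanged files are skipped, changed files are copied, files that are no longer in the download are removed, and an assignment file (.fxa) without its matching rule file (.fxr) is reported, because FSLogix pairs the two by base name. Assumed (not stated in the post): the downloaded folder contains only FSLogix App Masking files, the only .fxr/.fxa files in the Rules folder are the ones this script manages, and the script runs elevated. The function name Sync-FslogixRules is my own.

```powershell
# Added example, not from the original post: mirror the downloaded rule set into the
# FSLogix Rules folder, so rules removed from blob storage stop applying as well.
# Assumptions: $Source holds only FSLogix App Masking files (.fxr rule files and the
# .fxa assignment files that pair with them by base name), the only .fxr/.fxa files in
# $Destination are the ones managed by this script, and the script runs elevated.
function Sync-FslogixRules {
    param(
        [string] $Source      = 'C:\temp\fslogixappmaskingrules',
        [string] $Destination = 'C:\Program Files\FSLogix\Apps\Rules'
    )
    $ruleExtensions = '.fxr', '.fxa'
    $srcFiles = @(Get-ChildItem -Path $Source -File | Where-Object { $_.Extension -in $ruleExtensions })
    $result = [pscustomobject]@{ Copied = @(); Unchanged = @(); Removed = @(); Orphaned = @() }

    # An .fxa assignment file needs a .fxr rule file of the same base name; without it
    # there is nothing for the assignments to apply to.
    $ruleNames = @($srcFiles | Where-Object Extension -eq '.fxr' | ForEach-Object BaseName)
    foreach ($fxa in $srcFiles | Where-Object Extension -eq '.fxa') {
        if ($fxa.BaseName -notin $ruleNames) { $result.Orphaned += $fxa.Name }
    }

    # Copy only files whose content differs, so the Rules folder is not rewritten on
    # every run and the log shows what actually changed.
    foreach ($file in $srcFiles) {
        $target = Join-Path -Path $Destination -ChildPath $file.Name
        if ((Test-Path -Path $target) -and
            (Get-FileHash -Path $target -Algorithm SHA256).Hash -eq (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash) {
            $result.Unchanged += $file.Name
            continue
        }
        Copy-Item -Path $file.FullName -Destination $target -Force -ErrorAction Stop
        $result.Copied += $file.Name
    }

    # Remove rule/assignment files that are no longer part of the downloaded set.
    $srcNames = @($srcFiles | ForEach-Object Name)
    $stale = Get-ChildItem -Path $Destination -File |
        Where-Object { $_.Extension -in $ruleExtensions -and $_.Name -notin $srcNames }
    foreach ($old in $stale) {
        Remove-Item -Path $old.FullName -Force -ErrorAction Stop
        $result.Removed += $old.Name
    }
    return $result
}

Sync-FslogixRules | Format-List
```

Run it after the AzCopy download in place of the plain Copy-Item loop; the returned object can be written to the same log file, and a non-empty Orphaned list is a sign that the rule set in blob storage is incomplete.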
Results
So user Adriaan@huurdebox.be is NOT a member of app_group2, which means the user will not get the Edge icon on his desktop.
Conclusion
FSLogix App Masking can be used on Entra-joined-only devices such as Azure Virtual Desktop session hosts. In the demo everything is scripted, but you can of course automate this with an Intune app that creates a scheduled task which runs the script to add and remove users from the groups.
#enjoy