Azure Files + Azure AD DS

Question

Hey MS Community,

We have 150 employees all using Windows 10 PRO. All devices are Azure AD joined and at Windows login screen they use their M365 username and password. All machines are also managed by Intune. There are NO servers and have never been a domain.

We want to deploy file services and move away from SharePoint. Has anyone successfully implement Azure Files using the M365 Azure AD login for remote Windows 10 devices? We can't get storage container to mount. Microsoft support says it is not possible and that they only support DOMAIN JOINED devices, but then Microsoft documentation says it does support Azure AD DS authentication. I have a consultant saying they are able to get this to work but we can't.

Does anyone here know for sure, can we have this setup and it works?

• Windows 10 PRO with port 445 enabled
• Azure AD DS services running
• Azure Files storage account setup to use Azure AD DS authentication

That is exactly how we have it setup now, but we can only connect using a storage key, authentication against Azure AD DS fails.

Answer 1

I think the above contains all of the required information but not necessarily in a succinct or clear answer. Also, the documentation is somewhat light on this particular scenario with only a sentence or two among all of the rest.

The key element from the original question is:

'All devices are Azure AD joined'

This is Azure AD joining of a machine is different from a 'domain joined' machine using AD (either on-premises AD (AD DS) or Azure AD DS - Which are really managed AD domain controllers as a service)

Also remember there are three elements in this that have a requirement for authentication services:

1. The Azure Files Service - Needs to use Directory services (AD DS or Azure AD DS)
2. The User - Authenticating against either AAD (Synched) or Directory Services
3. The client from which the user is accessing Azure files **This is the important bit in this question*

The supported scenarios are (from https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview#supported-scenarios)

Azure AD DS authentication:

• Azure AD DS-joined Windows machines can access Azure file shares with Azure AD credentials over SMB.

On-premises AD DS authentication:

• On-premises AD DS-joined or Azure AD DS-joined Windows machines can access Azure file shares with on-premises Active Directory credentials that are synched to Azure AD over SMB. Your client must have line of sight to your AD DS.

Whilst this is not explicit in saying that Azure AD joined machines are not supported, tucked away as a single bullet point in the Restrictions section is:

• Neither Azure AD DS authentication nor on-premises AD DS authentication is supported against Azure AD-joined devices or Azure AD-registered devices.

So, putting this all together:

In order to provide identity based authentication for SMB:

1. Azure Files requires directory services (Either AD DS or Azure AD DS)
2. The User account must exist in both Azure AD and the AD DS as a hybrid user. If using AD DS then AD Connect sync needs to be in place. If using Azure AD DS then this is carried out automatically (See: AD DS and Azure AD DS in the How it works section of the docs.
3. The Client Machine Must be Domain Joined (AD DS or Azure AD DS) and not Azure AD joined - Although a hybrid joined client machine should work.

Another tidbit of information is: 'The share level permission is configured against the identity represented in Azure AD where the directory/file level permission is enforced with that in AD DS'

I think these restrictions come down to Kerberos and its Token passing (See the how it works link above). Of course, as storage account key authentication does not have any need for Kerberos interaction this will work from any client machine, providing there is sufficient network connectivity to access the share. Albeit the access is then at 'superuser' level.

Whilst I'm sure I've missed something, the above is what I have determined after spending some hours testing and detailed reading of the documentation while investigating a client requirement to access Azure files for 'remote users' where the client machines are Azure AD joined (Not Hybrid).

Hope this helps others not have to go through the same.

FYI there is a UserVoice request which pertains to this, but it doesn't have many votes: https://feedback.azure.com/forums/217298-storage/suggestions/40019824-pls-enable-authentication-support-for-azure-file

Answer 2

Thank you for the response. Where I am getting confused is Microsoft is saying you can access the file share using SMB which will authenticate against Azure AD DS. So we have a Windows 10 machine, using SMB, and we have Azure AD DS setup. However your message above is saying something about a domain joined VM. Why is a domain join VM required at all if we already have Azure AD DS?

In our scenario, with 150 users needing file access, what is the point of getting Azure Files if we still need to spin up virtual servers to make Azure Files work? Maybe what would help clarify in our situation, what is the difference between a virtual DC and FS having users connect via a VPN versus Azure Files with AD DS?

Microsoft's documentation on concepts for Azure Files:

"Since Azure Files provides either Server Message Block (SMB) or Network File System (NFS) access, you can mount Azure file shares on-premises or in the cloud using the standard SMB or NFS clients available in your OS." Should there be a disclaimer here that this requires a domain joined server?

"Azure file shares are accessible from anywhere via the storage account's public endpoint. This means that authenticated requests, such as requests authorized by a user's logon identity, can originate securely from inside or outside of Azure." Should there be a disclaimer here that this requires a domain joined server?

"Azure Files supports identity-based authentication over Server Message Block (SMB) through on-premises Active Directory Domain Services (AD DS) and Azure Active Directory Domain Services (Azure AD DS)." Why is a domain joined VM required in order to do this? We have Azure AD DS but we are being told we need a domain joined VM?

Answer 3

Did this ever get answered successfully as the proposed solutions are just Microsoft Learn that don't have any fixes, I have the same issue as the original poster and have never got or been able to map a drive with the users AAD credentials, it just fails, I can only map with the storage key which is pointless when you are trying to use NTFS permissions on the share!

Answer 4

@Not So Magical Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.

Azure Files supports identity-based authentication over Server Message Block (SMB) through two types of Domain Services: on-premises Active Directory Domain Services (AD DS) and Azure Active Directory Domain Services (Azure AD DS). We strongly recommend you to review the How it works section to select the right domain service for authentication. The setup is different depending on the domain service you choose. These series of articles focus on enabling and configuring on-premises AD DS for authentication with Azure file shares.

If you are new to Azure file shares, we recommend reading our planning guide before reading the following series of articles.

Supported scenarios and restrictions

Before you enable AD DS authentication for Azure file shares, make sure you have completed the following prerequisites

• For Azure AD DS authentication, you should enable Azure AD Domain Services and domain join the VMs you plan to access file data from. Your domain-joined VM must reside in the same virtual network (VNET) as your Azure AD DS.
• To access Azure Files resources with identity based authentication, an identity (a user, group, or service principal) must have the necessary permissions at the share level. This process is similar to specifying Windows share permissions, where you specify the type of access that a particular user has to a file share. The guidance in this section demonstrates how to assign read, write, or delete permissions for a file share to an identity.
  https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable?tabs=azure-portal#assign-access-permissions-to-an-identity

If you are still finding any issue, please let us know we would like to work closer on this issue! (If you are getting any error, please share the screenshot)

Hope this helps!

Kindly let us know if the above helps or you need further assistance on this issue.

-----------------------------------------------------------------------------------------------------------------------

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 5

@Not So Magical Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.

Azure files supports all of the above. This is distinctly discussing Azure files not ADDS or Azure ADDS authentication for Azure files.
Azure ADDS and ADDS authentication specifically have different requirements and prerequisites.

Domain-join an on-premises machine or an Azure VM to on-premises AD DS. For information about how to domain-join, refer to Join a Computer to a Domain.

To use ADDS you need to domain join the vm - or have line of sight to the DC (to use ADDS Authentication for Azure files - you need to domain join the vm - or have line of sight to the DC. If you aren't using ADDS - you don't need to be on a domain joined VM and can map the drive with storage account/key but will be like a super user)

If your machine is not domain joined to an AD DS, you may still be able to leverage AD credentials for authentication if your machine has line of sight of the AD domain controller.

• You can enable the feature on a new or existing on-premises AD DS environment. Identities used for access must be synced to Azure AD. The Azure AD tenant and the file share that you are accessing must be associated with the same subscription.

Domain-join an on-premises machine or an Azure VM to on-premises AD DS. We strongly recommend you to review the How it works section to select the right domain service for authentication.

• If the subscription under which the file share is deployed is associated with the same Azure AD tenant as the Azure AD DS deployment to which the VM is domain-joined, you can then access Azure file shares using the same Azure AD credentials. The limitation is imposed not on the subscription but on the associated Azure AD tenant.
• Azure Files on-premises AD DS authentication only integrates with the forest of the domain service that the storage account is registered to. To support authentication from another forest, your environment must have a forest trust configured correctly. The way Azure Files register in AD DS almost the same as a regular file server, where it creates an identity (computer or service logon account) in AD DS for authentication. The only difference is that the registered SPN of the storage account ends with "file.core.windows.net" which does not match with the domain suffix. Consult your domain administrator to see if any update to your suffix routing policy is required to enable multiple forest authentication due to the different domain suffix. We provide an example below to configure suffix routing policy.

To learn how to enable Azure AD DS authentication for Azure file shares, see Enable Azure Active Directory Domain Services authentication on Azure Files.

• Azure AD DS provides managed domain services such as domain join, group policies, LDAP, and Kerberos/NTLM authentication. These services are fully compatible with Active Directory Domain Services. For more information, see Azure Active Directory Domain Services.
• When you enable AD DS for Azure file shares over SMB, your AD DS-joined machines can mount Azure file shares using your existing AD DS credentials. This capability can be enabled with an AD DS environment hosted either in on-prem machines or hosted in Azure.

To help you setup Azure Files AD authentication for some common use cases, we published two videos with step by step guidance for the following scenarios:

To use the AD credential for authentication, you need to make sure that the AD credential is synced to Azure AD, and that Azure AD is fully synced to Azure AD DS. If not, AAD DS will not be able to perform authentication against an AD credential. Please check the sync status

enable AD DS authentication for your Azure file shares

Kindly let us know if you still have more questions on this. I wish to engage with you offline for a closer look and provide a quick and specialized assistance, I will follow-up with you.

Thanks for your patience and co-operation.

Hope this helps!

Kindly let us know if the above helps or you need further assistance on this issue.

-------------------------------------------------------------------------------------------------------------------------------------------------

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.