I think the above contains all of the required information but not necessarily in a succinct or clear answer. Also, the documentation is somewhat light on this particular scenario with only a sentence or two among all of the rest.
The key element from the original question is:
'All devices are Azure AD joined'
Azure AD joining of a machine is different from a 'domain joined' machine using AD (either on-premises AD (AD DS) or Azure AD DS, which are really managed AD domain controllers as a service).
Also remember there are three elements in this that have a requirement for authentication services:
- The Azure Files Service - Needs to use Directory services (AD DS or Azure AD DS)
- The User - Authenticating against either AAD (Synched) or Directory Services
- The client from which the user is accessing Azure files **This is the important bit in this question**
The supported scenarios are (from https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview#supported-scenarios):
Azure AD DS authentication:
- Azure AD DS-joined Windows machines can access Azure file shares with Azure AD credentials over SMB.
On-premises AD DS authentication:
- On-premises AD DS-joined or Azure AD DS-joined Windows machines can access Azure file shares with on-premises Active Directory credentials that are synched to Azure AD over SMB. Your client must have line of sight to your AD DS.
Whilst this is not explicit in saying that Azure AD joined machines are not supported, tucked away as a single bullet point in the Restrictions section is:
- Neither Azure AD DS authentication nor on-premises AD DS authentication is supported against Azure AD-joined devices or Azure AD-registered devices.
So, putting this all together:
In order to provide identity based authentication for SMB:
- Azure Files requires directory services (Either AD DS or Azure AD DS)
- The user account must exist in both Azure AD and the AD DS as a hybrid user. If using AD DS then AD Connect sync needs to be in place. If using Azure AD DS then this is carried out automatically (see: AD DS and Azure AD DS in the How it works section of the docs).
- The client machine must be domain joined (AD DS or Azure AD DS) and not Azure AD joined, although a hybrid joined client machine should work.
Another tidbit of information is: 'The share level permission is configured against the identity represented in Azure AD where the directory/file level permission is enforced with that in AD DS'
I think these restrictions come down to Kerberos and its token passing (see the How it works link above). Of course, as storage account key authentication does not have any need for Kerberos interaction, this will work from any client machine providing there is sufficient network connectivity to access the share, albeit the access is then at 'superuser' level.
Whilst I'm sure I've missed something, the above is what I have determined after spending some hours testing and detailed reading of the documentation while investigating a client requirement to access Azure files for 'remote users' where the client machines are Azure AD joined (Not Hybrid).
Hope this helps others not have to go through the same.
FYI there is a UserVoice request which pertains to this, but it doesn't have many votes: https://feedback.azure.com/forums/217298-storage/suggestions/40019824-pls-enable-authentication-support-for-azure-file
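As an added example (not part of the answer above), the following PowerShell parses the client's `dsregcmd /status` output to classify its join state the way the supported-scenario and restriction bullets above distinguish them, and checks SMB reachability of the share endpoint. The `AzureAdJoined` / `DomainJoined` / `DomainName` field names are those printed by `dsregcmd`; the classification logic, the function names and the sample output are this example's own, and the Kerberos check assumes the AD DNS domain name resolves to a domain controller.

```powershell
# Added example: classify join state and map it to the Azure Files SMB auth path
# described in the answer (identity-based needs a domain-joined client; Azure AD
# joined-only clients are restricted to storage account key access).

function Get-DsregJoinState {
    param(
        # Lines of `dsregcmd /status`; defaults to running the tool on this machine.
        [string[]]$StatusLines = (& dsregcmd /status)
    )
    $fields = @{}
    foreach ($line in $StatusLines) {
        # dsregcmd prints "    AzureAdJoined : YES"; keep only key/value lines.
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $aad    = $fields['AzureAdJoined'] -eq 'YES'
    $domain = $fields['DomainJoined']  -eq 'YES'
    $state = if ($aad -and $domain) { 'HybridAzureAdJoined' }
             elseif ($aad)          { 'AzureAdJoined' }
             elseif ($domain)       { 'DomainJoined' }
             else                   { 'Workgroup' }
    [pscustomobject]@{
        JoinState        = $state
        DomainName       = $fields['DomainName']
        # Per the restrictions quoted in the answer, neither AD DS nor Azure AD DS
        # authentication is supported from an Azure AD joined (non-hybrid) device.
        IdentityBasedSmb = ($state -in 'DomainJoined', 'HybridAzureAdJoined')
    }
}

function Test-AzureFilesClientReadiness {
    param(
        [Parameter(Mandatory)] [string]$StorageAccount,   # e.g. mystorageacct (hypothetical)
        [string[]]$StatusLines = (& dsregcmd /status)
    )
    $join = Get-DsregJoinState -StatusLines $StatusLines
    # SMB to Azure Files is TCP 445 on <account>.file.core.windows.net.
    $smb = Test-NetConnection -ComputerName "$StorageAccount.file.core.windows.net" -Port 445 -WarningAction SilentlyContinue
    # "Line of sight to your AD DS": Kerberos uses TCP 88 to a domain controller.
    # Assumption: the domain's DNS name resolves to a DC; skipped when not domain joined.
    $krb = if ($join.DomainName) {
        (Test-NetConnection -ComputerName $join.DomainName -Port 88 -WarningAction SilentlyContinue).TcpTestSucceeded
    } else { $null }
    [pscustomobject]@{
        JoinState        = $join.JoinState
        IdentityBasedSmb = $join.IdentityBasedSmb
        Port445Reachable = $smb.TcpTestSucceeded
        KerberosToDc     = $krb
    }
}

# Constructed sample of dsregcmd output for an Azure AD joined (non-hybrid) device:
$sample = @('| Device State |', '     AzureAdJoined : YES', '  EnterpriseJoined : NO', '      DomainJoined : NO')
Get-DsregJoinState -StatusLines $sample
```

Run `Test-AzureFilesClientReadiness -StorageAccount <account>` on the actual client to see the join state next to the two connectivity checks in one object.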