Azure File Share using Azure AD DS for Authentication without a VPN?

Jordan Lance 1 Reputation point
2021-12-14T13:05:38.213+00:00

Hi All,

I am hoping you can help me with something. Some back story: in our business we are trying to utilise a central resource of files/folders for AutoCAD tool palettes. We have migrated business data from a physical server into SharePoint, and all devices are Azure AD joined and managed by Intune MDM. We do have an on-prem Server 2016 Active Directory DS instance that is replicating to Azure AD. Information on our environment (these are examples):

On-Prem Domain Name: business.local
Azure AD Tenant Name: businessworld.onmicrosoft.com
Azure AD DS Managed Domain: business.global

I am looking to utilise Azure File Shares via a storage account and would like to be able to authenticate access to these without the need to connect to a VPN and/or have 'line of sight' to our on-prem domain controller instance. The reason for no VPN, is because since the move to SharePoint for our business, the need for VPN has diminished significantly, and I'd rather not increase that usage again.

So far I have completed the following with Azure File Shares and Azure AD DS:

  • Enabled and deployed Azure ADDS on a 'Standard' tier (business.global)
  • Updated the DNS settings and allowed Azure to auto-populate the DNS settings.
  • Enabled password hash synchronization from our on-prem DC to Azure AD and confirmed it is synchronizing.
  • Built and installed a Windows 10 22H2 Azure VM and joined this device to our Managed Domain (business.global)
  • Created an Azure Storage Account, and enabled it for Azure AD DS authentication. (I checked the box "Default to Azure Active Directory authorization in the Azure portal")
  • Created the File Share in the storage account and enabled it for Azure AD DS authentication.
  • Set up access at share level by providing role assignments to the "Storage File Data SMB Share Elevated Contributor" role to a group and an individual.

I can confirm that from the Windows 10 Azure VM, using the storage account key I can map the drive without any issues.
I can confirm that from an Azure AD-joined device (Intune MDM), using the storage account key, I can map the drive without any issues.

However, when I try and map the drive using Active Directory authentication, I get an error message about it having an incorrect network login.

To test this, I did set up a second Azure File Share and linked this directly with our on-prem AD without Azure AD DS. When connected to the VPN and authenticating directly with on-prem AD, it works fine.

Hopefully this makes sense :-)


1 answer

  1. Sumarigo-MSFT 43,401 Reputation points Microsoft Employee
    2022-01-08T14:12:48.703+00:00

    @Jordan Lance @AY Firstly, apologies for the delayed response!

    Hope you have followed the prerequisites?
    You can enable the feature on a new or existing on-premises AD DS environment. Identities used for access must be synced to Azure AD or use a default share-level permission. The Azure AD tenant and the file share that you are accessing must be associated with the same subscription.

    There is a video which explains how to connect an Azure file share using Azure Active Directory Domain Services.

    • Hope you have provided the share-level access (Access control (IAM)) to the storage account and file share (can you please cross-verify?).

    I tried to reproduce the issue and was able to mount the Azure file share using Active Directory authentication.


    If you experience issues in connecting to Azure Files, refer to the troubleshooting tool we published for Azure Files mounting errors on Windows.


    If the issue still persists, I would like to work closer on this issue!

    Please let us know if you have any further queries. I’m happy to assist you further.

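The following PowerShell script is an added example (not code from the question or from Sumarigo-MSFT's answer) that walks the setup steps listed in the question and the checks suggested in the answer in order: confirm the storage account is configured for Azure AD DS (not on-prem AD DS) authentication, confirm the share-level RBAC assignment is scoped to the file share itself, confirm TCP/445 is reachable, confirm a Kerberos ticket for the file endpoint can be obtained from the managed domain, and only then mount with the signed-in identity instead of the storage account key. The resource group, storage account, share and user names are placeholders, and the script assumes the Az.Storage and Az.Resources modules are installed and `Connect-AzAccount` has already been run on a machine joined to the managed domain (business.global).

```powershell
# Added example: verify an Azure AD DS identity-based auth setup for an Azure file share
# and mount it with Kerberos rather than the storage account key.
# Placeholder values below are assumptions; replace them with your own.
$ResourceGroup  = 'rg-files'                                 # assumption
$StorageAccount = 'stbusinessfiles'                          # assumption
$ShareName      = 'autocad-palettes'                         # assumption
$Principal      = 'jordan@businessworld.onmicrosoft.com'     # synced AD user (assumption)
$FileEndpoint   = "$StorageAccount.file.core.windows.net"

# 1. The account must be configured for AADDS. 'AD' means on-prem AD DS (the VPN path
#    in the question); 'None' means only the storage key will ever work.
$acct = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$auth = $acct.AzureFilesIdentityBasedAuth
Write-Host "DirectoryServiceOptions: $($auth.DirectoryServiceOptions)"
if ($auth.DirectoryServiceOptions -ne 'AADDS') {
    # Only changes the storage account; the client still needs line of sight to the
    # Azure AD DS managed domain to get a ticket.
    Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount `
        -EnableAzureActiveDirectoryDomainServicesForFile $true | Out-Null
}

# 2. Share-level permission: the built-in SMB data role has to be assigned on the share
#    scope (or the account scope); a role on the resource group alone grants no SMB access.
$shareScope = "$($acct.Id)/fileServices/default/fileshares/$ShareName"
$role       = 'Storage File Data SMB Share Elevated Contributor'
$existing   = Get-AzRoleAssignment -SignInName $Principal -RoleDefinitionName $role -Scope $shareScope
if (-not $existing) {
    New-AzRoleAssignment -SignInName $Principal -RoleDefinitionName $role -Scope $shareScope | Out-Null
}

# 3. SMB needs TCP/445 to the public file endpoint. Many ISPs block 445 outbound, which
#    makes a non-VPN mount fail even when identity is configured correctly.
$tnc = Test-NetConnection -ComputerName $FileEndpoint -Port 445
if (-not $tnc.TcpTestSucceeded) { throw "TCP/445 to $FileEndpoint is blocked" }

# 4. Kerberos: the signed-in user must obtain a service ticket for the file endpoint's SPN
#    from the managed domain. This succeeds only from a device joined to business.global;
#    a device that is Azure AD-joined only (the Intune device in the question) has no KDC to ask.
klist get "cifs/$FileEndpoint"

# 5. Mount using the current Kerberos identity: no /user: and no storage account key.
net use Z: "\\$FileEndpoint\$ShareName" /persistent:no
```

If step 4 prints a ticket but step 5 still fails with a logon error, the remaining suspects are the share-level role assignment from step 2 (RBAC changes can take several minutes to propagate) and the NTFS-level permissions on the share, which are set separately after the first mount.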