Access to Azure Files from both on-prem Domained and not.

PC 0 Reputation points
2024-05-03T23:32:52.0233333+00:00

Hi there,

We have two offices, one in America and one in Europe. Our colleagues in the States want a local file share on Azure Files, while the European part doesn't need this.

In Europe we have a standard on-prem AD configuration, with AD Connect that syncs identities to the Entra AD instance.

I need an authentication solution that works for both: people should be able to authenticate with on-prem credentials, i.e. connected to a Domain Controller locally, and the people in America, who have no line of sight to the Domain Controller, need to authenticate somehow.

What is the best course of action?

I ran multiple tests setting up the 3 authentication options available for Azure Files, and here are my findings:

  • On-Prem AD - allows me to connect from on-prem, but not the users who are not linked to the Domain Controller or don't have an active VPN connection to it.
  • Entra Domain Services - allows me to connect only if the identity is present in AADDS and the machine is joined to this Azure service domain; therefore the on-prem devices, even if they could have the identity, are not going to be domained to this service.
  • Kerberos for Hybrid Identities - this works well for American users, but the on-prem machines in Europe can't join since they are not Entra Joined.

What is the solution to this enigma? It seems impossible that there isn't a solution that can fit both cases.

I don't mind having Azure VPN connections (P2S, S2S, etc.), but the issue here is authenticating to the actual service.

Many thanks

P


2 answers

  1. Suraj Pujari 91 Reputation points Microsoft Employee
    2024-05-06T04:48:47.49+00:00

    Hi PC,

    Hello! It sounds like you're looking for an authentication solution that works for both your on-premises AD configuration in Europe and your colleagues in America who don't have line of sight to the domain controller. Based on your findings, it seems that none of the three authentication options available for Azure Files meet your requirements.

    However, there is a solution that can fit both cases: Azure Active Directory Domain Services (AAD DS, now known as Entra Domain Services) with a site-to-site VPN connection between your on-premises network and Azure.

    With AAD DS, you can join your Azure Files storage account to the managed domain provided by AAD DS. This allows your on-premises AD users to authenticate to Azure Files using their existing credentials, even if they are not synced to Azure AD.

    For your colleagues in America, you can set up a site-to-site VPN connection between your on-premises network and Azure. This will allow them to access the AAD DS-managed domain and authenticate to Azure Files using their on-premises AD credentials.

    To summarize, the solution to your enigma is to use Azure Active Directory Domain Services with a site-to-site VPN connection between your on-premises network and Azure. This will allow both your on-premises AD users in Europe and your colleagues in America to authenticate to Azure Files using their existing credentials. I hope this helps! Let me know if you have any further questions.

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-domain-services-enable?tabs=azure-portal


  2. Anand Prakash Yadav 7,795 Reputation points Microsoft Vendor
    2024-05-06T08:51:35.8466667+00:00

    Hello PC,

    Thank you for posting your query here!

    You could consider a hybrid setup where you use Azure Active Directory Domain Services (AADDS) for the American users and on-premises Active Directory Domain Services (AD DS) for the European users. This would allow both sets of users to authenticate using their respective domain credentials.

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview

    Please check the following steps for setting up a hybrid environment using Azure Active Directory Domain Services (AADDS) for American users and on-premises Active Directory Domain Services (AD DS) for European users:

    · Set up AADDS: Provision AADDS in the Azure portal and configure the managed domain settings.

    · Sync On-Premises AD DS with AADDS: Install Azure AD Connect on-premises and choose "Password Hash Synchronization" to sync AD DS with AADDS.

    · Join Azure VMs to AADDS: Deploy Azure VMs for American users and join them to the AADDS domain.

    · Configure Site-to-Site VPN: Establish a site-to-site VPN connection between on-premises network and Azure.

    · Configure Azure Files: Join Azure Files storage account to AADDS and configure permissions for on-premises and Azure users.

    Do let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

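As an added example (not from either answer or from Microsoft's documentation), the Az PowerShell steps behind the last bullet above: enable AADDS authentication on the storage account, confirm it took effect, grant a least-privilege share-level role, and check from a client that reaches the managed domain that SMB access is using a Kerberos ticket for the user rather than the storage account key. The resource group, storage account, share name and UPN are placeholders.

```powershell
# Added example, not from the thread. All names below are placeholders.
# Requires Az.Accounts, Az.Storage and Az.Resources. Run after the AADDS managed
# domain exists and the storage account's network can reach the managed domain DCs.
$rg    = 'rg-files-example'        # placeholder resource group
$sa    = 'stfilesexample'          # placeholder storage account
$share = 'shared-docs'             # placeholder file share
$upn   = 'alice@contoso.example'   # placeholder hybrid user synced by AD Connect

Connect-AzAccount | Out-Null

# 1. Join the storage account to the AADDS managed domain for SMB authentication.
Update-AzStorageAccount -ResourceGroupName $rg -Name $sa `
    -EnableAzureActiveDirectoryDomainServicesForFile $true | Out-Null

# 2. Verify identity-based auth is actually on before granting share access;
#    DirectoryServiceOptions is None / AD / AADDS / AADKERB.
$auth = (Get-AzStorageAccount -ResourceGroupName $rg -Name $sa).AzureFilesIdentityBasedAuth
if ($auth.DirectoryServiceOptions -ne 'AADDS') {
    throw "Identity-based auth not enabled, got: $($auth.DirectoryServiceOptions)"
}

# 3. Share-level permission: assign the narrowest built-in SMB role at the scope
#    of the single share, not the whole storage account. Per-folder access is then
#    refined with NTFS ACLs once the share is mounted with an AADDS identity.
$scope = "/subscriptions/$((Get-AzContext).Subscription.Id)/resourceGroups/$rg" +
         "/providers/Microsoft.Storage/storageAccounts/$sa/fileServices/default/fileshares/$share"
New-AzRoleAssignment -SignInName $upn `
    -RoleDefinitionName 'Storage File Data SMB Share Contributor' -Scope $scope | Out-Null

# 4. Client-side check, run on a PC joined to the managed domain (or reaching it over
#    the S2S VPN): port 445 must be open, and a Kerberos service ticket for the share
#    endpoint shows the mount uses the user's identity, not the account key.
$fqdn = "$sa.file.core.windows.net"
if (-not (Test-NetConnection -ComputerName $fqdn -Port 445 -InformationLevel Quiet)) {
    throw "TCP 445 to $fqdn is blocked; route SMB over the VPN instead"
}
klist get "cifs/$fqdn"
New-SmbMapping -LocalPath 'Z:' -RemotePath "\\$fqdn\$share" -Persistent $false | Out-Null
klist | Select-String "cifs/$fqdn"   # ticket present => Kerberos, not storage key
```

Run steps 1 to 3 as the storage administrator and step 4 as the test user on their own machine; a missing `cifs/` ticket after the mapping means the client fell back to non-identity authentication and the configuration needs another look.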
