File share in Azure for Azure AD (ONLY!) joined PCs

Michał Gębala 31 Reputation points
2022-06-10T07:26:48.117+00:00

Is there any solution available in Azure (Storage account, VM, dedicated resource, 3rd party appliance) that will allow me to map a share on ONLY! Azure AD joined PC and will let me configure file/folder level permissions based on Azure AD accounts/groups?

Azure Files
Azure Files
An Azure service that offers file shares in the cloud.
1,305 questions
Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,235 questions
Azure Disk Storage
Azure Disk Storage
A high-performance, durable block storage designed to be used with Azure Virtual Machines and Azure VMware Solution.
647 questions
0 comments No comments
{count} votes

6 answers

Sort by: Most helpful
  1. Juan Sanchez 20 Reputation points
    2023-07-24T06:03:17.0533333+00:00

    This is hard to believe that Azure Files still doesn't work with Azure AD Only Identities. I honestly think the Devs dropped the ball here.

    4 people found this answer helpful.
    0 comments No comments

  2. Tom Wardrop 26 Reputation points
    2023-08-29T06:39:25.6033333+00:00

    Just signed in to say the same. Was hoping my Azure AD joined devices (laptops and remote workstations) could authenticate with an Azure file share. Surprising that not only are Azure AD joined devices not supported, but Azure AD users aren't either, unless they're synced via on-premises.

    Microsoft really seems to be all over the shop here. On one hand they have these cloud-only features and services like Windows 11 multi-session, which can't be run on-premises, essentially handicapping any organisation trying to run an on-premises remote desktop server, but then those who are all-in on Azure then run into issues like Azure Files not being available. Microsoft doesn't seem to offer a single comprehensive solution. If I'm setting up a brand new domain/tenancy, how exactly does Microsoft suggest I operate, because it seems no matter what you do you're going to be missing out on functionality?

    4 people found this answer helpful.
    0 comments No comments

  3. Michal Gebala 5 Reputation points
    2023-10-09T16:08:05.9+00:00

    Any update on this topic I really miss the option to map file share to Azure AD joined device (no hybrid joined!) and have working file/folder level permissions same as it's now with SharePoint synced folders.

    1 person found this answer helpful.
    0 comments No comments

  4. Kyle Hardin 46 Reputation points
    2024-07-05T23:01:15.6+00:00

    It's amusing and also very Microsoft that they've engineered a cloud platform called Azure File Share that doesn't support cloud-connected, Azure-joined PCs.

    I see that there's been some discussion about adding this support and that it was coming soon two years ago, but I believe there must be a fundamental Active Directory dependency that they've build the platform around that's tied their hands more than expected.

    Unfortunately I wouldn't hold my breath for any progress on this front. I would acknowledge that Microsoft does not have a cloud-only file share solution and does not appear to be expending any energy in this direction. Your options are on-prem, Sharepoint, or something non-Microsoft.

    1 person found this answer helpful.
    0 comments No comments

  5. Sumarigo-MSFT 47,101 Reputation points Microsoft Employee
    2022-06-10T12:24:48.66+00:00

    @Michał Gębala Welcome t Microsoft Q&A Forum, Thank you for posting your query here!

    For better understanding the scenario: As I understand instead of Using AADDS or ADDS, you want to use Azure AD for the authorization right?

    If so we are working on this feature(Azure Files AAD authentication is in Private Preview), we have it in our pipeline. presently I don't have any ETA now. Get the latest updates on Azure products and features to meet your cloud investment needs. Subscribe to notifications to stay informed through Azure updates

    Currently there are only 2 ways to configure an Azure Files share:

    Active Directory Domain Services Overview | Microsoft Learn
    o Requires machines to be joined to the on premises domain. Most cases they would be Azure hybrid join.
    Overview of Azure Active Directory Domain Services | Microsoft Learn
    o Requires the machine to be joined to the Azure AD Domain Services domain.

    If a machine (either VM or physical machine) is joined to Azure AD, they would not be able to use either of these methods.

    Additional information:

    Supported scenarios and restrictions:

    • AD DS Identities used for Azure Files on-premises AD DS authentication must be synced to Azure AD or use a default share-level permission. Password hash synchronization is optional.
    • Supports Azure file shares managed by Azure File Sync.
    • Supports Kerberos authentication with AD with AES 256 encryption (recommended) and RC4-HMAC. AES 128 Kerberos encryption is not yet supported.
    • Supports single sign-on experience.
    • Only supported on clients running on OS versions newer than Windows 7 or Windows Server 2008 R2.
    • Only supported against the AD forest that the storage account is registered to. You can only access Azure file shares with the AD DS credentials from a single forest by default. If you need to access your Azure file share from a different forest, make sure that you have the proper forest trust configured, see the FAQ for details.
    • Does not support authentication against computer accounts created in AD DS.
    • Does not support authentication against Network File System (NFS) file shares.
    • When you enable AD DS for Azure file shares over SMB, your AD DS-joined machines can mount Azure file shares using your existing AD DS credentials. This capability can be enabled with an AD DS environment hosted either in on-prem machines or hosted in Azure.

    210311-image.png

    We strongly recommend you to review the How it works section to select the right domain service for authentication. The setup is different depending on the domain service you choose. These series of articles focus on enabling and configuring on-premises AD DS for authentication with Azure file shares.

    If you are new to Azure file shares, we recommend reading our planning guide before reading the following series of articles.

    Please let us know if you have any further queries. I’m happy to assist you further.

    ----------

    Please do not forget to 210246-screenshot-2021-12-10-121802.pngand “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    1 person found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.