Hello Michalaz,
Thank you for posting your query here!
As explained in the official doc, enabling AD DS authentication for your Azure file shares allows you to authenticate to your Azure file shares with your on-prem AD DS credentials. Further, it allows you to better manage your permissions to allow granular access control. Doing this requires syncing identities from on-prem AD DS to Azure AD with AD Connect. You control the share-level access with identities synced to Azure AD while managing file/share-level access with on-prem AD DS credentials.
So, you need to start with part 1, where, after enabling the Active Directory Domain Services (AD DS) authentication feature, you must configure your storage account and your AD DS to use AD DS credentials for authenticating to your Azure file share. To enable AD DS authentication over SMB for Azure file shares, you need to register your storage account with AD DS and then set the required domain properties on the storage account.
You need to run Join-AzStorageAccount cmdlet which performs the equivalent of an offline domain join on behalf of the specified storage account.
Refer : https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable
To configure ACLs with superuser permissions, you must mount the share by using your storage account key from your domain-joined VM.
Full administrative control of a file share, including the ability to take ownership of a file, requires using the storage account key. Administrative control is not supported with Azure AD credentials.
Refer : https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-configure-permissions#supported-permissions
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal
Also, as mentioned here, if you are not able to load the AD domain information correctly in Windows File Explorer, this is likely due to trust configuration in your on-prem AD environment. The client machine was not able to reach the AD domain controller registered for Azure Files authentication. In this case, use icacls for configuring Windows ACLs.
This is a known issue and is documented in the below troubleshooting doc:
https://learn.microsoft.com/en-us/azure/storage/files/storage-troubleshoot-windows-file-connection-problems?tabs=azure-portal#unable-to-configure-directoryfile-level-permissions-windows-acls-with-windows-file-explorer
The recommended solution is to use icacls tool to configure the directory/file level permissions as a workaround.
If you wish you may leave your feedback in the below forum requesting a feature. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.
https://feedback.azure.com/d365community/forum/a8bb4a47-3525-ec11-b6e6-000d3a4f0f84
Do let us know if you have any further queries. I’m happy to assist you further.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
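The procedure in the answer above (register the storage account with AD DS, assign share-level access, mount once with the storage account key to write ACLs with icacls, then drop the key), scripted end to end as an added example. This is not code from the original answer or from the linked Microsoft docs; it is written against the public Az.Accounts, Az.Storage and AzFilesHybrid cmdlets and the Windows `net use` and `icacls` tools. Every value assigned at the top (subscription ID, resource group, storage account, share, OU, AD group names and the `finance` directory) is a placeholder for this example and must be replaced; the script assumes it runs in an elevated PowerShell session on a domain-joined VM as an AD user allowed to create objects in the target OU.

```powershell
# Added example, not part of the original answer. All identifiers below are placeholders.
# Prerequisites: Az.Accounts, Az.Storage and the AzFilesHybrid module imported,
# run from a domain-joined VM with TCP 445 reachable to the storage account.

$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$ResourceGroup  = "rg-files"                               # placeholder
$StorageAccount = "stfilesdemo"                            # placeholder, lowercase, 3-24 chars
$ShareName      = "share01"                                # placeholder
$SamAccountName = "stfilesdemo"                            # AD object name, 20 chars or fewer (assumed)
$OuDn           = "OU=StorageAccounts,DC=contoso,DC=com"   # placeholder OU
$FinanceGroupId = "11111111-1111-1111-1111-111111111111"   # placeholder: Azure AD object ID of the synced group
$FinanceGroup   = "CONTOSO\Finance-RW"                     # placeholder: the same group, on-prem name
$AdminGroup     = "CONTOSO\Domain Admins"                  # placeholder admin group
$DriveLetter    = "Z"

Import-Module -Name AzFilesHybrid
Connect-AzAccount
Select-AzSubscription -SubscriptionId $SubscriptionId

# Step 1: offline domain join of the storage account. This creates the AD object
# under $OuDn and writes the domain properties onto the storage account.
Join-AzStorageAccount `
    -ResourceGroupName $ResourceGroup `
    -StorageAccountName $StorageAccount `
    -SamAccountName $SamAccountName `
    -DomainAccountType ComputerAccount `
    -OrganizationalUnitDistinguishedName $OuDn `
    -EncryptionType AES256

# Verify the account now reports AD DS as its directory service before going further.
$sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
if ($sa.AzureFilesIdentityBasedAuth.DirectoryServiceOptions -ne "AD") {
    throw "AD DS authentication is not enabled on $StorageAccount"
}
$sa.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties | Format-List

# AzFilesHybrid's checker validates port 445, the AD object, the Kerberos ticket
# and share-level RBAC from this client; useful when File Explorer cannot resolve the domain.
Debug-AzStorageAccountAuth -StorageAccountName $StorageAccount -ResourceGroupName $ResourceGroup -Verbose

# Step 2: share-level access for the synced group (RBAC on the file share scope).
$ShareScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
              "/providers/Microsoft.Storage/storageAccounts/$StorageAccount" +
              "/fileServices/default/fileshares/$ShareName"
New-AzRoleAssignment -ObjectId $FinanceGroupId `
    -RoleDefinitionName "Storage File Data SMB Share Contributor" `
    -Scope $ShareScope

# Step 3: mount with the storage account key for the ACL session only. The key
# bypasses identity-based auth entirely, so fetch it at run time, never store it.
$Fqdn = "$StorageAccount.file.core.windows.net"
if (-not (Test-NetConnection -ComputerName $Fqdn -Port 445).TcpTestSucceeded) {
    throw "TCP 445 to $Fqdn is blocked; the SMB mount will fail"
}
$Key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount)[0].Value
net use "${DriveLetter}:" "\\$Fqdn\$ShareName" "/user:Azure\$StorageAccount" $Key

# Step 4: directory/file-level ACLs with icacls (the workaround from the answer).
# Inheritance is removed first so the directory carries only the explicit ACEs below.
$Dir = "${DriveLetter}:\finance"                            # placeholder directory
New-Item -ItemType Directory -Path $Dir -Force | Out-Null
icacls $Dir /inheritance:r
icacls $Dir /grant "${FinanceGroup}:(OI)(CI)M"              # modify, inherited by subfolders and files
icacls $Dir /grant "${AdminGroup}:(OI)(CI)F"                # full control for the admin group
icacls $Dir                                                  # print the resulting ACL for review

# Step 5: drop the key-based mapping. Day-to-day access goes through AD credentials:
# share-level RBAC from step 2 plus the NTFS ACLs from step 4.
net use "${DriveLetter}:" /delete /y
Remove-Variable Key
```

Run the RBAC assignment and the ACL block as separate change windows if your process requires it; the only step that needs the storage account key is the mount in step 3, and the key is discarded as soon as the ACLs are written. If `Debug-AzStorageAccountAuth` reports a Kerberos or domain-controller reachability failure, that is the same condition the troubleshooting doc describes for File Explorer, and icacls over the key-mounted drive still works because it does not depend on resolving the domain from the client.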