Can I use azure files and still manage access in a directory and file level without local on premise managed domain (just Entra ID for cloud users only)?

Barak Peley 0 Reputation points
2024-06-03T08:40:05.65+00:00

Hi, I only have Entra ID for cloud users. I want to use Azure Files as a file server.

Is there a way to configure access for Entra ID users and to configure directory and file permissions per Entra ID user without an on-premises domain?


4 answers

  1. innovation gadget 155 Reputation points
    2024-06-03T09:03:20.0533333+00:00

    Hello Barak Peley

    Yes, you can configure Azure Files to use Azure AD (now known as Microsoft Entra ID) for identity-based access control without needing an on-premises domain. This allows you to manage permissions for Azure Files using Entra ID users. Below are the steps to achieve this:

    Step-by-Step Guide to Configure Azure Files with Entra ID Authentication

    **Create an Azure Storage Account:**

    - In the Azure portal, navigate to "Storage accounts".
    - Click on "+ Create" to create a new storage account.
    - Fill in the necessary details and ensure the account kind is set to "StorageV2 (general-purpose v2)".
    - Once created, navigate to the storage account.

    **Enable Azure AD Authentication for Azure Files:**

    - Go to the "Configuration" tab in the storage account.
    - Set "Azure Active Directory Domain Services" (Azure AD DS) to "Enabled".
    - Save the changes.

    **Assign Azure RBAC Roles for Azure Files:**

    - Go to the "Access control (IAM)" tab in the storage account.
    - Click on "+ Add role assignment".
    - Select the appropriate role for the users who need access to Azure Files, such as "Storage File Data SMB Share Contributor" or "Storage File Data SMB Share Reader".
    - Assign the role to the Entra ID users or groups who need access.

    **Create and Configure File Shares:**

    - Go to the "File shares" tab in the storage account.
    - Click on "+ File share" to create a new file share.
    - After creating the file share, you can set directory and file-level permissions using Azure Files ACLs.

    **Connect to Azure Files from a Client:**

    - On the client machine (e.g., a Windows PC), ensure you are signed in with an Entra ID account that has been granted access.
    - Map the Azure File Share using the following steps:
      - Open File Explorer and click on "This PC".
      - Click on "Map network drive".
      - Choose a drive letter and enter the file share path (e.g., `\\<storage-account-name>.file.core.windows.net\<file-share-name>`).
      - Check "Connect using different credentials".
      - Use your Entra ID credentials to connect.

    **Set Directory and File Permissions:**

    Use the Azure portal or Azure PowerShell to set ACLs (Access Control Lists) on directories and files within the file share.

    You can use Azure PowerShell to set fine-grained permissions:

    ```powershell
    # Install the Azure PowerShell module if not already installed
    Install-Module -Name Az -AllowClobber -Scope CurrentUser
    Import-Module Az

    # Connect to Azure
    Connect-AzAccount

    # Get the storage account context
    $storageAccount = Get-AzStorageAccount -ResourceGroupName "<your-resource-group>" -Name "<your-storage-account>"
    $ctx = $storageAccount.Context

    # Set ACL for a directory
    $acl = New-AzStorageFileSmbShareAclObject
    $acl.Permissions = "rwx"                 # Replace with desired permissions
    $acl.PrincipalId = "<user-object-id>"    # Object ID of the Entra ID user or group
    $acl.Path = "<directory-path>"

    Set-AzStorageFileSmbShareAcl -Context $ctx -ShareName "<file-share-name>" -AclObject $acl
    ```

    Important Considerations

    • Entra ID Roles vs. ACLs: Azure RBAC roles are used to grant access to the entire file share, while ACLs allow you to set permissions on specific directories and files.
    • Supported Clients: Ensure that the client operating system supports Azure AD authentication for Azure Files (Windows 10 version 1809 or later, Windows Server 2019 or later).
    • Performance: Azure Files performance can vary based on the storage account and file share configuration. Consider using Premium tier for better performance if needed.

    Troubleshooting

    • Permissions Issues: Ensure that the Entra ID users have been correctly assigned the necessary RBAC roles and that ACLs are correctly configured.
    • Authentication Errors: Verify that the client machine is correctly joined to Entra ID and that the user is signed in with the correct credentials.

    By following these steps, you can configure Azure Files to serve as a file server with permissions managed through Microsoft Entra ID, enabling you to control access without the need for an on-premises domain.


  2. akinbade abiola 18,305 Reputation points
    2024-06-03T09:07:39.5433333+00:00

    Hello Barak Peley,

    Thanks for your question.

    Yes, natively if you leverage Entra Domain Services.

    Azure Files supports identity-based authentication for Windows file shares over Server Message Block (SMB) using the Kerberos authentication protocol through the following methods:

    On-premises Active Directory Domain Services (AD DS)

    Microsoft Entra Domain Services

    Microsoft Entra Kerberos for hybrid user identities


    This is documented here: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-domain-services-enable?tabs=azure-portal

    Please let me know if you have further questions.

    You can mark it 'Accept Answer' if this helped.


  3. Anand Prakash Yadav 7,795 Reputation points Microsoft Vendor
    2024-06-04T07:12:30.1533333+00:00

    Hello Barak Peley,

    Thank you for posting your query here!

    You can access Azure Files using a domain identity even if the machine you are accessing from is not domain joined. Azure Files supports authentication from non-domain joined devices if the client has line-of-sight to the domain controller and the user types in their AD domain credentials. Note that for non-domain-joined machines wishing to access Azure Files with Azure AD DS (not on-premises AD DS), customers would want to set up line-of-sight to the domain controllers for Azure AD DS, which are located in Azure. They would have to set up this connectivity through either site-to-site or point-to-site VPN.

    Also, Microsoft Entra ID (formerly Azure AD) allows Kerberos authentication without the need for line-of-sight to domain controllers. However, the support is limited to hybrid user identities (identities created in AD DS and synced to Azure AD using Azure AD Connect). Cloud-only identities aren't currently supported.

    Do let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.


  4. Sumarigo-MSFT 47,021 Reputation points Microsoft Employee
    2024-06-27T13:46:26.5366667+00:00

    @Barak Peley, Adding more information to the above response

    If I understand your question correctly, you want to use Azure Files as a file server and configure access and permissions for users who only have Entra IDs, without using an on-premises domain.

    Azure Files supports two types of authentication: Active Directory Domain Services (AD DS) authentication and Azure Active Directory (Azure AD) authentication. AD DS authentication requires an on-premises domain controller, which is not what you want. However, Azure AD authentication allows you to use cloud-based identities, such as Entra IDs, to access Azure Files.

    Yes, you can configure Azure Files to use Azure Active Directory (Azure AD, now known as Microsoft Entra) identities for authentication and access control without an on-premises domain. Here's a high-level overview of the process:

    Enable Azure AD Authentication for Azure Files: In your Azure Storage account, you need to enable Azure AD authentication for Azure Files. This allows you to use Azure AD identities to access files.

    Assign Azure Roles: Assign Azure roles to control what actions a user can perform on the file share. For example, you can assign the "Storage File Data SMB Share Contributor" role to allow a user to read, write, and delete files.

    Set NTFS Permissions: If you need more granular control, you can set NTFS permissions on the files and directories within the file share. Azure Files supports preserving, inheriting, and enforcing NTFS permissions.

    Access Azure Files: Users can access Azure Files directly from Windows, macOS, or Linux using their Azure AD credentials.

    Use Azure File Sync: If you want to sync your on-premises files with Azure Files, you can use Azure File Sync without an on-premises domain. Azure File Sync can sync with Azure Files using Azure AD identities.

    Please note that while Azure AD can be used for authentication, authorization in Azure Files is still managed through Access Control Lists (ACLs) and role assignments. Make sure to review the Azure documentation for the latest instructions and best practices for setting up Azure Files with Azure AD. If you need further assistance, consider reaching out to Azure support or your IT department for help with configuration and permissions management.

    Additional information : To configure Azure AD authentication for Azure Files, you need to create an Azure AD tenant and register your Azure Files account with Azure AD. You can then create Azure AD users or groups and assign them permissions to access your Azure Files shares. You can also use Azure AD Domain Services to provide domain services for your Azure AD users.

    To configure directory and file permissions for Azure AD users, you can use Access Control Lists (ACLs) on the files and directories in your Azure Files shares. You can set permissions for individual users or groups, and you can use the Azure Files REST API or Azure PowerShell to manage ACLs.

    Keep in mind that Azure Files is not a full-featured file server like Windows Server, and it may not support all the features and capabilities that you need. However, it can be a good solution for simple file sharing scenarios, especially if you want to use cloud-based identities like Entra IDs.

    I hope this helps. Let me know if you have any other questions or concerns.

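The share-level role assignment and the directory-level ACL step that answers 1 and 4 describe, as an added example (not code from any of the answers above or from Microsoft). All `<...>` names are placeholders; it assumes the Az module is installed and you are signed in, and that the identity you grant in icacls is one the share's configured identity source (Entra Domain Services or a hybrid identity, as discussed above) can resolve.

```powershell
# Added example; placeholder names in <...> are assumptions, not values from this thread.
# Requires: Install-Module Az; Connect-AzAccount
$rg        = "<your-resource-group>"
$account   = "<your-storage-account>"
$share     = "<file-share-name>"
$groupName = "<entra-group-display-name>"   # grant to a group rather than individual users

# 1. Scope the RBAC assignment to the single file share, not the whole storage account.
#    The share-level role only decides who may open the share; the Windows ACLs inside the
#    share decide what each identity can do to individual directories and files.
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $account
$shareScope = "$($sa.Id)/fileServices/default/fileshares/$share"

$group = Get-AzADGroup -DisplayName $groupName
# Reader is enough for the share-level gate; use "Storage File Data SMB Share Contributor"
# only for groups that genuinely need write access at the share level.
New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName "Storage File Data SMB Share Reader" `
    -Scope $shareScope

# 2. Verify nothing wider than the share was granted.
Get-AzRoleAssignment -Scope $shareScope |
    Where-Object { $_.RoleDefinitionName -like "Storage File Data SMB*" } |
    Select-Object DisplayName, RoleDefinitionName, Scope

# 3. Directory-level permissions are ordinary Windows ACLs. From an admin session, mount the
#    share once with the storage account key (bypasses identity auth), set ACLs with icacls,
#    then remove the mapping so the key-based path is not left in place.
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $account)[0].Value
net use Z: "\\$account.file.core.windows.net\$share" /user:"Azure\$account" $key

# Break inheritance on the Finance folder and grant Modify to the finance group only.
# (OI)(CI) = files and subfolders inherit; M = Modify; F = Full; /inheritance:r drops inherited ACEs.
icacls "Z:\Finance" /inheritance:r
icacls "Z:\Finance" /grant "<DOMAIN>\<finance-group>:(OI)(CI)M"
icacls "Z:\Finance" /grant "<DOMAIN>\<admins-group>:(OI)(CI)F"

# Review the resulting ACL, then drop the key-based mapping.
icacls "Z:\Finance"
net use Z: /delete
```

Users then connect with their own credentials as described above; the storage account key is used only in this administrative session to write the ACLs.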
