authentication and accessing Azure Files using Entra ID users

Kamal Jayaram 0 Reputation points
2024-07-19T09:06:21.85+00:00

Could you please help me with high-level steps to use Entra ID users for authentication and accessing Azure Files.


6 answers

  1. Nehruji R 8,146 Reputation points Microsoft Vendor
    2024-07-22T05:32:45.5466667+00:00

    Hello Kamal Jayaram,

    Greetings! Welcome to Microsoft Q&A Platform.

    Adding to the above information, Azure Storage supports using Microsoft Entra ID to authorize requests to blob data. With Microsoft Entra ID, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Microsoft Entra ID to return an OAuth 2.0 token. The token can then be used to authorize a request against the Blob service. You can use Azure Files with 100% cloud authentication using existing Microsoft 365 email accounts to access via SMB mapping and assign access permissions to each share folder via a Microsoft 365 security group. Azure Files supports identity-based authorization over SMB (Server Message Block) through Azure Active Directory (Azure AD) integration. You can authorize requests with Azure AD for the Blob and Queue services via Azure role-based access control (Azure RBAC).

    To access Azure Files, you can use Azure AD credentials to authenticate and authorize access to the file share. You can assign Azure built-in roles like Storage File Data SMB Share Reader to users or groups in Azure AD to grant access to an Azure file share. At the directory/file level, Azure Files supports preserving, inheriting, and enforcing Windows ACLs just like any Windows file server. You can choose to keep Windows ACLs when copying data over SMB between your existing file share and your Azure file shares. Whether you plan to enforce authorization or not, you can use Azure file shares to back up ACLs along with your data.

    So, you can use Microsoft 365 security groups to assign access permissions to each share folder via Azure AD.

    Microsoft Entra Domain Services

    For Microsoft Entra Domain Services authentication, you should enable Microsoft Entra Domain Services and domain-join the VMs you plan to access file data from. Your domain-joined VM must reside in the same virtual network (VNET) as your Microsoft Entra Domain Services.

    The following diagram represents the workflow for Microsoft Entra Domain Services authentication to Azure file shares over SMB. It follows a similar pattern to on-premises AD DS authentication, but there are two major differences:

    You don't need to create the identity in Microsoft Entra Domain Services to represent the storage account. This is performed by the enablement process in the background.

    All users that exist in Microsoft Entra ID can be authenticated and authorized. The user can be cloud-only or hybrid. The sync from Microsoft Entra ID to Microsoft Entra Domain Services is managed by the platform without requiring any user configuration. However, the client must be joined to the Microsoft Entra Domain Services hosted domain. It can't be Microsoft Entra joined or registered. Microsoft Entra Domain Services doesn't support non-Azure clients (i.e. user laptops, workstations, VMs in other clouds, etc.) being domain-joined to the Microsoft Entra Domain Services hosted domain. However, it's possible to mount a file share from a non-domain-joined client by providing explicit credentials such as DOMAINNAME\username or using the fully qualified domain name (username@FQDN).

    This article explains how Azure file shares can use domain services, either on-premises or in Azure, to support identity-based access to Azure file shares over SMB. Enabling identity-based access for your Azure file shares allows you to replace existing file servers with Azure file shares without replacing your existing directory service, maintaining seamless user access to shares.

    Overview of Azure Files identity-based authentication options for SMB access

    Azure Files supports identity-based authentication for Windows file shares over Server Message Block (SMB) using the Kerberos authentication protocol through the following methods:

    • On-premises Active Directory Domain Services (AD DS)
    • Microsoft Entra Domain Services
    • Microsoft Entra Kerberos for hybrid user identities

    Hope this information helps! Please let us know if you have any further queries. I'm happy to assist you further.

    Please "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

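The share-level step of the answer above (assigning a built-in Azure Files SMB data role such as Storage File Data SMB Share Reader to an Entra ID user or group) as an added Azure CLI example, not code from the original answer. It scopes the grant to a single file share rather than the whole storage account; the subscription, resource group, account, share and principal values are placeholders, and nothing is executed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example: grant an Entra ID user or group one of the built-in
# Azure Files SMB share roles at the scope of one file share via az CLI.
# All names are placeholders; az is only invoked when DRY_RUN=0.

# The three built-in share-level data roles Azure Files uses for SMB
# access (share permission only; NTFS ACLs still apply underneath).
is_smb_share_role() {
  case "$1" in
    "Storage File Data SMB Share Reader"|\
    "Storage File Data SMB Share Contributor"|\
    "Storage File Data SMB Share Elevated Contributor") return 0 ;;
    *) return 1 ;;
  esac
}

# Resource ID of a single share: assigning here instead of at the
# storage account keeps the grant to the share the principal needs.
share_scope() {
  sub="$1"; rg="$2"; account="$3"; share="$4"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/fileServices/default/fileshares/%s' \
    "$sub" "$rg" "$account" "$share"
}

# Print (DRY_RUN=1, the default) or run the role assignment; refuses
# roles that are not Azure Files SMB share roles (e.g. Owner).
assign_share_role() {
  principal="$1"; role="$2"; scope="$3"
  is_smb_share_role "$role" || { echo "not an Azure Files SMB share role: $role" >&2; return 1; }
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf 'az role assignment create --assignee %s --role "%s" --scope %s\n' "$principal" "$role" "$scope"
  else
    az role assignment create --assignee "$principal" --role "$role" --scope "$scope"
  fi
}

main() {
  [ $# -eq 6 ] || { echo "usage: $0 <subscription-id> <resource-group> <storage-account> <share> <user-or-group> <role>" >&2; return 2; }
  scope=$(share_scope "$1" "$2" "$3" "$4")
  assign_share_role "$5" "$6" "$scope"
}

# Only act when arguments are given, so the functions can be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

The principal passed to --assignee is the user's UPN or the group's object ID; mounting with DOMAINNAME\username credentials, as the answer describes, only succeeds once this share-level role and the NTFS ACLs both permit the access.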
