![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 28.000000000000004%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPP%3C/text%3E%3C/svg%3E)
Azure Files
An Azure service that offers file shares in the cloud.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 38%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
AFAIK, the recommended approach to such migration would involve an abstraction layer, rather than implemented SMB aliasing combined with Active Directory–based authentication.
Azure Files SMB endpoints use names like \\storageaccount.file.core.windows.net\share. When you domain-join Azure Files using AD DS or Entra ID Kerberos, authentication works against that service principal name. If you create a DNS CNAME such as server-name.domain.local pointing to storageaccount.file.core.windows.net, Kerberos authentication would fail unless the storage account is configured to support that alternate SPN. To support arbitrary DNS aliasing you would need to configured the storage account for AD DS authentication and then register appropriate SPNs.
My suggestion would be to introduce DFS-N before migration. You create a namespace such as \\domain.local\files\share-name and configure DFS folder targets that point to the existing file servers. Clients are then migrated to use the DFS path. After adoption, you migrate the data to Azure Files and update the DFS folder target to the Azure Files UNC path. Because clients access the DFS namespace rather than the physical server, no further client changes are required.
If you absolutely need to preserve the exact existing UNC path \\server-name\share-name, then you'd need to reuse the server name as a DNS alias and configure Azure Files for Active Directory Domain Services authentication, then register the corresponding SPN on the storage account’s computer object in AD. This typically involves setting the storage account to use AD DS authentication and validating SPNs similar to:
setspn -L <StorageAccountADObjectName>
Microsoft documentation covers the migration model which includes Azure Files identity-based authentication with Active Directory Domain Services, planning for an Azure Files deployment, and file server migration guidance using Azure File Sync and DFS Namespaces. Azure File Sync is frequently used as a transition mechanism - you install the Azure File Sync agent on existing file servers, sync data to Azure Files, cut over gradually, then either keep a lightweight server as a cache layer or remove it entirely while redirecting access via DFS-N.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 71%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGP%3C/text%3E%3C/svg%3E)