Using Azure File Storage with Azure VPN

Greg Thomas 121 Reputation points
2022-12-29T18:57:45.337+00:00

Hi,

We are using Azure File Storage with an Azure-based VNET and Azure VPN.

On our VNET, all our VMs are joined to an Azure Domain Controller. We have locked down our Azure File Storage with a private endpoint and secured it to the specific VNET.

On the VMs, we can connect to the Azure File Storage shares by using AD Authentication and IAM.

We have desktop clients (not in the cloud) that are not joined to the Azure Domain Controller. When we connect to the VPN via these clients (using Azure AD Credentials) we have to use the Azure Storage Key option when connecting to our file shares.

Is there any reason that we cannot use Azure Authentication to do this? This would be our preferred path.

Thank you - Greg.


2 answers

  1. Ramya Harinarthini_MSFT 5,306 Reputation points Microsoft Employee
    2023-01-02T11:15:10.72+00:00

    @Greg Thomas Welcome to Microsoft Q&A! Thank you for posting your question here.

    Azure AD DS doesn't support non-cloud VMs (i.e. user laptops, workstations, VMs in other clouds, etc.) being domain-joined to the Azure AD DS hosted domain.

    For on-premises AD DS authentication, you must set up your AD domain controllers and domain-join your machines or VMs. You can host your domain controllers on Azure VMs or on-premises. Either way, your domain-joined clients must have line of sight to the domain controller, so they must be within the corporate network or virtual network (VNET) of your domain service.

    The following diagram depicts on-premises AD DS authentication to Azure file shares over SMB. The on-premises AD DS must be synced to Azure AD using Azure AD Connect sync or Azure AD Connect cloud sync. Only hybrid user identities that exist in both on-premises AD DS and Azure AD can be authenticated and authorized for Azure file share access. This is because the share-level permission is configured against the identity represented in Azure AD, whereas the directory/file-level permission is enforced with that in AD DS. Make sure that you configure the permissions correctly against the same hybrid user.

    [Diagram: on-premises AD DS authentication to Azure file shares over SMB]

    To learn how to enable AD DS authentication, first read Overview - on-premises Active Directory Domain Services authentication over SMB for Azure file shares and then see Enable on-premises Active Directory Domain Services authentication over SMB for Azure file shares.

    Hope this helps!
    Kindly let us know if the above helps or you need further assistance on this issue.

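The answer above splits identity-based access into three pieces: the storage account's directory service, the share-level Azure RBAC role (evaluated against the Azure AD side of the hybrid user) and the NTFS ACL (evaluated against the AD DS side). The following diagnostic is an added example, not code from this thread or from Microsoft's documentation; it assumes the Az PowerShell module, an already signed-in session (`Connect-AzAccount`), a Windows client with SMB line of sight to the share, and the placeholder resource and user names marked below.

```powershell
# Added diagnostic (not from the thread). Assumes Az PowerShell and a signed-in session.
# All names below are placeholders; replace them with your own.
param(
    [string]$ResourceGroup  = "rg-placeholder",
    [string]$StorageAccount = "stplaceholder",
    [string]$ShareName      = "share-placeholder",
    [string]$UserPrincipal  = "user@corp.example",   # Azure AD side of the hybrid user (constructed)
    [string]$AdUser         = "CORP\user"            # AD DS side of the same user (constructed)
)

$sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount

# 1. Directory service. "AD" is on-premises AD DS (the mode the answer describes);
#    "AADDS" is Azure AD DS, which cannot serve clients that are not cloud-joined.
$dirOpt = $sa.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
switch ($dirOpt) {
    "AD"    { "OK   directory service: on-premises AD DS" }
    "AADDS" { "WARN directory service: Azure AD DS; non-joined external clients fall back to the storage key" }
    default { "FAIL directory service: '$dirOpt' (identity-based auth not enabled)" }
}

# 2. Share-level permission: an SMB Share RBAC role assigned to the Azure AD identity.
#    Get-AzRoleAssignment -Scope also returns assignments inherited from parent scopes.
$shareScope = "$($sa.Id)/fileServices/default/fileshares/$ShareName"
$smbRoles   = @("Storage File Data SMB Share Reader",
                "Storage File Data SMB Share Contributor",
                "Storage File Data SMB Share Elevated Contributor")
$assigned = Get-AzRoleAssignment -SignInName $UserPrincipal -Scope $shareScope |
            Where-Object { $smbRoles -contains $_.RoleDefinitionName }
if ($assigned) { "OK   share-level: $($assigned.RoleDefinitionName -join ', ') for $UserPrincipal" }
else           { "FAIL share-level: no SMB Share role for $UserPrincipal at $shareScope" }

# 3. Directory/file-level permission: the NTFS ACL on the share, which names the AD DS
#    identity. Reading it needs an SMB session, i.e. VPN / private-endpoint line of sight.
$unc = "\\$StorageAccount.file.core.windows.net\$ShareName"
try {
    $ace = (Get-Acl -Path $unc).Access |
           Where-Object { $_.IdentityReference.Value -eq $AdUser }
    if ($ace) { "OK   file-level: $($ace.FileSystemRights -join ', ') for $AdUser" }
    else      { "FAIL file-level: no NTFS ACE for $AdUser on $unc" }
} catch {
    "FAIL file-level: cannot read ACL on $unc ($($_.Exception.Message))"
}
```

Both the share-level and file-level lines must report OK for the same hybrid user before an SMB mount with that user's credentials can succeed.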

  2. Greg Thomas 121 Reputation points
    2023-01-05T12:10:23.023+00:00

    Hi @Ramya Harinarthini_MSFT - thank you for this.

    In our scenario, the laptop device is connected to our Active Directory DNS (AADNS). There are no on-premise components, everything is in the cloud.

    We are currently not doing any syncing of users between on-premise and cloud either.

    Thank you.