How to use Azure Active Directory Domain Services to control ACL on storage/fileshare

Question

How to use Azure Active Directory Domain Services to control ACL on storage/fileshare

Scott Ham 0

Hi everyone, I am trying to accomplish the following

Access the fileshare remotely off premise using username / password not keys
Allow only VPN to access the file share.
How to manage fileshare/folders ACL with very same way of having a domain controller and giving users read only or write access to folders/files.

Thanks

1 answer

Your answer

Answer 1

Luke Murray 11,436 MVP Volunteer Moderator

Hi, Scott.

You should be able to:

Stand up Azure Active Directory Domain Services
Setup an Azure Point-to-Site VPN
Stand up an Azure storage account, for Azure Files
Setup storage account with private endpoints for file share (this puts is on the same network as your VPN)
Create a File share and setup permissions (storage account key first, then for Windows ACLS).

Have a read of this MS document, its very close to what your after:

https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable?tabs=azure-portal

Scott Ham 0 Reputation points

2023-01-16T23:52:31.8766667+00:00

Hi thanks for responding. So I got everything working prior to vpn.

I can map from my Windows Box using \xxxxxxxx\filesharexxx I have to use login "azure\name of storage" then the key as the password.

But it only works when I select public network access (under networking on storage). When I change it to "Enabled from selected virtual networks and IP addresses" I did setup vpn I did the self signed root Cert and client cert. Did the download VPN from azure portal. I can see the VPN connection on my laptop and choose to connect and it connects fine. Then I try to remap same way it keeps asking for password over and over. But worked prior to removing public access.

I also did on same section add endpoint and created that too. Something else missing here?

I did choose Azure Directory domain services and it's now configured on the file share folder I created. I did choose default share level permissions as "storage file data smb contirbutor"

I'm still hoping I can get to the point where I can authenticate without a key and use vpn to map to my \storagename\fileshare and use ******@xxxxxx.com and my own password. That's the goal.

Thanks so much

Scott
Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-01-17T00:20:08.3666667+00:00
At guess it may be DNS.

Its not working, as the DNS lookup is hitting the Public IP and not the private IP (you can do an nslookup on the storage account URL to see if the private IP is listed).

You could try changing the local host file for testing to point to the private IP of the storage private endpoint, then look at Private DNS Resolver.

https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview

https://luke.geek.nz/azure/azure-point-to-site-vpn-and-private-dns-resolver/
Scott Ham 0 Reputation points

2023-01-17T00:51:21.8733333+00:00

Ok - I will poke some more - thanks.

Share via

How to use Azure Active Directory Domain Services to control ACL on storage/fileshare

1 answer

Your answer