Azure file share without on-site AD or hybrid

Adrian Donlan 0

I have a client who has just suffered a catastrophic file server failure. They only had a Windows storage server 2012r2 which was adequate for their needs as the majority of their staff are remote and didn't need access to the server. I retrieved the data from the server and placed it into an Azure file share, since they use Office365 Premium and Azure for some apps. They want to move fully to the cloud but I'm unsure on how to allow access to the file share using Azure AD . When I try to access the share as a Azure AD user with appropriate rights I get a invalid user name or password error, I can access the share using a storage key but that's not really ideal. I have read lots of the documentation but its not really helped with this scenario. Is this possible?

SaiKishor-MSFT 17,231 Reputation points

2023-03-17T20:15:11.4633333+00:00

@Adrian Donlan Yes, it is possible to allow access to the Azure file share using Azure AD. You need to enable identity-based authentication over Server Message Block (SMB) for Azure Files through Azure Active Directory Domain Services (Azure AD DS). Your domain-joined Windows VMs can then access Azure file shares by using Azure AD credentials.

To enable Azure AD DS authentication over SMB for your storage account, you need to set a property on storage accounts by using the Azure portal, Azure PowerShell, or Azure CLI. Setting this property implicitly "domain joins" the storage account with the associated Azure AD DS deployment. Azure AD DS authentication over SMB is then enabled for all new and existing file shares in the storage account.

You can find more information on how to enable Azure AD DS authentication over SMB for Azure Files in the following documentation: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable?tabs=azure-portal

However, I see you are unable to access the file share as an Azure AD user. Can you please check if the share level permissions are assigned as required- https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal and if possible, please confirm you followed all the steps as mentioned in the above article. Thank you!
SaiKishor-MSFT 17,231 Reputation points

2023-03-21T18:21:14.09+00:00

@Adrian Donlan I am reaching out to see if you have any further questions. If so, please let us know and we will be glad to assist further. If the below answer was helpful, please make sure to Accept it as answer as it helps other members in the community. Thank you!
Sumarigo-MSFT 45,786 Reputation points Microsoft Employee

2023-03-31T02:49:48.1933333+00:00

@Adrian Donlan Just checking in to see if the below answer helped. If this answers your query, do click "Accept the answer” for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Jon Schneider 10 Reputation points

2023-09-07T03:19:13.7766667+00:00

I feel like the proposed solution misses the point. The need is to have an Azure AD/Intune joined device access an Azure Files share with Azure AD auth (not necessarily SMB, but mountable to a drive letter). Joining end-user devices to Azure AD DS seems like it would be counter productive to having them Azure AD joined and eliminate 90% of the benefits of having auth work independently of a VPN.

1 answer

Michael Durkan 12,201 Reputation points MVP

2023-03-17T12:25:06.7366667+00:00
Hi

as per this article, you will probably need to enable Azure AD DS on the customer tenant for authentication:

https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable?tabs=azure-portal

The supported authentication scenarios for Azure Files can be found here:

https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview#supported-authentication-scenarios

As you can see, Azure AD with Kerberos is only supported for Hybrid identities.

Hope this helps,

Thanks

Michael Durkan

If the reply was helpful please upvote and/or accept as answer as this helps others in the community with similar questions. Thanks!
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure file share without on-site AD or hybrid

1 answer

Your answer