I think both of your approaches are valid. The first approach, using a GPO to prevent password aging, is a good option if you want to prevent users from changing the password of the computer account. This can be useful if you have a lot of users who access the Azure Files shares and you don't want them to be able to change the password.
The second approach, using the Update-AzStorageAccountADObjectPassword cmdlet to rotate the Kerberos keys, is a good option if you want to ensure that the Kerberos keys are rotated on a regular basis. This can help to protect the Azure Files shares from attack.
Ultimately, the best approach for you will depend on your specific needs and requirements. If you are concerned about users changing the password of the computer account, then the first approach is a good option. If you are concerned about security, then the second approach is a good option.
Here are some additional things to consider:
- If you use the first approach, you will need to make sure that you have a process in place for resetting the password of the computer account if it is ever lost or compromised.
- If you use the second approach, you will need to make sure that you have a process in place for rotating the Kerberos keys on a regular basis.
- You should also consider using Azure Active Directory (AD) Connect to synchronize your on-premises AD with Azure AD. This will allow you to manage the password of the computer account in Azure AD, which can make it easier to manage and secure.
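As an added illustration of the second approach (this is example code, not part of the original answer): a PowerShell script that rotates the storage account's Kerberos key to the alternate kerb key and then checks the AD computer object's PasswordLastSet, so an unexpected password change on that object (the failure the GPO in the first approach is meant to prevent) is caught. It assumes the AzFilesHybrid, Az.Storage and ActiveDirectory modules are installed, an active Connect-AzAccount session, that the computer object's name matches the storage account name, and placeholder resource names.

```powershell
# Added example (not from the original answer): rotate the Azure Files
# storage account's Kerberos key and verify the AD computer object afterwards.
# Assumptions: AzFilesHybrid (Update-AzStorageAccountADObjectPassword),
# Az.Storage and ActiveDirectory RSAT modules are installed, Connect-AzAccount
# has been run, and the AD computer object is named after the storage account.
param(
    [string]$ResourceGroupName = "<resource-group>",      # placeholder
    [string]$StorageAccountName = "<storage-account>",    # placeholder
    # Kerb key the AD computer object currently uses; we rotate to the other one.
    [ValidateSet("kerb1", "kerb2")]
    [string]$CurrentKerbKey = "kerb1"
)

Import-Module AzFilesHybrid
Import-Module ActiveDirectory

$newKerbKey = if ($CurrentKerbKey -eq "kerb1") { "kerb2" } else { "kerb1" }

# 1. Regenerate the key we are about to switch to, so the new AD password
#    is a fresh value rather than the one that has been sitting unused.
New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName `
    -Name $StorageAccountName -KeyName $newKerbKey | Out-Null

# 2. Set the AD computer object's password to the regenerated kerb key.
Update-AzStorageAccountADObjectPassword -RotateToKerbKey $newKerbKey `
    -ResourceGroupName $ResourceGroupName `
    -StorageAccountName $StorageAccountName

# 3. Verify: PasswordLastSet on the computer object should now be recent.
#    If anything other than this process later changes that password (for
#    example a machine-account password change the GPO was meant to block),
#    Kerberos authentication to the share fails until the key is rotated again,
#    so PasswordLastSet is worth monitoring between rotations as well.
$adObject = Get-ADComputer -Identity $StorageAccountName -Properties PasswordLastSet
$age = (Get-Date) - $adObject.PasswordLastSet
if ($age.TotalMinutes -gt 5) {
    Write-Warning ("PasswordLastSet for {0} is {1:N0} minutes old; " +
        "rotation may not have applied.") -f $StorageAccountName, $age.TotalMinutes
} else {
    Write-Host "Rotated $StorageAccountName to $newKerbKey " +
        "(PasswordLastSet: $($adObject.PasswordLastSet))"
}
```

Run the script with -CurrentKerbKey set to whichever key was used last, so successive rotations alternate between kerb1 and kerb2 and each rotation regenerates the key it switches to.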