Azure Files with AD Integration - Password Refresh Computer Account

Jörg Mayer Azure Consulting 45 Reputation points
2023-05-16T09:56:20.3533333+00:00

Hello,

we are testing Azure Files with integration to our ON PREM Active Directory. Setup with the help of AzFilesHybrid module was completely smooth and easy (big thanks to the authors -)).

We use a computer account as object for the storage account in AD. With a "real" physical file server, updating the password after 30 days would not be a problem. But what is the best practice for this setup? Our first approach is a GPO for the Azure Files OU that prevents password aging (see screenshot) and additional "Block Inheritance" on this OU.

Second option - Regular rotation of both Kerberos keys by the Update-AzStorageAccountADObjectPassword CMDLET from the AzFilesHybrid module.

Opinions and ideas about this?

Thanks a lot

Joerg

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
5,335 questions
Azure Files
Azure Files
An Azure service that offers file shares in the cloud.
1,283 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,463 questions
{count} votes

Accepted answer
  1. Vedant Desai 656 Reputation points
    2023-05-16T09:58:47.22+00:00

    I think both of your approaches are valid. The first approach, using a GPO to prevent password aging, is a good option if you want to prevent users from changing the password of the computer account. This can be useful if you have a lot of users who access the Azure Files shares and you don't want them to be able to change the password.

    The second approach, using the Update-AzStorageAccountADObjectPassword cmdlet to rotate the Kerberos keys, is a good option if you want to ensure that the Kerberos keys are rotated on a regular basis. This can help to protect the Azure Files shares from attack.

    Ultimately, the best approach for you will depend on your specific needs and requirements. If you are concerned about users changing the password of the computer account, then the first approach is a good option. If you are concerned about security, then the second approach is a good option.

    Here are some additional things to consider:

    • If you use the first approach, you will need to make sure that you have a process in place for resetting the password of the computer account if it is ever lost or compromised.
    • If you use the second approach, you will need to make sure that you have a process in place for rotating the Kerberos keys on a regular basis.
    • You should also consider using Azure Active Directory (AD) Connect to synchronize your on-premises AD with Azure AD. This will allow you to manage the password of the computer account in Azure AD, which can make it easier to manage and secure.

    Please don't forget to click on 130616-image.png

    and upvote 130671-image.png

    button if you find this helpful.

    1 person found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Jörg Mayer Azure Consulting 45 Reputation points
    2023-05-16T17:15:32.3333333+00:00

    Thank you and have a great day

    Joerg

    1 person found this answer helpful.
    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.