@Dave NZ, welcome to the Microsoft Q&A Forum, and thank you for posting your query here!
Firstly, let me explain in detail how Azure Files authentication works for users (organization).
You are correct that Azure AD Domain Services (AAD DS) is primarily designed to provide domain services for virtual machines (VMs) within a virtual network (VNet). It allows VMs to join an Active Directory domain and use traditional domain authentication mechanisms.
- If you're mounting the file share from a client that has previously connected to the file share using your storage account key, make sure that you've disconnected the share, removed the persistent credentials of the storage account key, and are currently using AD DS credentials for authentication. For instructions on how to remove cached credentials with storage account key and delete existing SMB connections before initializing a new connection with AD DS or Azure AD credentials, follow the two-step process on the FAQ page.
- Your client must have line of sight to your AD DS. If your machine or VM is outside of the network managed by your AD DS, you'll need to enable VPN to reach AD DS for authentication.
These are the options available for authenticating or authorizing access to the Azure Storage account (Files, Blob, Table & Queue):
For more information, please refer to this article: Authorize access to data in Azure Storage
Before you enable AD DS authentication, make sure you understand the supported scenarios and requirements in the overview article and complete the necessary prerequisites. If your Active Directory environment spans multiple forests, see Use Azure Files with multiple Active Directory forests.
**You can use Shared Key authentication**
There is a video on Azure Files AD Authentication Integration Which provides detailed information on your scenario.
Additional information : Storage account access keys provide full access to the configuration of a storage account, as well as the data. Always be careful to protect your access keys. Use Azure Key Vault to manage and rotate your keys securely. Access to the shared key grants a user full access to a storage account’s configuration and its data. Access to shared keys should be carefully limited and monitored. Use SAS tokens with limited scope of access in scenarios where Azure AD based authorization can't be used. Avoid hard-coding access keys or saving them anywhere in plain text that is accessible to others. Rotate your keys if you believe they might have been compromised.
**Important**
Microsoft recommends using Azure Active Directory (Azure AD) to authorize requests against blob, queue, and table data if possible, rather than using the account keys (Shared Key authorization). Authorization with Azure AD provides superior security and ease of use over Shared Key authorization. For more information about using Azure AD authorization from your applications, see How to authenticate .NET applications with Azure services. For SMB Azure file shares, Microsoft recommends using on-premises Active Directory Domain Services (AD DS) integration or Azure AD Kerberos authentication.
To prevent users from accessing data in your storage account with Shared Key, you can disallow Shared Key authorization for the storage account. Granular access to data with least privileges necessary is recommended as a security best practice. Azure AD based authorization should be used for scenarios that support OAuth. Kerberos or SMTP should be used for Azure Files over SMB. For Azure Files over REST, SAS tokens can be used. Shared key access should be disabled if not required to prevent its inadvertent use. For more information, see Prevent Shared Key authorization for an Azure Storage account.
Please let us know if you have any further queries. I’m happy to assist you further.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
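As an added example (not part of the original answer or of Microsoft's documentation), the following PowerShell script walks through the two recommendations above: audit and disable Shared Key authorization on the storage account, then clear any cached account-key credential and stale SMB session on the client before re-mounting the share with the logged-on AD DS identity. The resource group, storage account and share names are placeholder assumptions; it assumes the Az.Storage module and an existing Connect-AzAccount session.

```powershell
# Added example (not from the original answer). The three values below are
# placeholders, not real names; replace them with your own.
$ResourceGroup  = "rg-files-demo"
$StorageAccount = "stfilesdemo"
$ShareName      = "data"
$FileEndpoint   = "$StorageAccount.file.core.windows.net"

# 1. Audit: is Shared Key (account key) authorization still enabled?
#    Requires Az.Storage and an authenticated Connect-AzAccount session.
$acct = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
if ($acct.AllowSharedKeyAccess -ne $false) {
    Write-Warning "Shared Key authorization is enabled on $StorageAccount."
    # 2. Mitigate: disallow Shared Key so only Azure AD / AD DS (Kerberos) and
    #    scoped SAS paths remain. Confirm first that nothing still depends on
    #    the account key, otherwise those clients will start failing.
    Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount `
        -AllowSharedKeyAccess $false | Out-Null
}

# 3. Client side: remove any cached account-key credential for the file
#    endpoint and drop existing SMB sessions, so the next mount cannot fall
#    back to the key and instead uses the logged-on AD identity.
$cached = cmdkey /list | Select-String -Pattern $FileEndpoint
foreach ($line in $cached) {
    # cmdkey prints "Target: Domain:target=<name>"; delete exactly that target.
    $target = ($line.Line -split 'Target:\s*')[1].Trim()
    cmdkey /delete:$target | Out-Null
}
net use "\\$FileEndpoint\$ShareName" /delete /y 2>$null

# 4. Re-mount with the current AD DS (Kerberos) credentials; no key involved.
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$FileEndpoint\$ShareName" -Persist
```

Run step 3 and 4 on the client that previously used the storage account key; steps 1 and 2 need an identity with write permission on the storage account resource.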