Clarify about Update the password of your storage account identity in AD DS

Leo Lee 160 Reputation points
2023-11-06T03:18:11.7533333+00:00

Hello Everyone,

Currently I had set up FSLogix Profile Container with Azure Files and Active Directory Domain Services.

And we have to force password rotation in the near future.

However, I saw that the article https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-update-password mentions:

"A storage account identity in AD DS can be either a service account or a computer account. Service account passwords can expire in AD; however, because computer account password changes are driven by the client machine and not AD, they don't expire in AD."

Does it mean that if the storage account is a computer account, we can ignore the password policy and leave the password unchanged?

Yours sincerely,

Leo


Accepted answer
  1. Anand Prakash Yadav 7,805 Reputation points Microsoft Vendor
    2023-11-07T12:19:37.76+00:00

    @Leo Lee Thank you for posting your query here!

    When you integrate an Azure storage account with Azure Active Directory Domain Services (AD DS) and configure it as a computer account, the storage account essentially becomes an object within AD DS, and its identity is managed similarly to a computer account in a traditional on-premises Active Directory environment.

    The storage account (computer account) has a password, just like a regular computer object in AD DS. Because computer account password changes are driven by the client machine and not AD, they don't expire in AD, although client computers change their passwords by default every 30 days.

    In a typical Active Directory Domain Services (AD DS) environment, computer accounts, including a storage account configured as a computer account, are not subject to password expiration policies. However, for both account types, it is recommended that you check the configured password expiration age and update the password of your storage account identity in AD before the maximum password age is reached. You can consider creating a new Organizational Unit in AD and disabling the password expiration policy on computer accounts or service logon accounts accordingly.

    Kindly let us know if you have any further queries. I’m happy to assist you further.

    ----------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

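The check the accepted answer recommends (compare the AD object's password age with the domain's maximum password age, and rotate before it is reached) as an added PowerShell example; this is not code from the thread or from Microsoft's documentation. It assumes the RSAT ActiveDirectory module, the AzFilesHybrid module (which provides Update-AzStorageAccountADObjectPassword, the cmdlet from the linked article), and an existing Az session with rights on the storage account; the resource group and storage account names are placeholders.

```powershell
# Added example, not code from the thread or from Microsoft's docs.
# Assumptions: RSAT ActiveDirectory module, AzFilesHybrid module, Connect-AzAccount already run.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,   # placeholder: your resource group
    [Parameter(Mandatory)] [string] $StorageAccountName,  # placeholder: your storage account
    [int] $WarnDays = 7,        # rotate when fewer than this many days remain
    [switch] $Rotate            # without -Rotate the script only reports
)

Import-Module ActiveDirectory
Import-Module AzFilesHybrid

# The AD identity is named after the storage account; a computer object carries a trailing '$'.
$filter = "(|(sAMAccountName=$StorageAccountName`$)(sAMAccountName=$StorageAccountName))"
$obj = Get-ADObject -LDAPFilter $filter -Properties pwdLastSet, objectClass, sAMAccountName
if (-not $obj) { throw "No AD object found for storage account '$StorageAccountName'" }

# pwdLastSet is a FILETIME; convert it and age it against the default domain policy.
$lastSet = [DateTime]::FromFileTimeUtc([int64]$obj.pwdLastSet)
$maxAge  = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge   # TimeSpan; zero means never expires
$age     = (Get-Date).ToUniversalTime() - $lastSet

Write-Host ("{0} ({1}): password last set {2:u}, age {3:N0} days" -f `
    $obj.sAMAccountName, $obj.objectClass, $lastSet, $age.TotalDays)

$due = $false
if ($maxAge -eq [TimeSpan]::Zero) {
    Write-Host "Domain policy: MaxPasswordAge is 0, passwords never expire"
} else {
    $remaining = $maxAge - $age
    Write-Host ("Domain policy MaxPasswordAge {0:N0} days, {1:N0} days remaining" -f `
        $maxAge.TotalDays, $remaining.TotalDays)
    $due = $remaining.TotalDays -lt $WarnDays
}

# AD does not expire a computer object (the thread's point), but it does expire a
# service (user) object, so rotate when the remaining time drops below the threshold.
if ($due -and $Rotate) {
    # Rotates the storage account's Kerberos key and resets the AD object's password to match.
    Update-AzStorageAccountADObjectPassword -RotateToKerbKey kerb2 `
        -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName
    Write-Host "Storage account identity password rotated to kerb2"
} elseif ($due) {
    Write-Host "Rotation due; re-run with -Rotate to update the storage account identity"
}
```

The script only reads the default domain policy; if a fine-grained password policy (PSO) applies to a service account, compare against that PSO's MaxPasswordAge instead. Alternate the key between kerb1 and kerb2 on successive rotations, as the linked article describes.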

2 additional answers

  1. JimmySalian-2011 42,181 Reputation points
    2023-11-06T10:48:39.7633333+00:00

    Hi Leo,

    No, the Password Policy will impact the storage account, as it is considered an object that will apply / inherit the policy, and it will cause deletion of that object if the password is not rotated.

    Hence the solution to prevent this issue, and to prevent unintended password rotation, is to make sure during the onboarding of the Azure storage account in the domain that you place the Azure storage account into a separate organizational unit in AD DS. Disable Group Policy inheritance on this organizational unit to prevent default domain policies or specific password policies from being applied.

    Hope this helps.

    JS

    ==

    Please Accept the answer if the information helped you. This will help us and others in the community as well.


  2. Leo Lee 160 Reputation points
    2023-11-07T04:33:20.4833333+00:00

    Hi Jimmy,

    Thanks for the reply. Due to a security team request, we have to force password rotation for every AD account, so we cannot put the storage account in a separate OU to exclude it from the password policy.

    So in theory, even if the Password Policy is applied to this storage account object, it will not cause deletion of that object. It just does not meet the best practice approach?

    Leo
