About using Azure Files in a Microsoft Entra join configuration.

馬場 勇真 180 Reputation points
2023-11-20T04:19:26.67+00:00

I understand that Microsoft Entra Kerberos authentication can be used in the Microsoft Entra join configuration. Is this correct?

It's not like you can only use Microsoft Entra hybrid joined, right?


Accepted answer
  1. Sumarigo-MSFT 47,456 Reputation points Microsoft Employee
    2023-11-21T11:50:03.3+00:00

    @馬場 勇真 Firstly, apologies for the delayed response! May I know what exactly you are trying to accomplish?
    Can you please elaborate a bit more on your query?

    Yes, you are correct. Microsoft Entra Kerberos authentication can be used with both Azure AD joined and hybrid Azure AD joined devices.

    Azure AD joined devices are devices that are joined to Azure AD and are managed through the cloud. These devices can use Azure AD for authentication and can access Azure Files using Azure AD credentials.

    Hybrid Azure AD joined devices are devices that are joined to both on-premises Active Directory and Azure AD. These devices can use on-premises Active Directory for authentication and can access Azure Files using Kerberos authentication.

    So, if you have a hybrid Azure AD environment, you can use Microsoft Entra Kerberos authentication with your Azure Files shares, regardless of whether your devices are hybrid Azure AD joined or Azure AD joined.

    Reference link: Before you enable Microsoft Entra Kerberos authentication over SMB for Azure file shares, make sure you've completed the following prerequisites.

    Note: Your Azure storage account can't authenticate with both Microsoft Entra ID and a second method like AD DS or Microsoft Entra Domain Services. If you've already chosen another AD method for your storage account, you must disable it before enabling Microsoft Entra Kerberos.

    The Microsoft Entra Kerberos functionality for hybrid identities is only available on the following operating systems:

    To learn how to create and configure a Windows VM and log in by using Microsoft Entra ID-based authentication, see Log in to a Windows virtual machine in Azure by using Microsoft Entra ID.

    Clients must be Microsoft Entra joined or Microsoft Entra hybrid joined. Microsoft Entra Kerberos isn’t supported on clients joined to Microsoft Entra Domain Services or joined to AD only.

    This feature doesn't currently support user accounts that you create and manage solely in Microsoft Entra ID. User accounts must be hybrid user identities, which means you'll also need AD DS and either Microsoft Entra Connect or Microsoft Entra Connect cloud sync. You must create these accounts in Active Directory and sync them to Microsoft Entra ID. To assign Azure Role-Based Access Control (RBAC) permissions for the Azure file share to a user group, you must create the group in Active Directory and sync it to Microsoft Entra ID.

    You must disable multi-factor authentication (MFA) on the Microsoft Entra app representing the storage account.

    With Microsoft Entra Kerberos, the Kerberos ticket encryption is always AES-256. But you can set the SMB channel encryption that best fits your needs.

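Added example (not part of the accepted answer and not a Microsoft script): the storage-account side of the prerequisites listed above, scripted in Azure PowerShell. It checks which identity source the account currently uses and turns it off (the account can have only one), enables Microsoft Entra Kerberos against the AD DS domain the hybrid identities are synced from, pins SMB to Kerberos with AES-256-GCM channel encryption, and assigns share-level RBAC to a group that was created in AD DS and synced to Entra ID. The resource group, account, share name and group object ID are placeholders. The MFA exclusion for the storage account's Entra app is a Conditional Access change made in the portal and is not scripted here.

```powershell
# Added example, not from the original thread. Requires the Az.Storage, Az.Resources
# and (for Get-ADDomain) ActiveDirectory modules, and a prior Connect-AzAccount.
$ResourceGroup   = 'rg-files'        # assumed placeholder
$StorageAccount  = 'stfilesdemo'     # assumed placeholder
$ShareName       = 'corp-share'      # assumed placeholder
$AdGroupObjectId = '00000000-0000-0000-0000-000000000000'  # assumed: Entra object ID of a group synced from AD DS

# The domain name and GUID must describe the on-premises AD DS domain that the
# hybrid user accounts are synced from; run on a domain-joined admin machine.
$domain     = Get-ADDomain
$DomainName = $domain.DNSRoot
$DomainGuid = $domain.ObjectGUID

# 1. Only one identity-based auth source is allowed per storage account.
#    Disable AD DS or Entra Domain Services if either is currently configured.
$account = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$current = $account.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
switch ($current) {
    'AD'      { Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount `
                    -EnableActiveDirectoryDomainServicesForFile $false | Out-Null }
    'AADDS'   { Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount `
                    -EnableAzureActiveDirectoryDomainServicesForFile $false | Out-Null }
    'AADKERB' { Write-Host 'Microsoft Entra Kerberos is already enabled; re-applying settings.' }
    default   { Write-Host "No directory service configured yet ($current); proceeding." }
}

# 2. Enable Microsoft Entra Kerberos and register the AD DS domain behind the hybrid identities.
Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -EnableAzureActiveDirectoryKerberosForFile $true `
    -ActiveDirectoryDomainName $DomainName `
    -ActiveDirectoryDomainGuid $DomainGuid | Out-Null

# 3. Ticket encryption is always AES-256 with Entra Kerberos; the channel encryption
#    is the tunable part. Refuse NTLMv2, RC4 tickets and the weaker AES-128 channel modes.
Update-AzStorageFileServiceProperty -ResourceGroupName $ResourceGroup -StorageAccountName $StorageAccount `
    -SmbProtocolVersion 'SMB3.1.1' `
    -SmbAuthenticationMethod 'Kerberos' `
    -SmbKerberosTicketEncryption 'AES-256' `
    -SmbChannelEncryption 'AES-256-GCM' | Out-Null

# 4. Share-level RBAC for a group that exists in AD DS and is synced to Entra ID.
#    A cloud-only group would not work here (see the accepted answer).
$shareScope = "$($account.Id)/fileServices/default/fileshares/$ShareName"
New-AzRoleAssignment -ObjectId $AdGroupObjectId `
    -RoleDefinitionName 'Storage File Data SMB Share Contributor' `
    -Scope $shareScope | Out-Null

# 5. Verify the account now reports AADKERB with the expected domain.
$after = (Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount).AzureFilesIdentityBasedAuth
'{0} / {1}' -f $after.DirectoryServiceOptions, $after.ActiveDirectoryProperties.DomainName

# Client side (run on each Entra joined or hybrid joined Windows client, not here):
# enable cloud Kerberos ticket retrieval so the device can obtain a TGT from Entra ID.
#   New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' `
#       -Name CloudKerberosTicketRetrievalEnabled -PropertyType DWord -Value 1 -Force
```

After the verification line prints `AADKERB / <your domain>`, a hybrid user on an Entra joined client can map the share with `net use Z: \\stfilesdemo.file.core.windows.net\corp-share` and will authenticate with Kerberos rather than the storage account key; if the MFA exclusion in Conditional Access is missing, that mount fails even though the account-side configuration is correct.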
