@馬場 勇真 Firstly, apologies for the delayed response! May I know what exactly you are trying to accomplish?
Can you please elaborate a bit more on your query?
Yes, you are correct. Microsoft Enterprise Kerberos authentication can be used with both Azure AD joined and hybrid Azure AD joined devices.
Azure AD joined devices are devices that are joined to Azure AD and are managed through the cloud. These devices can use Azure AD for authentication and can access Azure Files using Azure AD credentials.
Hybrid Azure AD joined devices are devices that are joined to both on-premises Active Directory and Azure AD. These devices can use on-premises Active Directory for authentication and can access Azure Files using Kerberos authentication.
So, if you have a hybrid Azure AD environment, you can use Microsoft Enterprise Kerberos authentication with your Azure Files shares, regardless of whether your devices are hybrid Azure AD joined or Azure AD joined.
Reference link: Before you enable Microsoft Entra Kerberos authentication over SMB for Azure file shares, make sure you've completed the following prerequisites.
Note: Your Azure storage account can't authenticate with both Microsoft Entra ID and a second method like AD DS or Microsoft Entra Domain Services. If you've already chosen another AD method for your storage account, you must disable it before enabling Microsoft Entra Kerberos.
The Microsoft Entra Kerberos functionality for hybrid identities is only available on the following operating systems:
- Windows 11 Enterprise/Pro single or multi-session.
- Windows 10 Enterprise/Pro single or multi-session, versions 2004 or later with the latest cumulative updates installed, especially the KB5007253 - 2021-11 Cumulative Update Preview for Windows 10.
- Windows Server, version 2022 with the latest cumulative updates installed, especially the KB5007254 - 2021-11 Cumulative Update Preview for Microsoft server operating system version 21H2.
To learn how to create and configure a Windows VM and log in by using Microsoft Entra ID-based authentication, see Log in to a Windows virtual machine in Azure by using Microsoft Entra ID.
Clients must be Microsoft Entra joined or Microsoft Entra hybrid joined. Microsoft Entra Kerberos isn’t supported on clients joined to Microsoft Entra Domain Services or joined to AD only.
This feature doesn't currently support user accounts that you create and manage solely in Microsoft Entra ID. User accounts must be hybrid user identities, which means you'll also need AD DS and either Microsoft Entra Connect or Microsoft Entra Connect cloud sync. You must create these accounts in Active Directory and sync them to Microsoft Entra ID. To assign Azure Role-Based Access Control (RBAC) permissions for the Azure file share to a user group, you must create the group in Active Directory and sync it to Microsoft Entra ID.
You must disable multi-factor authentication (MFA) on the Microsoft Entra app representing the storage account.
With Microsoft Entra Kerberos, the Kerberos ticket encryption is always AES-256. But you can set the SMB channel encryption that best fits your needs.
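
A client-side check for the join-state and operating-system prerequisites listed above, as an added example that is not part of the original answer or of Microsoft's documentation. The function names are hypothetical, and the build numbers (19041 for Windows 10 version 2004, 20348 for Windows Server 2022) are standard Windows build identifiers rather than values from the post.

```powershell
# Added example: checks a Windows client against the join-state and OS
# prerequisites quoted above. Function names are hypothetical.

function Get-JoinState {
    param([string[]]$DsregOutput)
    # dsregcmd /status prints lines such as "AzureAdJoined : YES".
    $state = @{}
    foreach ($line in $DsregOutput) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    if     ($state.AzureAdJoined -and $state.DomainJoined) { 'EntraHybridJoined' }
    elseif ($state.AzureAdJoined)                          { 'EntraJoined' }
    elseif ($state.DomainJoined)                           { 'AdOnly' }   # unsupported per the list above
    else                                                   { 'NotJoined' }
}

function Test-OsBuild {
    param([int]$Build, [string]$Caption)
    # Assumption: build floors are general Windows facts, not taken from the post.
    # The list above names Windows Server 2022 only (build 20348); widen this
    # if Microsoft's current list includes later server releases.
    if ($Caption -match 'Server') { return $Build -eq 20348 }
    # Windows 10/11 must be an Enterprise or Pro edition, version 2004 (19041) or later.
    if ($Caption -notmatch 'Enterprise|Pro') { return $false }
    return $Build -ge 19041
}

# Live check on the local machine. The cumulative-update level
# (KB5007253 / KB5007254 or later) is not verified here.
$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$join = Get-JoinState -DsregOutput (dsregcmd.exe /status)

[pscustomobject]@{
    Caption       = $os.Caption
    Build         = $os.BuildNumber
    OsSupported   = Test-OsBuild -Build ([int]$os.BuildNumber) -Caption $os.Caption
    JoinState     = $join
    JoinSupported = $join -in 'EntraJoined', 'EntraHybridJoined'
}

# Constructed sample (not from a real host): an AD-only client, which the
# prerequisites above exclude.
$sample = @('   AzureAdJoined : NO', '   DomainJoined : YES')
Get-JoinState -DsregOutput $sample
```

The script checks the device only; whether the signed-in account is a hybrid identity synced from AD DS has to be confirmed separately.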