About using Azure files in Microsoft Entra join configuration.

馬場 勇真 100 Reputation points

I understand that Microsoft Entra Kerberos authentication can be used in the Microsoft Entra join configuration. Is this correct?

It's not like you can only use Microsoft Entra hybrid joined, right?


1 answer

  1. Sumarigo-MSFT 40,716 Reputation points Microsoft Employee

    @馬場 勇真 Firstly, apologies for the delayed response! May I know what exactly you are trying to accomplish?
    Can you please elaborate a bit more on your query?

    Yes, you are correct. Microsoft Enterprise Kerberos authentication can be used with both Azure AD joined and hybrid Azure AD joined devices.

    Azure AD joined devices are devices that are joined to Azure AD and are managed through the cloud. These devices can use Azure AD for authentication and can access Azure Files using Azure AD credentials.

    Hybrid Azure AD joined devices are devices that are joined to both on-premises Active Directory and Azure AD. These devices can use on-premises Active Directory for authentication and can access Azure Files using Kerberos authentication.

    So, if you have a hybrid Azure AD environment, you can use Microsoft Enterprise Kerberos authentication with your Azure Files shares, regardless of whether your devices are hybrid Azure AD joined or Azure AD joined.

    Reference link: Before you enable Microsoft Entra Kerberos authentication over SMB for Azure file shares, make sure you've completed the following prerequisites.

    Note: Your Azure storage account can't authenticate with both Microsoft Entra ID and a second method like AD DS or Microsoft Entra Domain Services. If you've already chosen another AD method for your storage account, you must disable it before enabling Microsoft Entra Kerberos.

    The Microsoft Entra Kerberos functionality for hybrid identities is only available on the following operating systems:

    To learn how to create and configure a Windows VM and log in by using Microsoft Entra ID-based authentication, see Log in to a Windows virtual machine in Azure by using Microsoft Entra ID.

    Clients must be Microsoft Entra joined or Microsoft Entra hybrid joined. Microsoft Entra Kerberos isn’t supported on clients joined to Microsoft Entra Domain Services or joined to AD only.

    This feature doesn't currently support user accounts that you create and manage solely in Microsoft Entra ID. User accounts must be hybrid user identities, which means you'll also need AD DS and either Microsoft Entra Connect or Microsoft Entra Connect cloud sync. You must create these accounts in Active Directory and sync them to Microsoft Entra ID. To assign Azure Role-Based Access Control (RBAC) permissions for the Azure file share to a user group, you must create the group in Active Directory and sync it to Microsoft Entra ID.

    You must disable multi-factor authentication (MFA) on the Microsoft Entra app representing the storage account.

    With Microsoft Entra Kerberos, the Kerberos ticket encryption is always AES-256. But you can set the SMB channel encryption that best fits your needs.

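The prerequisites listed in the answer (one identity source per storage account, an Entra joined or hybrid joined client, AES-256 Kerberos tickets) can be checked before flipping the setting. The script below is an added illustration, not Microsoft's tooling or anything from this thread: it applies those rules to the JSON that `az storage account show -o json` returns, to the SMB section of `az storage account file-service-properties show`, and to the text that `dsregcmd /status` prints on the client. All three inputs are constructed samples; the property names (`azureFilesIdentityBasedAuthentication.directoryServiceOptions`, `kerberosTicketEncryption`, `AzureAdJoined`, `DomainJoined`) are the ones those tools use, but every value, the account name and the domain name are invented.

```python
"""Readiness pre-check for Microsoft Entra Kerberos on an Azure Files share.

Added example (not Microsoft's code). Inputs are constructed samples of the
output of `az storage account show`, `az storage account
file-service-properties show` and `dsregcmd /status`.
"""
import json

# Constructed sample: an account already configured for on-premises AD DS auth.
SAMPLE_ACCOUNT_JSON = json.dumps({
    "name": "contosofiles",  # placeholder account name
    "azureFilesIdentityBasedAuthentication": {
        "directoryServiceOptions": "AD",
        "activeDirectoryProperties": {"domainName": "corp.example.com"},
    },
})

# Constructed sample of the protocolSettings.smb section of the file service.
SAMPLE_SMB_SETTINGS = {
    "kerberosTicketEncryption": "RC4-HMAC;AES-256",
    "channelEncryption": "AES-128-CCM;AES-128-GCM;AES-256-GCM",
}

# Constructed excerpt of `dsregcmd /status` from a hybrid-joined Windows client.
SAMPLE_DSREGCMD_HYBRID = """
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
"""


def directory_service_blockers(account_json: str) -> list:
    """Reasons the account cannot be switched to Entra Kerberos yet.

    A storage account supports one identity source at a time: an existing
    AD DS ("AD") or Entra Domain Services ("AADDS") configuration has to be
    disabled before Entra Kerberos ("AADKERB") can be enabled.
    """
    account = json.loads(account_json)
    auth = account.get("azureFilesIdentityBasedAuthentication") or {}
    option = auth.get("directoryServiceOptions", "None")
    if option in ("AD", "AADDS"):
        return [f"directoryServiceOptions is {option}; disable it before enabling AADKERB"]
    return []  # "None" (nothing configured) or "AADKERB" (already on) are fine


def client_join_state(dsregcmd_output: str) -> str:
    """Classify a client from the AzureAdJoined/DomainJoined flags of dsregcmd."""
    flags = {}
    for line in dsregcmd_output.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            flags[key.strip()] = value.strip().upper() == "YES"
    entra = flags.get("AzureAdJoined", False)
    domain = flags.get("DomainJoined", False)
    if entra and domain:
        return "hybrid-joined"
    if entra:
        return "entra-joined"
    if domain:
        # AD-only, or joined to Entra Domain Services (which also shows as a
        # domain join): neither is supported for Entra Kerberos.
        return "domain-only"
    return "not-joined"


def client_blockers(dsregcmd_output: str) -> list:
    state = client_join_state(dsregcmd_output)
    if state in ("hybrid-joined", "entra-joined"):
        return []
    return [f"client is {state}; Entra Kerberos needs an Entra joined or hybrid joined client"]


def smb_blockers(smb_settings: dict) -> list:
    """Entra Kerberos tickets are always AES-256, so the SMB policy must allow it."""
    allowed = set(smb_settings.get("kerberosTicketEncryption", "").split(";"))
    if "AES-256" not in allowed:
        return ["kerberosTicketEncryption does not allow AES-256"]
    return []


def precheck(account_json: str, dsregcmd_output: str, smb_settings: dict) -> dict:
    blockers = (directory_service_blockers(account_json)
                + client_blockers(dsregcmd_output)
                + smb_blockers(smb_settings))
    # Items these outputs cannot show and that must be confirmed by hand.
    manual = [
        "users and groups are synced from AD DS (cloud-only accounts are not supported)",
        "MFA is excluded for the storage account's Entra application",
    ]
    return {"ready": not blockers, "blockers": blockers, "manual_checks": manual}


if __name__ == "__main__":
    print(json.dumps(precheck(SAMPLE_ACCOUNT_JSON, SAMPLE_DSREGCMD_HYBRID,
                              SAMPLE_SMB_SETTINGS), indent=2))
```

Run against the samples it reports one blocker (the account is still on AD DS) and lists the two items that have to be verified in Entra ID rather than read from CLI output; the channel encryption value is deliberately not a blocker, since the answer notes it is a free choice once the ticket encryption is AES-256.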