Azure File share - accessing from not synced forests

Bojan Zivkovic 441 Reputation points
2024-02-27T08:24:46.6333333+00:00

Hi, we have the following business requirement (it is probably doable with SharePoint but still I am more interested in Azure services nowadays) - various IT departments mostly need to download/upload iso images of their products (VMware solutions, Veeam solutions, various Linux distros ...) to/from Bastion Servers using central location. Can Azure file share be used for this purpose bearing in mind that we have multiple isolated forests - no trust between them (each with its own Bastion Servers) with only one forest being synced to our tenant in Microsoft Entra?

Azure Files
Azure Files
An Azure service that offers file shares in the cloud.
1,274 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Sedat SALMAN 13,740 Reputation points
    2024-02-27T09:19:04.71+00:00

    for your requirements consider these key points: Use Azure RBAC roles for share-level permissions for users in the synced forest. For other forests, employ default share-level permissions applicable to all authenticated identities.

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-multiple-forests Configure domain suffixes to enable cross-forest authentication, modify the storage account's SPN suffix, and add a CNAME record in DNS for uniformity across forests.

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-multiple-forests

    Ensure network security by managing access via network rules, only allowing connections from permitted networks​.

    Implement SMB 3.0 and open port 445 for secure, region-independent access to Azure file shares​.

    https://techcommunity.microsoft.com/t5/itops-talk-blog/tips-amp-tricks-for-azure-file-shares/ba-p/277943


  2. Anand Prakash Yadav 7,785 Reputation points Microsoft Vendor
    2024-02-28T10:08:27.8+00:00

    Hello Bojan Zivkovic,

    Thank you for posting your query here!

    You can use Azure RBAC roles which allow you to grant share-level permissions to users in the synced forest.

    For users from non-synced forests, employing default share-level permissions applicable to all authenticated identities ensures that they can still access the Azure File Shares using Azure AD authentication. https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions#share-level-permissions-for-all-authenticated-identities

    You can configure domain suffixes and modify the storage account's SPN suffix to enable cross-forest authentication, allowing users from different forests to authenticate against the Azure AD tenant. https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-multiple-forests#configure-domain-suffixes

    Considerations for security:

    · Managing access via network rules and only allowing connections from permitted networks enhances network security, ensuring that access to Azure File Shares is restricted to authorized networks.  

    · Implementing SMB 3.0 and opening port 445 ensures secure, region-independent access to Azure File Shares. This is crucial for maintaining secure communication between the Bastion Servers and the Azure File Shares.  

    For further details please refer: Use Azure Files with multiple Active Directory (AD) forests | Microsoft Learn

    End-user experience:

    The end-user experience for accessing Azure File Shares from non-synced forests, once configured and mapped as network drives, would be similar to accessing any other network share.

    Once the Azure File Share is configured and permissions are set, users can map it as a network drive on their local machines or Bastion Servers.

    Once the drive is mapped, users can access files and folders on the Azure File Share using familiar file explorer interfaces.

    Do let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.