How to access a SMB Share with a Mac via Microsoft Entra Kerberos authentication for hybrid identities on Azure Files

Der_Andreas 40 Reputation points
2024-03-13T13:30:54.79+00:00

Now for Windows Clients this all works....accessing a SMB share via Azure Files and Microsoft Entra Kerberos authentication for hybrid identities.

The problem comes with accessing this share with a Mac and applying NTFS-permissions. The only clue I can find is in Microsofts Documentation https://learn.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-mac

HOWEVER, this only describes using the storage account key, thus NTFS permissions will be ignored.

How can this be done? My initial thought was that the Mac needs to be part of the Entra ID Devices. But even that didn't work. I added the Mac to our local Active Directory using the official method. That works. The sync client should sync the device to Entra ID, or so i thought.... apparently it doesn't do that.

So now the question: even if it would work somehow to get the Mac in there (is it at all possible??) would it work then? I read there is a possibility to use Intune Enrollment. Would that work? We don't have these licenses yet.

Now, since we wanted to use Azure Files (which works for 95% of the employees, since it's mostly Windows) how can the Mac user access that same share ?? It would work when the share is within the local Network, since the user also has a Windows User account and it is not neccessary to have the device registered for this. But on Azure Files ????

Please Help,

Greetings from Germany,

Andreas

Azure Files
Azure Files
An Azure service that offers file shares in the cloud.
1,156 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,395 questions
{count} votes

Accepted answer
  1. Anand Prakash Yadav 5,525 Reputation points Microsoft Vendor
    2024-03-15T10:24:37.0533333+00:00

    Hello Der_Andreas,

    Thank you for posting your query here!

    Microsoft Entra ID can be used to authenticate hybrid user identities, which are on-premises AD DS identities that are synced to Microsoft Entra ID. This configuration allows hybrid users to access Azure file shares using Kerberos authentication. However, configuring Windows access control lists (ACLs)/directory and file-level permissions for a user or group requires unimpeded network connectivity to the on-premises domain controller.

    Please note that it is not possible to join a Mac device to Azure AD. But it is possible is to enroll your device using Intune. To enroll a personal device in Intune: https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-your-device-in-intune-macos-cp

    Similar post: https://serverfault.com/questions/1079628/register-mac-to-azure-ad-without-enrolling-in-intune

    Enrolling your Mac with Intune can help manage your device and apply certain policies.

    However, accessing an SMB share on Azure Files with NTFS permissions via Microsoft Entra Kerberos authentication for hybrid identities may still present challenges. This is due to the complexities of the SMB protocol and NTFS permissions, which are features of the Windows operating system and Azure Files.

    While macOS does support the SMB protocol, it may not fully support all features of SMB 3.0 or later, such as Microsoft Entra Kerberos authentication.

    I hope this helps! Please let me know if you have any other questions or need further clarification.


0 additional answers

Sort by: Most helpful