Azure Files Share - multiple subdomains

PT Maliborski 246 Reputation points
2024-03-18T09:34:14.03+00:00

Trying to migrate on-prem shares to Azure File Shares.

We have 3 subdomains (testA, testB, testC - no access to root domain though).

When running 

Join-AzStorageAccount -ResourceGroupName "rg-FileShare-infrastructure-prod-001" -StorageAccountName "teststorage" -Domain "testA.domain.com" -DomainAccountType "ComputerAccount" -OrganizationalUnitName "StorageAccount"

I can only select 1 subdomain (testA). This causes that only users from the subdomain where storage computer account in AD is created can access new share in Azure File Shares.

All others in subdomans testB and testC get "Incorrect password" when trying to map the drive.

I have already tried connecting the same storage account to all 3 subdomains (running the command 3 times with different subdomain) but then it only works for last domain I ran the command Join-AzStorgageAccount.

Is there a way that users from all 3 subdomains can access new share in Azure?

This is important when user from one subdomain needs to access files from other subdomain.

Of course all users are granted SMB Contributor rights on that share in Azure.

Maybe that requires storage computer account to be placed in the root domain?

Azure Files
Azure Files
An Azure service that offers file shares in the cloud.
1,169 questions
0 comments
Accepted answer
  1. Sumarigo-MSFT 43,801 Reputation points Microsoft Employee
    2024-03-20T15:23:01.2166667+00:00

    @PT Maliborski Firstly, Apologies for the delay response!
    Welcome to Microsoft Q&A Forum, Thank you for posting your query here

    Yes, users from all three subdomains can access a new share in Azure if they have the appropriate permissions. For example, users from different domains within the same forest can access the file share and underlying directories/files if they have the appropriate permissions

    When joining an Azure Storage account to an Active Directory domain using the Join-AzStorageAccount cmdlet, you can only specify one domain at a time. This means that users from other domains will not be able to access the Azure file share unless they are also joined to the same domain.

    To enable users from multiple domains to access the Azure file share, you can either:

    1. Join the Azure Storage account to a domain that is trusted by all of the domains that need access. This will allow users from all of the trusted domains to access the Azure file share.
    2. Create a separate Azure Storage account for each domain that needs access. This will allow you to join each storage account to the corresponding domain, and users from each domain will be able to access the corresponding Azure file share.

    If you choose to join the Azure Storage account to a domain that is trusted by all of the domains that need access, you will need to ensure that the trust relationship is properly configured and that the necessary permissions are granted to the users and groups that need access.

    It's also worth noting that placing the storage computer account in the root domain may not be necessary or desirable, depending on your specific requirements and security policies. You should consult with your IT team or security team to determine the best approach for your organization.

    Please let us know if you have any further queries. I’m happy to assist you further.    

    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. PT Maliborski 246 Reputation points
    2024-03-22T09:39:39.8633333+00:00

    All 3 subdomains users have access, trust is configured.

    I think issue I've experienced was the time needed to sync storage computer account to be accessible by other users.

    Thanks again

    0 comments