Can I use azure files and still manage access in a directory and file level without local on premise managed domain (just Entra ID for cloud users only)?

Barak Peley 0 Reputation points
2024-06-03T08:40:05.65+00:00

Hi, I only have Entra ID for cloud users. I want to use Azure Files as a file server.

Is there a way to configure access for Entra ID users and configure directory and file permissions per Entra ID user without an on-premises domain?

Tags: Azure Files, Microsoft Entra ID

3 answers

  1. innovation gadget 155 Reputation points
    2024-06-03T09:03:20.0533333+00:00

    Hello Barak Peley

    Yes, you can configure Azure Files to use Azure AD (now known as Microsoft Entra ID) for identity-based access control without needing an on-premises domain. This allows you to manage permissions for Azure Files using Entra ID users. Below are the steps to achieve this:

    Step-by-Step Guide to Configure Azure Files with Entra ID Authentication

    **Create an Azure Storage Account:**

    - In the Azure portal, navigate to "Storage accounts".
    - Click on "+ Create" to create a new storage account.
    - Fill in the necessary details and ensure the account kind is set to "StorageV2 (general-purpose v2)".
    - Once created, navigate to the storage account.

    **Enable Azure AD Authentication for Azure Files:**

    - Go to the "Configuration" tab in the storage account.
    - Set "Azure Active Directory Domain Services" (Azure AD DS) to "Enabled".
    - Save the changes.

    **Assign Azure RBAC Roles for Azure Files:**

    - Go to the "Access control (IAM)" tab in the storage account.
    - Click on "+ Add role assignment".
    - Select the appropriate role for the users who need access to Azure Files, such as "Storage File Data SMB Share Contributor" or "Storage File Data SMB Share Reader".
    - Assign the role to the Entra ID users or groups who need access.

    **Create and Configure File Shares:**

    - Go to the "File shares" tab in the storage account.
    - Click on "+ File share" to create a new file share.
    - After creating the file share, you can set directory and file-level permissions using Azure Files ACLs.

    **Connect to Azure Files from a Client:**

    - On the client machine (e.g., a Windows PC), ensure you are signed in with an Entra ID account that has been granted access.
    - Map the Azure File Share using the following steps:
      - Open File Explorer and click on "This PC".
      - Click on "Map network drive".
      - Choose a drive letter and enter the file share path (e.g., **`\\<storage-account-name>.file.core.windows.net\<file-share-name>`**).
      - Check "Connect using different credentials".
      - Use your Entra ID credentials to connect.

    **Set Directory and File Permissions:**

    Use the Azure portal or Azure PowerShell to set ACLs (Access Control Lists) on directories and files within the file share.

    You can use Azure PowerShell to set fine-grained permissions:

    ```powershell
    # Install the Azure PowerShell module if not already installed
    Install-Module -Name Az -AllowClobber -Scope CurrentUser
    Import-Module Az

    # Connect to Azure
    Connect-AzAccount

    # Get the storage account context
    $storageAccount = Get-AzStorageAccount -ResourceGroupName "<your-resource-group>" -Name "<your-storage-account>"
    $ctx = $storageAccount.Context

    # Set ACL for a directory
    $acl = New-AzStorageFileSmbShareAclObject
    $acl.Permissions = "rwx"                 # Replace with desired permissions
    $acl.PrincipalId = "<user-object-id>"    # Object ID of the Entra ID user or group
    $acl.Path = "<directory-path>"

    Set-AzStorageFileSmbShareAcl -Context $ctx -ShareName "<file-share-name>" -AclObject $acl
    ```

    Important Considerations

    • Entra ID Roles vs. ACLs: Azure RBAC roles are used to grant access to the entire file share, while ACLs allow you to set permissions on specific directories and files.
    • Supported Clients: Ensure that the client operating system supports Azure AD authentication for Azure Files (Windows 10 version 1809 or later, Windows Server 2019 or later).
    • Performance: Azure Files performance can vary based on the storage account and file share configuration. Consider using Premium tier for better performance if needed.

    Troubleshooting

    • Permissions Issues: Ensure that the Entra ID users have been correctly assigned the necessary RBAC roles and that ACLs are correctly configured.
    • Authentication Errors: Verify that the client machine is correctly joined to Entra ID and that the user is signed in with the correct credentials.

    By following these steps, you can configure Azure Files to serve as a file server with permissions managed through Microsoft Entra ID, enabling you to control access without the need for an on-premises domain.


  2. akinbade abiola 6,030 Reputation points
    2024-06-03T09:07:39.5433333+00:00

    Hello Barak Peley,

    Thanks for your question.

    Yes, natively if you leverage Entra Domain Services.

    Azure Files supports identity-based authentication for Windows file shares over Server Message Block (SMB) using the Kerberos authentication protocol through the following methods:

    • On-premises Active Directory Domain Services (AD DS)
    • Microsoft Entra Domain Services
    • Microsoft Entra Kerberos for hybrid user identities

    This is documented here: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-domain-services-enable?tabs=azure-portal

    Please let me know if you have further questions.

    You can mark it 'Accept Answer' if this helped.


  3. Anand Prakash Yadav 7,540 Reputation points Microsoft Vendor
    2024-06-04T07:12:30.1533333+00:00

    Hello Barak Peley,

    Thank you for posting your query here!

    You can access Azure Files using a domain identity even if the machine you are accessing from is not domain joined. Azure Files supports authentication from non-domain joined devices if the client has line-of-sight to the domain controller and the user types in their AD domain credentials. Note that for non-domain-joined machines wishing to access Azure Files with Azure AD DS (not on-premises AD DS), customers would want to set up line-of-sight to the domain controllers for Azure AD DS, which are located in Azure. They would have to set up this connectivity through either site-to-site or point-to-site VPN.

    Also, Microsoft Entra ID (formerly Azure AD) allows Kerberos authentication without the need for line-of-sight to domain controllers. However, the support is limited to hybrid user identities (identities created in AD DS and synced to Azure AD using Azure AD Connect). Cloud-only identities aren't currently supported.

    Do let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

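    The following is an added example, not code from any of the answers above. It carries the procedure from the first answer (a share-level Azure RBAC role, then a directory-level ACL) through with the identity source the second and third answers describe as the one that works without line-of-sight to a domain controller: Microsoft Entra Kerberos, which requires hybrid identities synced from AD DS. It uses only documented Az.Accounts, Az.Storage and Az.Resources cmdlets plus icacls over an SMB mount; the first answer's `New-AzStorageFileSmbShareAclObject` and `Set-AzStorageFileSmbShareAcl` are not cmdlets in the published Az module. Every name in the script (resource group, storage account, share, domain name, domain GUID, user) is a placeholder you must replace; the domain name and GUID must be those of the AD DS domain the user is synced from.

    ```powershell
    # Added example (not from the original thread). Placeholders below are hypothetical:
    # replace them with your resource group, storage account, share, AD DS domain and user.
    # Requires the Az.Accounts, Az.Storage and Az.Resources modules and a Windows client.
    $rg         = "rg-files"
    $sa         = "stfilesdemo"
    $share      = "shared"
    $upn        = "alice@contoso.com"      # hybrid identity: exists in AD DS, synced to Entra ID
    $adUser     = "CONTOSO\alice"          # same user as AD DS names it (used in the ACL)
    $domainName = "contoso.local"          # DNS name of the AD DS domain the user is synced from
    $domainGuid = "00000000-0000-0000-0000-000000000000"   # objectGUID of that domain

    Connect-AzAccount | Out-Null

    # 1. Identity source: enable Microsoft Entra Kerberos for Azure Files on the account.
    #    The domain name and GUID let Azure Files map the Entra user back to its AD DS SID,
    #    which is what Windows ACLs are evaluated against; cloud-only users have no such SID.
    Set-AzStorageAccount -ResourceGroupName $rg -Name $sa `
        -EnableAzureActiveDirectoryKerberosForFile $true `
        -ActiveDirectoryDomainName $domainName `
        -ActiveDirectoryDomainGuid $domainGuid | Out-Null

    # Check: the account should now report AADKERB as its directory service.
    $auth = (Get-AzStorageAccount -ResourceGroupName $rg -Name $sa).AzureFilesIdentityBasedAuth
    if ($auth.DirectoryServiceOptions -ne "AADKERB") {
        throw "Entra Kerberos not enabled: DirectoryServiceOptions=$($auth.DirectoryServiceOptions)"
    }

    # 2. Share-level permission: an Azure RBAC role scoped to this one share, not the whole account.
    $subId = (Get-AzContext).Subscription.Id
    $scope = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/$sa" +
             "/fileServices/default/fileshares/$share"
    New-AzRoleAssignment -SignInName $upn `
        -RoleDefinitionName "Storage File Data SMB Share Contributor" -Scope $scope | Out-Null

    # Check: who holds SMB data roles at this scope (assignments inherited from above are listed too).
    Get-AzRoleAssignment -Scope $scope |
        Where-Object RoleDefinitionName -like "Storage File Data SMB Share*" |
        Select-Object SignInName, RoleDefinitionName, Scope

    # 3. Directory-level permission: Windows ACLs, set over SMB. For this one-off admin step the
    #    share is mounted with the account key so the ACL edit does not depend on the admin's own ACLs.
    $key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $sa)[0].Value
    cmdkey /add:"$sa.file.core.windows.net" /user:"localhost\$sa" /pass:"$key" | Out-Null
    net use Z: "\\$sa.file.core.windows.net\$share" /persistent:no | Out-Null

    New-Item -ItemType Directory -Path "Z:\finance" -Force | Out-Null
    icacls "Z:\finance" /inheritance:r                      # drop entries inherited from the share root
    icacls "Z:\finance" /grant "${adUser}:(OI)(CI)M"        # Modify, inherited by files and subfolders
    icacls "Z:\finance"                                     # check: print the resulting ACL

    net use Z: /delete /y | Out-Null
    cmdkey /delete:"$sa.file.core.windows.net" | Out-Null   # do not leave the account key cached
    ```

    Two things the script cannot do for you: enabling Entra Kerberos registers an application in your tenant that an administrator must grant consent to before users can obtain tickets, and the client that later maps the share must be Entra joined or hybrid joined and signed in as a hybrid user. The RBAC role decides whether the user can reach the share at all; the icacls entry decides what they may do inside `finance`, so a user with only the share role and no ACL entry still gets access denied on that directory.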