Azure Files + AAD DS Auth

Jonathan Gomm 1 Reputation point
2020-12-04T10:48:51.12+00:00

I have AAD DS enabled on my tenant and have created a storage account and file share with "Identity-based access for file shares: Azure Active Directory Domain Services (Azure AD DS)" enabled.

When connected to an AAD joined management VM, I try to set NTFS permissions over SMB as detailed in the article below (mounted using the storage key).

I get an error stating:

"The program cannot open the required dialog box because it cannot determine whether the computer named XYZ.file.core.windows.net is joined to a domain"

When checking AAD from the management VM, there is no computer account for the storage account. The article below states the storage account is domain joined, but this does not seem to happen, and I cannot set any permissions on the share or access it without using the storage key.

"To enable Azure AD DS authentication over SMB for Azure Files, you can set a property on storage accounts by using the Azure portal, Azure PowerShell, or Azure CLI. Setting this property implicitly "domain joins" the storage account with the associated Azure AD DS deployment. Azure AD DS authentication over SMB is then enabled for all new and existing file shares in the storage account."

Ref
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable?tabs=azure-powershell

Any ideas?

After running "Debug-AzStorageAccountAuth" I can see that there is definitely not a storage account in AAD.

Ref

Debug-AzStorageAccountAuth : ActiveDirectoryProperties is not set for storage account 'XYZ' in resource group 'XYZ'. To set the properties, please use cmdlet Set-AzStorageAccount if the account is already associated with an Active Directory, or use cmdlet   
Join-AzStorageAccountForAuth to join the account to an Active Directory (https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable)  


The link mentioned for resolution relates to on-prem AD DS auth, not Azure AD DS auth which I am using. Should the Azure portal automatically domain join the storage account when enabling "Identity-based access for file shares: Azure Active Directory Domain Services (Azure AD DS)"? If so, this hasn't happened.

I am looking for the AAD DS equivalent process to add the storage account PSN?

  1. deherman-MSFT 33,141 Reputation points Microsoft Employee
    2020-12-04T18:31:19.893+00:00

    @Jonathan Gomm
    The Debug-AzStorageAccountAuth command does not work for Azure AD DS, it is intended for on-prem use. As stated in the documentation you should simply need to enable this via the portal, CLI, or PowerShell. You can try setting the NTFS permissions with icacls to see if that works.

    I am reaching out to you via PM to see if we can take a deeper look into your specific configuration.

    -------------------------------

    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

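An added example (not from the thread or from Microsoft's own docs) of the PowerShell route the answer describes: enable the Azure AD DS property on the storage account, verify it, mount once with the storage key, and set the NTFS ACL with icacls instead of the Explorer security dialog that fails. Resource group, account, share and group names are placeholders.

```powershell
# Added example, not from the original thread. All names below are placeholders.
$rg      = 'rg-files-demo'     # resource group (assumption)
$account = 'stfilesdemo'       # storage account name (assumption)
$share   = 'data'              # file share name (assumption)

# 1. Enable Azure AD DS authentication over SMB. This is the property that
#    "implicitly domain joins" the account; no computer object is created in
#    the managed domain, so Debug-AzStorageAccountAuth (an on-prem AD DS tool)
#    will still report ActiveDirectoryProperties as unset. That is expected.
Set-AzStorageAccount -ResourceGroupName $rg -Name $account `
    -EnableAzureActiveDirectoryDomainServicesForFile $true

# 2. Verify: DirectoryServiceOptions should now read AADDS.
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $account
$sa.AzureFilesIdentityBasedAuth.DirectoryServiceOptions

# 3. Mount once with the account key (superuser access) to set NTFS ACLs.
#    Do this from the AAD DS joined VM; the key never needs to reach end users.
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $account)[0].Value
net use Z: "\\$account.file.core.windows.net\$share" /user:"Azure\$account" $key

# 4. Grant an Azure AD DS group Modify on the share root, inherited by
#    subfolders (CI) and files (OI). 'contoso.com\FileShareUsers' is a placeholder.
#    Share-level access also needs an Azure RBAC role on the share, e.g.
#    "Storage File Data SMB Share Contributor" (not shown here).
icacls Z:\ /grant "contoso.com\FileShareUsers:(OI)(CI)M"
icacls Z:\   # print the resulting ACL for review

# 5. Drop the key-based mapping; users then map the share with their own identity.
net use Z: /delete
```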