Can we change an existing storage account identity from AD Domain services to Microsoft Entra Kerberos?

Nazeer, Shalomon 20 Reputation points
2024-09-24T16:02:34.2833333+00:00

We have our current Azure Virtual Desktop environment with a storage account where identity is configured as "Active directory domain services" for FSLogix profiles. We are testing Entra joined session hosts and, as part of the process, just checking to see if an existing storage account configured with "AD Domain Services" identity can be changed to "Microsoft Entra Kerberos".

Azure Files
An Azure service that offers file shares in the cloud.
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. Keshavulu Dasari 765 Reputation points Microsoft Vendor
    2024-09-26T13:27:21.6366667+00:00

    Hi Nazeer, Shalomon,
    For Entra joined session hosts, you cannot use Active Directory Domain Services directly for storage account identification. Active Directory Domain Service Authentication is specifically designed for environments where session hosts have domain joins or Entra hybrid joins.
    https://learn.microsoft.com/en-us/azure/storage/file/storage-file-identity-auth-domain-services-enable?tabs=azure-portal
    For Entra joined session hosts, you can use Microsoft Entra Kerberos or Microsoft Entra Domain Services for identity-based authentication with Azure Files. These options are designed to work seamlessly with Entra joined environments and provide the same functionality as AD DS.

    Please let us know if you have any further queries. I’m happy to assist you further.


    Please 'Upvote'(Thumbs-up) and 'Accept' as an answer if the reply was helpful. This will also help us close this thread and acknowledge the time spent by community volunteers like us.

    1 person found this answer helpful.

1 additional answer

  1. Keshavulu Dasari 765 Reputation points Microsoft Vendor
    2024-09-24T17:47:09.72+00:00

    Hi Nazeer, Shalomon,
    Welcome to Microsoft Q&A Forum. Thank you for posting your query here!
    You can change the identity configuration of your existing storage account from "Active Directory Domain Services" (AD DS) to "Microsoft Entra Kerberos."

    Based on your scenario there are a few causes:
    You must first disable the existing Active Directory Domain Services (AD DS) configuration on your storage account. Azure Files only supports one AD method for identity-based authentication at a time. To enable Microsoft Entra Kerberos authentication using the Azure portal:

    1. Sign in to the Azure portal and select the storage account you want to enable Microsoft Entra Kerberos authentication for.
    2. Under Data storage, select File shares.
    3. Next to Active Directory, select the configuration status (for example, Not configured).

    4. Under Microsoft Entra Kerberos, select Set up.
    5. Select the Microsoft Entra Kerberos checkbox.

    *Note that cloud-only identities are not currently supported. The user accounts must be hybrid user identities, which means they need to be created on-premises and synced to Microsoft Entra ID using Azure AD Connect.

    *For more information:
    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable?tabs=azure-portal%2Cintune

    Please let us know if you have any further queries. I’m happy to assist you further.

    1 person found this answer helpful.
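
The same switch as the portal steps in the answer above, scripted with Az PowerShell. This is an added example, not part of the original answer: the resource group, account, domain name and domain GUID are placeholders to replace, and it assumes the Az.Storage module and a signed-in session (`Connect-AzAccount`). It reads the current identity source first, disables AD DS only if that is what is configured, then enables Microsoft Entra Kerberos and verifies the result.

```powershell
# Placeholders (assumptions): replace with your own values.
$ResourceGroup  = '<resource-group>'
$StorageAccount = '<storage-account>'
$DomainName     = '<ad-ds-domain-fqdn>'   # domain the hybrid users are synced from
$DomainGuid     = '<ad-ds-domain-guid>'   # e.g. (Get-ADDomain).ObjectGUID, run on-premises

# Helper (hypothetical name): returns AD, AADDS, AADKERB, None, or $null if never configured.
function Get-FilesIdentitySource {
    $acct = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
    return $acct.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
}

$current = Get-FilesIdentitySource
Write-Host "Current Azure Files identity source: '$current'"

if ($current -eq 'AADKERB') {
    Write-Host 'Microsoft Entra Kerberos is already enabled; nothing to change.'
    return
}
elseif ($current -eq 'AD') {
    # Azure Files supports only one identity source at a time, so AD DS is
    # turned off first. Clients authenticating through AD DS lose access from here on.
    Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount `
        -EnableActiveDirectoryDomainServicesForFile $false | Out-Null
}
elseif ($current -eq 'AADDS') {
    # Not the scenario in this thread; stop instead of guessing at the intent.
    throw 'Account uses Microsoft Entra Domain Services; disable it deliberately first.'
}

# Enable Microsoft Entra Kerberos on the now-unconfigured account.
Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -EnableAzureActiveDirectoryKerberosForFile $true `
    -ActiveDirectoryDomainName $DomainName `
    -ActiveDirectoryDomainGuid $DomainGuid | Out-Null

# Verify the change before pointing FSLogix profile containers at the share.
$after = Get-FilesIdentitySource
if ($after -ne 'AADKERB') {
    throw "Expected AADKERB after the change, found '$after'."
}
Write-Host "Identity source is now: $after"
```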
