Can we change an existing storage account identity from AD Domain services to Microsoft Entra Kerberos?

Question

Can we change an existing storage account identity from AD Domain services to Microsoft Entra Kerberos?

Nazeer, Shalomon 125

We have our current Azure virtual desktop environment with storage account where identity is configured as "Active directory domain services" for FSLogix profiles. We are testing Entra joined session hosts and as part of the process just checking to see if an existing storage account configured with "AD Domain Services" identity can be changed to "Microsoft Entra Kerberos"

Keshavulu Dasari 4,925 Reputation points Microsoft External Staff Moderator

2024-09-25T14:44:59.4633333+00:00

Hi Nazeer, Shalomon,
Checking in to see if the response helped.
If you have any questions, let me know in the "comments" and I would be happy to help you.
Nazeer, Shalomon 125 Reputation points

2024-09-25T14:54:03.5466667+00:00

Hi @Keshavulu Dasari ,

will there be any impact on the folder-level permissions within the file share of our storage account. Specifically, I would like to know if the directory and file-level permissions of the share folder will remain unchanged after we transition the identity from AD DS to Microsoft Kerberos.
Keshavulu Dasari 4,925 Reputation points Microsoft External Staff Moderator

2024-09-25T15:41:03.7166667+00:00

Hi Nazeer, Shalomon,
When transitioning the identity configuration of your storage account from AD Domain Services to Microsoft Entra Kerberos, the directory and file-level paths to your file share must remain unchanged the permissions are stored as file system metadata half, directly and identity provider It does not bind it

There are a few important things to consider:

*Access Control Lists: Existing Access Control Lists will remain in effect as long as the user accounts and groups referenced in the Access Control Lists can still be edited by the new identity provider.
please go through the below link:
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-configure-permissions
*Reconfiguration: After switching to Microsoft Entra Kerberos, you may need to reconfigure some settings to ensure easy access and authorization. This includes ensuring that all necessary bundled updates are installed on your Windows operating systems
*Network connectivity: Make sure your client machines have a seamless network connection to domain controllers, either on-premises or managed by Microsoft Entra Domain Services.

*Test: The new configuration should be thoroughly tested in a controlled environment before a complete change is made, to ensure that all permissions and access functions as expected

Please let us know if you have any further queries. I’m happy to assist you further.
Keshavulu Dasari 4,925 Reputation points Microsoft External Staff Moderator

2024-09-26T12:47:46.3433333+00:00

Hi Nazeer, Shalomon,
Checking in to see if the response helped.
If you have any questions, let me know in the "comments" and I would be happy to help you.
Nazeer, Shalomon 125 Reputation points

2024-09-26T12:54:15.28+00:00

@Keshavulu Dasari

I have one final question regarding the configuration of Entra joined session hosts. Can I set the storage account identity as Active Directory Domain Services for these session hosts? I understand that this is possible for session hosts that are Entra hybrid joined, but I'm curious if it applies to Entra joined ones as well.
Nazeer, Shalomon 125 Reputation points

2024-09-26T13:35:44.34+00:00

@Keshavulu Dasari Thanks for all your suggestions. You have been very helpful.

Answer accepted by question author

1 additional answer

Your answer

Keshavulu Dasari 4,925 Reputation points Microsoft External Staff Moderator

2024-09-25T14:44:59.4633333+00:00

Hi Nazeer, Shalomon,
Checking in to see if the response helped.
If you have any questions, let me know in the "comments" and I would be happy to help you.
Nazeer, Shalomon 125 Reputation points

2024-09-25T14:54:03.5466667+00:00

Hi @Keshavulu Dasari ,

will there be any impact on the folder-level permissions within the file share of our storage account. Specifically, I would like to know if the directory and file-level permissions of the share folder will remain unchanged after we transition the identity from AD DS to Microsoft Kerberos.
Keshavulu Dasari 4,925 Reputation points Microsoft External Staff Moderator

2024-09-25T15:41:03.7166667+00:00

Hi Nazeer, Shalomon,
When transitioning the identity configuration of your storage account from AD Domain Services to Microsoft Entra Kerberos, the directory and file-level paths to your file share must remain unchanged the permissions are stored as file system metadata half, directly and identity provider It does not bind it

There are a few important things to consider:

*Access Control Lists: Existing Access Control Lists will remain in effect as long as the user accounts and groups referenced in the Access Control Lists can still be edited by the new identity provider.
please go through the below link:
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-configure-permissions
*Reconfiguration: After switching to Microsoft Entra Kerberos, you may need to reconfigure some settings to ensure easy access and authorization. This includes ensuring that all necessary bundled updates are installed on your Windows operating systems
*Network connectivity: Make sure your client machines have a seamless network connection to domain controllers, either on-premises or managed by Microsoft Entra Domain Services.

*Test: The new configuration should be thoroughly tested in a controlled environment before a complete change is made, to ensure that all permissions and access functions as expected

Please let us know if you have any further queries. I’m happy to assist you further.
Keshavulu Dasari 4,925 Reputation points Microsoft External Staff Moderator

2024-09-26T12:47:46.3433333+00:00

Hi Nazeer, Shalomon,
Checking in to see if the response helped.
If you have any questions, let me know in the "comments" and I would be happy to help you.
Nazeer, Shalomon 125 Reputation points

2024-09-26T12:54:15.28+00:00

@Keshavulu Dasari

I have one final question regarding the configuration of Entra joined session hosts. Can I set the storage account identity as Active Directory Domain Services for these session hosts? I understand that this is possible for session hosts that are Entra hybrid joined, but I'm curious if it applies to Entra joined ones as well.
Nazeer, Shalomon 125 Reputation points

2024-09-26T13:35:44.34+00:00

@Keshavulu Dasari Thanks for all your suggestions. You have been very helpful.

Answer 1

Hi Nazeer, Shalomon,
For Entra joined session hosts, you cannot use Active Directory Domain Services directly for storage account identification. , Active Directory Domain Service Authentication is specifically designed for environments where session hosts have domain joins or Entra hybrid joins.
https://learn.microsoft.com/en-us/azure/storage/file/storage-file-identity-auth-domain-services-enable?tabs=azure-portal
For Entra joined session hosts, you can use Microsoft Entra Kerberos or Microsoft Entra Domain Services for identity-based authentication with Azure Files. These options are designed to work seamlessly with Entra joined environments and provide the same functionality as AD DS.

Please let us know if you have any further queries. I’m happy to assist you further.

Please 'Upvote'(Thumbs-up) and 'Accept' as an answer if the reply was helpful. This will also help us close this thread and acknowledge the time spent by community volunteers like us.

Keshavulu Dasari 4,925 Reputation points Microsoft External Staff Moderator

2024-09-26T13:48:14.4466667+00:00

Hi Nazeer, Shalomon,
Please 'Upvote'(Thumbs-up) and 'Accept' as an answer if the reply was helpful. This will also help us close this thread and acknowledge the time spent by community volunteers like us.

Answer 2

Keshavulu Dasari 4,925 Microsoft External Staff Moderator

Hi Nazeer, Shalomon,
Welcome to Microsoft Q&A Forum, Thank you for posting your query here!,
you can change the identity configuration of your existing storage account from "Active Directory Domain Services" (AD DS) to "Microsoft Entra Kerberos."

Based on your scenario there are few causes:
You must first disable the existing Active Directory Domain Services (AD DS) configuration on your storage account. Azure Files only supports one AD method for identity-based authentication at a time to enable Microsoft Entra Kerberos authentication using the Azure portal,

Sign in to the Azure portal and select the storage account you want to enable Microsoft Entra Kerberos authentication for.
Under Data storage, select File shares.
Next to Active Directory, select the configuration status (for example, Not configured).

Screenshot of the Azure portal showing file share settings for a storage account. Active Directory configuration settings are selected.

4.Under Microsoft Entra Kerberos, select Set up.

5.Select the Microsoft Entra Kerberos checkbox.
Screenshot of the Azure portal showing Active Directory configuration settings for a storage account. Microsoft Entra Kerberos is selected.

*Note that cloud-only identities are not currently supported. The user accounts must be hybrid user identities, which means they need to be created on-premises and synced to Microsoft Entra ID using Azure AD Connect

*For more information:
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable?tabs=azure-portal%2Cintune

Please let us know if you have any further queries. I’m happy to assist you further.

Nazeer, Shalomon 125 Reputation points

2024-10-08T14:36:17.5933333+00:00

@Keshavulu Dasari

We are currently testing the migration of our storage account from Active Directory identification to Microsoft Kerberos identification.

After the migration, we have observed that a new FSLogix profile folder with a new SID is being created in the same file share after logging into session host.

Our concern is that all user data remains in the old SID folder, and with the new SID folder being created, we do not see the any old data while logging into session hosts.

Could you please clarify if this behavior is expected when migrating a storage account in Azure File Share?
Keshavulu Dasari 4,925 Reputation points Microsoft External Staff Moderator

2024-10-08T18:03:59.21+00:00
Hi Nazeer, Shalomon,
Yes, this behavior is expected when migrating from Active Directory Domain Services to Microsoft Entra Kerberos for FSLogix profiles. When you switch the identity provider, the Security Identifier associated with user profiles changes. As a result, FSLogix creates new profile folders with the new SID, leading to the creation of separate profile containers.
Ensure that users can access their old data, you can follow:

Rename the Profile Folder: Rename the old profile folder to match the new SID format. This involves changing the folder name from the old SID to the new SID. Edit the Profile Registry: Mount the VHDX file of the old profile and edit the ProfileData.reg file. Update the SID and GUID entries to reflect the new SID, ensure that the new SID has the appropriate permissions to access the renamed profile folder.

In migrating the user profiles without losing access to the existing data. If you need detailed guidance, you can refer to the official Microsoft documentation on setting up FSLogix Profile Containers with Azure Files:
https://learn.microsoft.com/en-us/azure/virtual-desktop/fslogix-profile-container-configure-azure-files-active-directory?tabs=adds.

Please let us know if you have any further queries. I’m happy to assist you further.
Keshavulu Dasari 4,925 Reputation points Microsoft External Staff Moderator

2024-10-09T19:34:25.7933333+00:00

Hi Nazeer, Shalomon,
Checking in to see if the response helped. If you have any questions, let me know in the "comments" and I would be happy to help you.

Share via

Can we change an existing storage account identity from AD Domain services to Microsoft Entra Kerberos?

1 additional answer

Your answer