Azure FileShares - How to REALLY invite users to collaborate ?

Simon Ghislain 0 Reputation points
2025-04-18T18:16:50.7466667+00:00

Hello everyone. I really need help.

On my Azure Subscription, I created an SMB File Share (Home->Storage Account -> File Share). This is for pictures storage (.jpg). The intent is that this File Share will then be remotely accessed through some Azure functions and launch future processing/sending of these pictures.

Now, I want to allow someone else to access this File Share and upload, delete, and rename files. What I thought would be straightforward cloud sharing just got me lost in limbo, and neither CoPilot nor Microsoft documentation are helping me.

Steps I took :

  1. Invite user USER by email in Azure (it redirected me to Microsoft Entra) - I used one of my email accounts not known to Microsoft, and did receive an email of invite on that account.
  2. Add that user to a Group (GROUPCLOUD) in my Azure Portal
  3. Grant to GROUPCLOUD the Storage File Data SMB Share Contributor through the Access control (IAM) of my File Share

But then I have no idea how to tell USER (my alternate account in this case) to actively collaborate.

I tried downloading Microsoft Azure Storage Explorer, but found no way to connect as USER or to access the File Share. It might be because, in the File Share, it still says "Identity-based access : not configured". I'm not sure that this should be changed : the 3 options I have when I click there are

  1. AD DS , which requires me to launch some crazy AZFile scripts from Powershell (?) and does not seem to me the issue, as I was able to use IAM as intended
  2. Microsoft Entra Domain Services, which as I understand it would be a platform as a service costing at minimum 100$ a month
  3. Microsoft Entra Kerberos, which seems to be for hybrid logins, no idea what that is and not sure how applicable that is to my need.

I tried mapping the File Share as a new drive in Windows Explorer. There again, I'm using the https URL provided by documentation: https://[STORAGEACCOUNT].file.core.windows.net/[FILESHARE] but am getting 0x80070043 errors, suggesting I need to create localized access points to enable computers to use port 445... Why is this so complicated ? Is there not an interface that USER can connect to in order to see the files and upload new ones ?

What am I missing ?
Thank you for your suggestions, as I am reaching a point of burnout on this, guessing that the issue is just my overall lack of understanding of the topic.

Azure Storage Explorer
An Azure tool that is used to manage cloud storage resources on Windows, macOS, and Linux.

2 answers

  1. Keshavulu Dasari 4,755 Reputation points Microsoft External Staff Moderator
    2025-04-18T21:11:23.83+00:00

    Hi Simon Ghislain,

    You have put in a lot of effort to set up your Azure File Share for collaboration, but the process can indeed be complex. Here are the steps to ensure your user can access and collaborate on the file share effectively.

    Steps to Enable Collaboration on Azure File Share

    Identity-Based Access Configuration:

    • AD DS: This option is typically used for on-premises integration and requires additional setup with PowerShell scripts.
    • Microsoft Entra Domain Services: This is a managed domain service in Azure, but it does come with a cost.
    • Microsoft Entra Kerberos: This is for hybrid environments and might not be necessary for your scenario.

    Since you have already used IAM to assign roles, you might not need to configure identity-based access unless you require more granular control.

    Accessing the File Share:

    • Azure Storage Explorer: Ensure that the user has the correct permissions and is signed in with the account that has been granted access. You can follow this guide to set up Azure Storage Explorer.
    • Mapping the File Share in Windows Explorer: This requires enabling port 445 for SMB access. You can follow this tutorial to map the file share.

    Assigning Permissions:

    • Share-Level Permissions: Ensure that the user or group has the necessary permissions at the share level. You can assign these permissions through Azure RBAC.
    • Directory and File-Level Permissions: Configure Windows ACLs for more granular control.

    Common Issues

    Error 0x80070043: This error typically indicates issues with network connectivity or port configuration. Ensure that port 445 is open and accessible on the user's network.

    Identity-Based Access Not Configured: If IAM roles are correctly assigned, you might not need to configure additional identity-based access unless specific requirements dictate otherwise.

    User Interface for Collaboration

    For a more straightforward interface, users can use Azure Storage Explorer or map the file share as a network drive in Windows Explorer. Both methods should allow users to upload, delete, and rename files once permissions are correctly set.

    For more information,

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-introduction

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-configure-file-level-permissions

    If you have any other questions or are still running into more issues, let me know in the "comments" and I would be glad to assist you.

    1 person found this answer helpful.

  2. Suwarna S Kale 2,906 Reputation points
    2025-04-18T18:55:31.74+00:00

    Hello Simon Ghislain,

    Thank you for posting your question in the Microsoft Q&A forum. 

    First of all, thank you so much for providing very detailed information on the scenario and the issue you are facing as it helped to provide you required information to resolve the issue. :)

    Microsoft Entra Kerberos is the optimal solution for your Azure file share scenario due to its cloud-native design, seamless Entra ID integration, and cost efficiency as it may eliminate the need for complex AD DS sync scripts or costly Entra Domain Services ($100+/month). Unlike Active Directory Domain Services (AD DS), it requires no hybrid infrastructure or complex scripting, and unlike Entra Domain Services, it incurs no additional costs. It leverages existing Entra ID credentials, simplifying user access while maintaining RBAC compliance. Additionally, it avoids port 445 restrictions by supporting HTTPS-based access, ensuring reliability without firewall complications. For your use case like external collaboration with minimal overhead, Entra Kerberos provides the most secure, scalable, and straightforward approach. 

    Since you’ve already: 

    • Invited the user (USER) via Microsoft Entra ID (Azure AD). 
    • Assigned them to a group (GROUPCLOUD) with Storage File Data SMB Share Contributor role. 

    The next step is configuring Microsoft Entra Kerberos authentication (the simplest method for cloud-only users). 

    To enable Microsoft Entra Kerberos Authentication, try the steps below: 

    • Go to your Storage Account → File Shares → Select your file share. 
    • Under Identity-based access, choose Microsoft Entra Kerberos.
    • Follow the prompts to enable it (no extra cost, unlike Entra Domain Services). However, the overall cost depends on the Azure Files pricing model you choose, such as Provisioned v1/v2 or Pay-as-you-go storage tiers.

     

    For mapping the File Share (For USER) 

    The user (USER) must --> Sign in to Windows with their Microsoft Entra ID (Azure AD) account (the one you invited) --> Map the drive using the command below: 

    net use Z: \\[YourStorageAccount].file.core.windows.net\[YourFileShare] /user:Azure*@domain.com

    (Replace ******@domain.com with their Entra ID email.) 

     

    For troubleshooting 0x80070043 (Port 445 Blocked) 

    If SMB (port 445) is blocked by their ISP/corporate firewall: 

    • Use Azure Files with Private Endpoints (recommended for security). 
    • Or, have USER connect via VPN or Azure Bastion. 

     

    If the above answer helped, please do not forget to "Accept Answer" as this may help other community members to refer the info if facing a similar issue. Your contribution to the Microsoft Q&A community is highly appreciated. 
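
Both answers trace error 0x80070043 to port 445 being unreachable from the user's network. The PowerShell below is an added example, not part of either answer, that checks this from the user's machine before any drive mapping is attempted; `<storage-account>` is a placeholder, and treating an RFC 1918 address as the sign of a private endpoint is an assumption of this sketch.

```powershell
# Added example: can this client reach the Azure Files endpoint over SMB (TCP 445)?
# Placeholder value; replace with the real storage account name.
$StorageAccount = '<storage-account>'
$fqdn = "$StorageAccount.file.core.windows.net"

# 1. DNS: which address does the file endpoint resolve to from this network?
#    CNAME records in the answer carry no IPAddress, so they are filtered out.
$addresses = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop |
    Where-Object { $_.IPAddress } |
    Select-Object -ExpandProperty IPAddress

# Assumption: an RFC 1918 address means the name resolves to a private endpoint
# (reachable only over VPN or a peered network), not the public endpoint.
$privatePattern = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
$private = @($addresses | Where-Object { $_ -match $privatePattern })

# 2. TCP: is outbound port 445 allowed all the way to the endpoint?
$tcp = Test-NetConnection -ComputerName $fqdn -Port 445 -WarningAction SilentlyContinue

# 3. Report the result as one object so it can be logged or sent to the share owner.
[pscustomobject]@{
    Endpoint         = $fqdn
    ResolvedTo       = $addresses -join ', '
    PrivateEndpoint  = ($private.Count -gt 0)
    Port445Reachable = $tcp.TcpTestSucceeded
}

if (-not $tcp.TcpTestSucceeded) {
    # A blocked port is a network problem; role assignments in IAM do not affect it.
    Write-Warning "TCP 445 to $fqdn is not reachable from this network. Mapping the share over SMB will fail until a path that permits it is available (for example VPN or a private endpoint)."
}
```

If `Port445Reachable` is `False`, the failure is at the network layer and changing permissions on the share will not resolve it.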

