This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 77%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDP%3C/text%3E%3C/svg%3E)
Currently working with a client who are looking at introducing the Microsoft Managed Desktop service (so devices are AAD joined), we have some requirements for on-premises infrastructure so there will be a small AD DS environment, file print etc.
The client has some data classifications that can't be stored in the cloud due to geo-restrictions and so will be utilizing some on-premises shares.
Is there a technology set that will allow us to translate Conditional Access policies defined in Azure down to shares on a local Windows Server (or HP Nimble)?
The estate will be greenfield other than the use of HP Nimble, design principle is Microsoft First to make use of M365 E5.
A cloud-based identity and access management service for securing user authentication and resource access
Additional Microsoft Entra services and features related to identity, access, and network security
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 13%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERJ%3C/text%3E%3C/svg%3E)
Look up product called Silverfort. It installs an agent on domain controller to intercept authentication events and send them to policy server. Policy can be configured to require Azure MFA. It can integrate with Azure Conditional Access.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 68%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
You could look at using Azure VPN to control access to the local resources, Azure VPN supports conditional access.
Just a thought : )
is anyone using Azure VPN to control access to on-premises resources?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 57.00000000000001%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Hello @DanPorter ,
You have mentioned that you are going to setup file , print server on-premise with a small Active Directory environment . The file and print server on-premise use Kerberos and NTLM as a authentication protocol. Conditional access depends on many components in Azure and is dependent on oAuth protocol on which Azure Identity system is based which on-premise AD does not support out of the box. As far as I know there is no way to translate conditional access policies defined in Azure to apply during file share access. Any request to map the share by any user will always use NLTM/kerberos protocol which will go to the local domain controller for authentication and there is no native way to translate this NTML/Kerb to Oauth and send to azure for authentication/authorization.
Hope the information helps. In case you have any further queries , please let us know and we will be happy to help . If the provided information is useful , please do accept the post as answer so that its helpful to others in the community.
Thank you.