AADDS but no local DC - how to share and access folders with NTFS permission

Hansli Tester 21 Reputation points
2021-07-05T09:22:15.74+00:00

Hi, I have probably misunderstood the possibilities while reading docs for weeks now. Am I right that it is not possible to share a local folder (in the LAN, on a joined W10 machine) with other LAN users by just using Azure AD and Azure AD DS? Is it correct that, to simply share some folders inside the LAN, I definitely need a DC?
Cheers, Hansli

Microsoft Security | Microsoft Entra | Other

Accepted answer
    Siva-kumar-selvaraj 15,721 Reputation points
    2021-07-05T20:59:18.727+00:00

    Hello @Hansli Tester ,

    Thanks for reaching out and welcome to the Microsoft Q&A forum community!

    Yes, you are right, but when you create an Azure AD DS managed domain (e.g. aaddscontoso.com), two Windows Server domain controllers (DCs) are deployed into your selected Azure region. This deployment of DCs is known as a replica set.

    Azure Active Directory Domain Services (Azure AD DS) provides managed domain services with a subset of fully-compatible traditional AD DS features such as domain join, group policy, LDAP, and Kerberos / NTLM authentication.

    Hence, file sharing must work as long as the Azure VMs are joined to Azure AD Domain Services (not Azure AD joined, which is a different concept), and you can add a new AADDS user to manage permissions as shown below. But when you use AADDS you don't have Domain Administrator or Enterprise Administrator permissions on a managed domain; these permissions are reserved by the service and aren't made available to users within the tenant.

    [image: 111952-image.png]

    So in this scenario, AADDS lets you perform some privileged operations on file share permissions for which "Domain Administrator" or "Enterprise Administrator" permissions are not required.

    For example: let's say you have created a new shared folder on a VM that is AADDS joined, and there are some NTFS permissions inherited by default on that folder. When you try modifying/deleting those default inherited permissions, which requires "Domain Administrator" or "Enterprise Administrator" access, you may end up with access denied in this scenario due to the less privileged access.

    Here are some frequently asked questions (FAQs) about Azure Active Directory (AD) Domain Services

    Alternatively, you could leverage Azure Files and enable Azure Active Directory Domain Services authentication, which uses NTFS permissions over SMB for directories and files.

    Hope this helps.

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

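As an added example, not from the answer above or from Microsoft's own documentation: a PowerShell outline of the approach the answer describes for a share on an AADDS-joined VM. It grants an AADDS group an explicit NTFS entry alongside the inherited defaults rather than removing them, then lists both ACLs so the inherited and explicit entries can be checked. The managed domain name aaddscontoso.com is the one the answer uses; the group, path and share name are assumptions.

```powershell
# Added example (not from the answer or from Microsoft docs). Run elevated on the
# AADDS-joined VM; members of the built-in "AAD DC Administrators" group are local
# administrators on such VMs, which is sufficient for these steps.
$Path      = 'D:\Shares\Projects'              # constructed for this example
$ShareName = 'Projects'                        # constructed for this example
$Group     = 'AADDSCONTOSO\FileShare-Users'    # hypothetical AADDS security group

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Share-level permission: grant Change rather than Full Control, so the NTFS ACL
# below remains the effective control on the data.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path -ChangeAccess $Group | Out-Null
}

# NTFS: ADD an explicit ACE for the AADDS group. Inheritance is deliberately left
# enabled (no SetAccessRuleProtection call): the answer notes that modifying or
# deleting the default inherited entries is what may fail with access denied under
# AADDS, because Domain/Enterprise Admin rights are reserved by the service.
$acl  = Get-Acl -Path $Path
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Group,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Check the result: which entries are inherited vs. explicit, and the share grant.
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited, AccessControlType |
    Format-Table -AutoSize
Get-SmbShareAccess -Name $ShareName | Format-Table -AutoSize
```

In the output, the explicit entry for the group should show IsInherited = False next to the inherited defaults, which stay untouched.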

1 additional answer

  Hansli Tester 21 Reputation points
    2021-07-06T09:10:21.763+00:00

    Good day sir!
    Thanks for your lengthy answer. I tried and failed once more. After reading your links, I am not sure anymore if this is the way I would go; it seems to be a bit complicated (compared to an on-premise DC). Nevertheless, I can invest 2-3 more days on the topic "cloud-only services".
    Cheers, Hansli
