AADDS + VPN + Azure Files = Not Working

Ralph Bohovowitz 1 Reputation point
2021-08-04T20:31:51.347+00:00

I'm working on my small business to replace an on premises server by using Azure Files from my devices. I do not want to use OneDrive for SharePoint for my data, as my users are used to a traditional file server with groups and permissions nested cleanly on a single drive letter.

I created an Azure Active Directory Directory Services for my domain, built the necessary vNet, built a storage account, built a file share, assigned SMB Contributor permissions, enabled the share to use Azure Active Directory Domain Services for identity-based access.

I then signed into a new PC (not in Azure, of course, but verified as domain-joined to my AADDS domain), VPN'd into my vNet, and verified I receive proper DNS and have SMB connectivity to my storage object. I can map a letter to the Azure Files share using a storage key, so I used ICACLS to give rights to my user to the root of the file system as full. I can right-click on properties of my drive letter, go to security, and see my AzureAD\User with Full permissions.

However, when I try and map the letter without the storage key (using identity-based access for simple, but necessary file-system based security), I get an error of 'the specified network password is not correct' using new-psdrive, and a username/password prompt when using net use. I know I have share permissions with the SMB contributor object for this user, and I know I have ACLs on the file system root as this user, but I still have this problem.

Are there ideas to get this identity-based auth working? Or is Azure Files not ready to replace traditional file servers yet? (Keeping traditional on-prem AD alive forever while also dealing with the complexity of Azure is not a solution I'm entertaining.)
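A check script for the setup described in the question, added here as an example and not part of the original post. It walks the same path the poster did (domain-join state, DNS and port 445 over the VPN, Kerberos ticket for the file endpoint, key-based mapping for ACLs, then identity-based mapping); the storage account, share and drive letters are placeholders.

```powershell
# Added diagnostic script (not from the original thread). Placeholders: replace
# $StorageAccount and $ShareName with your own values before running.
$StorageAccount = "mystorageacct"                 # placeholder
$ShareName      = "files"                         # placeholder
$Fqdn           = "$StorageAccount.file.core.windows.net"
$UncPath        = "\\$Fqdn\$ShareName"

# 1. The client must be joined to the AADDS domain itself. 'DomainJoined : YES' with the
#    AADDS domain name is what identity-based SMB needs; 'AzureAdJoined : YES' alone is not.
dsregcmd /status | Select-String -Pattern 'AzureAdJoined|DomainJoined|DomainName'

# 2. Over the VPN the storage FQDN must resolve (to the private or public endpoint you
#    intend) and TCP 445 must be reachable; many ISPs and some VPN clients block 445.
Resolve-DnsName -Name $Fqdn -ErrorAction Stop | Select-Object Name, IPAddress
$tnc = Test-NetConnection -ComputerName $Fqdn -Port 445
if (-not $tnc.TcpTestSucceeded) { throw "TCP 445 to $Fqdn is blocked; check VPN/NSG/ISP." }

# 3. Identity-based access is Kerberos only. The logged-on user needs a TGT from an AADDS
#    domain controller and a service ticket for cifs/<account>.file.core.windows.net.
#    If the VPN came up after logon, the session may hold no TGT; this shows whether one
#    can be obtained now. No ticket here means the mapping in step 5 cannot succeed.
klist purge | Out-Null
klist get "cifs/$Fqdn"
klist | Select-String -Pattern "cifs/$Fqdn"

# 4. Mapping with the storage account key bypasses identity auth and is how ACLs get set
#    with icacls; keep it for admin use only and never hand the key to end users.
$Key     = Read-Host -Prompt "Storage account key (admin only)" -AsSecureString
$KeyCred = New-Object System.Management.Automation.PSCredential("Azure\$StorageAccount", $Key)
New-PSDrive -Name Y -PSProvider FileSystem -Root $UncPath -Credential $KeyCred -ErrorAction Stop | Out-Null
icacls "Y:\"                                       # show the ACL the poster set at the root
Remove-PSDrive -Name Y

# 5. Identity-based mapping: no credential, so SMB uses the Kerberos ticket from step 3.
#    'The specified network password is not correct' at this point, with steps 1-3 clean,
#    means the share-level RBAC or the client's supported-scenario list is the next check.
New-PSDrive -Name Z -PSProvider FileSystem -Root $UncPath -Persist -ErrorAction Stop | Out-Null
Get-ChildItem Z:\
```

Run it in an elevated session on the client after the VPN is connected; steps 1 to 3 are read-only and can be run by the affected user to see which stage fails before any key is involved.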


3 answers

Sort by: Most helpful
  1. Sumarigo-MSFT 47,021 Reputation points Microsoft Employee
    2021-08-05T09:59:35.193+00:00

    @Ralph Bohovowitz Welcome to Microsoft Q&A Forum Support. Thank you for posting your query.

    • For testing purposes, can you add the Storage Account Contributor role and check the status?
    • Can you share the script and a complete screenshot of the error message?

    Additional information: there is a video, and a list of supported scenarios and restrictions, in the article on-premises Active Directory Domain Services authentication over SMB for Azure file shares, which explains the configuration in more detail; also cross-verify the prerequisites.

    Understand some key terms relating to Azure AD Domain Service authentication over SMB for Azure file shares:

    Enable Azure Active Directory Domain Services authentication on Azure Files
    Based on the error message you can refer to this MSDN thread which provides some idea on your scenario.

    Looking forward to your reply.

    ----------------------------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

  2. Ralph Bohovowitz 1 Reputation point
    2021-08-05T15:59:34.46+00:00

    Thanks for the welcome and thanks for helping with my issue, @Sumarigo-MSFT.

    I added Storage Account Contributor to this account and have screenshots below, and I have also provided other screenshots confirming the configuration.

    I noted that the MSDN thread says "Azure files with Azure AD authentication is supported only when the share is mapped on a VM running on Azure and joined to Azure AD..." With that thread being about 1.5 years old, I was hoping for added compatibility with Azure Files to allow small businesses to use the SMB shares to remove complexities of managing an IT environment (Active Directory on a file server). If you're saying that's not the case, then probably the screenshots won't be of much good, but hopefully that's just old information.

    Nonetheless, the thread also mentioned the requirement of changing a password. I don't know if this is applicable on Azure AD DS or just on-prem AD, but I changed the password anyways. I waited 10m, then restarted the Windows 10 PC and logged in with new password, connected to the VPN, and received the same errors.

    Azure-AD Joined: [screenshot]

    AD-Identity Configured: [screenshot]

    Storage Account Contributor: [screenshot]

    Share Permissions: [screenshot]

    File Permissions (when using storage key): [screenshot]

    Errors (when using Azure AD user): [screenshot]

    So possibly: my Azure AD-joined Windows 10 device, VPN'd into Azure connected to my vNet with connectivity to both AADDS and the storage file share, just like an Azure VM would be, is not compatible because I didn't host the device inside of the Azure network, but chose to VPN in.

    Any other specific ideas?


  3. TXS-DEV 1 Reputation point
    2021-11-30T07:45:00.567+00:00

    I'm running into similar issues as the OP. What was the fix? Is there a fix? I'm frustrated that it takes so much setup to get this going.
