Azure AD and AD DS Custom/Managed Domains

Question

Hi,

We're in the process of moving everything to Azure, and started off using a M365 Business Premium subscription for our users.
Our Windows 10 Devices are now managed by Intune. Our users login using username@mathieu.company .com. This custom domain has been verified and is working as expected.

The next step would be to migrate our on-premise files to Azure Files. Authenticating our users with their M365 accounts against Azure Files requires AD DS.
I've now deployed AD DS with the following managed domain name: cloud.company.com.

From what I understood, since the domain name company.com is already in use by Azure AD, I cannot reuse company.com as the managed domain name for AD DS. I would prefer to reuse company.com as the managed domain name for AD DS, but I'm unsure how our users would authenticate when accessing the files shares. Do they need to use username@Gunjan .company.com or can they keep using username@mathieu.company .com (even when the AD DS managed domain is set to cloud.company.com)?

If we need to keep using cloud.company.com, do I need to verify this domain and make it internet routable? If so, which DNS record types should be added?

Thanks, and regards,

Grant

Answer 1

@Not So Magical Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused. I am from Azure Storage Team, Let me explain Azure Files Storage part how it works on ADDS.

Azure Files supports identity-based authentication over Server Message Block (SMB) through two types of Domain Services: on-premises Active Directory Domain Services (AD DS) and Azure Active Directory Domain Services (Azure AD DS). We strongly recommend you to review the How it works section to select the right domain service for authentication. The setup is different depending on the domain service you choose. These series of articles focus on enabling and configuring on-premises AD DS for authentication with Azure file shares.

If you are new to Azure file shares, we recommend reading our planning guide before reading the following series of articles.

Supported scenarios and restrictions

Before you enable AD DS authentication for Azure file shares, make sure you have completed the following prerequisites

• For Azure AD DS authentication, you should enable Azure AD Domain Services and domain join the VMs you plan to access file data from. Your domain-joined VM must reside in the same virtual network (VNET) as your Azure AD DS.
• To access Azure Files resources with identity based authentication, an identity (a user, group, or service principal) must have the necessary permissions at the share level. This process is similar to specifying Windows share permissions, where you specify the type of access that a particular user has to a file share. The guidance in this section demonstrates how to assign read, write, or delete permissions for a file share to an identity.
  https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable?tabs=azure-portal#assign-access-permissions-to-an-identity

This is distinctly discussing Azure files not ADDS or Azure ADDS authentication for Azure files.

Azure ADDS and ADDS authentication specifically have different requirements and prerequisites.

Domain-join an on-premises machine or an Azure VM to on-premises AD DS. For information about how to domain-join, refer to Join a Computer to a Domain.

To use ADDS you need to domain join the vm - or have line of sight to the DC (to use ADDS Authentication for Azure files - you need to domain join the vm - or have line of sight to the DC. If you aren't using ADDS - you don't need to be on a domain joined VM and can map the drive with storage account/key but will be like a super user)

If your machine is not domain joined to an AD DS, you may still be able to leverage AD credentials for authentication if your machine has line of sight of the AD domain controller.

• You can enable the feature on a new or existing on-premises AD DS environment. Identities used for access must be synced to Azure AD. The Azure AD tenant and the file share that you are accessing must be associated with the same subscription.

Domain-join an on-premises machine or an Azure VM to on-premises AD DS. We strongly recommend you to review the How it works section to select the right domain service for authentication.

• If the subscription under which the file share is deployed is associated with the same Azure AD tenant as the Azure AD DS deployment to which the VM is domain-joined, you can then access Azure file shares using the same Azure AD credentials. The limitation is imposed not on the subscription but on the associated Azure AD tenant.
• Azure Files on-premises AD DS authentication only integrates with the forest of the domain service that the storage account is registered to. To support authentication from another forest, your environment must have a forest trust configured correctly. The way Azure Files register in AD DS almost the same as a regular file server, where it creates an identity (computer or service logon account) in AD DS for authentication. The only difference is that the registered SPN of the storage account ends with "file.core.windows.net" which does not match with the domain suffix. Consult your domain administrator to see if any update to your suffix routing policy is required to enable multiple forest authentication due to the different domain suffix. We provide an example below to configure suffix routing policy.

To learn how to enable Azure AD DS authentication for Azure file shares, see Enable Azure Active Directory Domain Services authentication on Azure Files.

• Azure AD DS provides managed domain services such as domain join, group policies, LDAP, and Kerberos/NTLM authentication. These services are fully compatible with Active Directory Domain Services. For more information, see Azure Active Directory Domain Services.
• When you enable AD DS for Azure file shares over SMB, your AD DS-joined machines can mount Azure file shares using your existing AD DS credentials. This capability can be enabled with an AD DS environment hosted either in on-prem machines or hosted in Azure.

To help you setup Azure Files AD authentication for some common use cases, we published two videos with step by step guidance for the following scenarios:

To use the AD credential for authentication, you need to make sure that the AD credential is synced to Azure AD, and that Azure AD is fully synced to Azure AD DS. If not, AAD DS will not be able to perform authentication against an AD credential. Please check the sync status

enable AD DS authentication for your Azure file shares

Kindly let us know if you still have more questions on this. I wish to engage with you offline for a closer look and provide a quick and specialized assistance, I will follow-up with you.

Thanks for your patience and co-operation.

Hope this helps!

Kindly let us know if the above helps or you need further assistance on this issue.

-------------------------------------------------------------------------------------------------------------------------------------------------

Please do not forget to and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.