
IdP for NTFS for Azure Cloud and AD

Richard Duane Wolford Jr 231 Reputation points
2026-03-16T14:42:24.93+00:00

We have Azure cloud-only users and also an on-prem domain. We need to set up authentication for Azure files that allows us to use NTFS for both cloud and on-prem/hybrid users at the same time. Do we have to use Entra ID Domain services?

Tag: Azure Files (an Azure service that offers file shares in the cloud)


1 answer
Vallepu Venkateswarlu 7,630 Reputation points Microsoft External Staff Moderator
2026-03-16T16:24:33.49+00:00

Hi @Richard Duane Wolford Jr,

Welcome to Microsoft Q&A Platform.

If you need NTFS-backed Azure Files access for both your on-prem/hybrid identities and pure cloud-only users, you can’t solve that with an on-prem AD DS join alone (because your cloud-only users don’t exist in your on-prem AD).

• Cloud-only identities are created and managed only in Microsoft Entra ID.
• Hybrid identities are on-premises Active Directory Domain Services (AD DS) identities that are synced to Microsoft Entra ID by using either Microsoft Entra Connect Sync or Microsoft Entra Cloud Sync.

Here are your two main options:

Microsoft Entra Kerberos (preview): Enable Microsoft Entra Kerberos authentication for hybrid and cloud-only identities (preview) on Azure Files

• This is Azure AD’s Kerberos service that issues tickets for both hybrid-joined and purely cloud-only Azure AD users.
• Clients use standard SMB/Kerberos to authenticate to Azure Files without ever touching your on-prem DCs.
• You still assign share-level RBAC (e.g. Storage File Data SMB Share Contributor) in Azure and then apply NTFS ACLs on the folders.

Microsoft Entra Domain Services (managed AD)

• Spins up a managed AD domain in Azure that’s automatically populated by your Azure AD (including both synced on-prem objects and cloud-only users).
• You domain-join the storage account to that Azure AD DS domain exactly as you would to on-prem AD. Hybrid and cloud-only users can then authenticate via Kerberos.
• You still need share-level RBAC + NTFS permissions as usual.

Ref: Enable Active Directory Domain Services authentication for Azure file shares

Cloud-only identities are supported for authentication and share-level (RBAC) access, but they are not supported for NTFS (file/folder-level) permissions.

Microsoft Entra Kerberos removes the requirement for a domain controller for authentication (sign-in) to Azure file shares. However, NTFS permissions (Windows ACLs) still rely on domain-based security identifiers (SIDs).

Therefore, while cloud-only users can authenticate without a domain controller, configuring or enforcing file/folder-level permissions still requires a domain environment such as AD DS or Azure AD DS.

Ref: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-configure-file-level-permissions#how-azure-rbac-and-windows-acls-work-together

Please “up-vote” wherever the information provided helps you, as this can be beneficial to other community members.

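A practical check that follows from the answer above: since Windows ACLs on the share need a domain SID, it helps to know up front which Entra ID users carry an on-premises SID (hybrid) and which do not (cloud-only) before planning share-level RBAC and NTFS permissions. The script below is an added example, not part of the answer or of Microsoft's documentation; it assumes the Microsoft Graph and Az PowerShell modules are installed, that the signed-in account has User.Read.All consent and can assign roles, and it uses placeholder values for the subscription, resource group, storage account and share.

```powershell
# Added example: classify tenant users by whether they carry an on-premises SID.
# Users without one (cloud-only) can get share-level RBAC but cannot be named in NTFS ACLs.
# Assumes Microsoft.Graph and Az.Resources modules; scopes and scope string are assumptions.
Connect-MgGraph -Scopes 'User.Read.All' | Out-Null

function Get-NtfsAclEligibility {
    # Returns one record per user; NtfsAclEligible is true only when an on-prem SID exists.
    $users = Get-MgUser -All -Property 'UserPrincipalName','OnPremisesSyncEnabled','OnPremisesSecurityIdentifier'
    foreach ($u in $users) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            SyncedFromAdDs    = [bool]$u.OnPremisesSyncEnabled
            OnPremSid         = $u.OnPremisesSecurityIdentifier
            NtfsAclEligible   = -not [string]::IsNullOrEmpty($u.OnPremisesSecurityIdentifier)
        }
    }
}

function Grant-ShareLevelAccess {
    # Share-level step from the answer: Azure RBAC on the file share resource.
    # Works for hybrid and cloud-only users alike; NTFS ACLs are a separate, SID-based step.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$ShareResourceId   # placeholder scope, see below
    )
    New-AzRoleAssignment -SignInName $UserPrincipalName `
        -RoleDefinitionName 'Storage File Data SMB Share Contributor' `
        -Scope $ShareResourceId
}

$report = Get-NtfsAclEligibility
$report | Sort-Object NtfsAclEligible, UserPrincipalName | Format-Table -AutoSize

# Cloud-only users: share-level RBAC only. Placeholder resource ID; replace before use.
$shareScope = '/subscriptions/<SUB>/resourceGroups/<RG>/providers/Microsoft.Storage/storageAccounts/<ACCOUNT>/fileServices/default/fileshares/<SHARE>'
$report | Where-Object { -not $_.NtfsAclEligible } | ForEach-Object {
    Write-Host "Cloud-only, RBAC only (no NTFS ACL possible): $($_.UserPrincipalName)"
    # Grant-ShareLevelAccess -UserPrincipalName $_.UserPrincipalName -ShareResourceId $shareScope
}
```

The hybrid users in the report (NtfsAclEligible = true) are the only ones whose names will resolve to a SID when you set Windows ACLs on the mounted share from a domain-joined client.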
