Authentication error when mounting Azure Files from Windows 11 hybrid‑joined device in cross‑tenant setup (Entra Kerberos)

SKS 0 Reputation points
2026-03-30T19:20:13.3633333+00:00

I am facing an authentication issue while trying to mount an Azure Files share from a Windows 11 hybrid‑joined device. Below is the environment and configuration:

Environment Details

Azure Files storage account and file shares

  • Located in Tenant A
  • Azure Files authentication is configured to use Microsoft Entra Kerberos
  • Users accessing the file share are hybrid users and belong to Tenant A

User identity

  • Users are **hybrid identities** (on‑prem AD synced to Entra ID)
  • Users exist in **Tenant A**

Client devices

  • Windows 11 machines are associated with **Tenant B**
  • Devices are:
    • **Domain‑joined** to the same on‑prem Active Directory domain as the users
    • **Microsoft Entra ID joined** to **Tenant B** (hybrid join scenario across tenants)

Issue

When users sign in to the Windows 11 devices and attempt to mount the Azure Files share (SMB), the connection fails with an authentication error.

Question

Is this cross‑tenant scenario supported when using Azure Files with Entra Kerberos authentication, where:

  • Azure Files and users are in Tenant A
  • Client Windows 11 devices are Entra‑joined to Tenant B but domain‑joined to the same AD domain as the users

If this is not supported, what is the recommended authentication model or configuration for this scenario?

Azure Files
An Azure service that offers file shares in the cloud.

1 answer

  1. Vallepu Venkateswarlu 6,995 Reputation points Microsoft External Staff Moderator
    2026-03-30T19:42:48.2266667+00:00

    Hi @SKS,

    Welcome to Microsoft Q&A Platform

    It looks like you’re running into a limitation: Microsoft Entra Kerberos for Azure Files requires the client’s Entra join and the storage account’s Kerberos SPN to live in the same Entra tenant. In your scenario the VMs are hybrid-joined to Tenant B while the storage account (and synced users) live in Tenant A, so Kerberos tickets can’t be issued for the SPN in Tenant A and authentication fails.

    This cross-tenant hybrid-join scenario isn’t supported today. You have a few options:

    Note: This feature currently doesn't support cross-tenant access for B2B users or guest users. Users from an Entra tenant other than the one configured won't be able to access the file share.

    Keep using Microsoft Entra Kerberos:

    • Re-hybrid-join your Windows 11 clients to Tenant A (so they and the SPN live together).

    Switch to on-prem AD DS authentication for Azure Files:

    • Configure your storage account to use on-premises AD DS authentication (no Entra Kerberos). Your domain-joined Windows machines will then authenticate directly against your on-prem KDC. This is a supported, cross-tenant-agnostic model.

    Use Azure AD OAuth (token-based) access for Azure Files shares:

    • If rejoining or on-prem AD DS isn’t possible, consider mounting via Azure AD tokens (StorageFileData SMB Share roles) instead of Kerberos.

    Here are some quick checks you can run on your current setup (to rule out other misconfigurations):

    • Ensure TCP port 445 is open outbound from the client to Azure Files.
    • Make sure the CloudKerberosTicketRetrievalEnabled registry key (or GPO/Intune policy) is set on your Windows clients.
    • Run the Debug-AzStorageAccountAuth cmdlet against your storage account (from a user in Tenant A) to see which checks fail.
    • Verify that the storage account’s SPN (in Tenant A) is properly configured and that any required admin consent has been granted.

    Please “up-vote” wherever the information provided helps you, **this can be beneficial to other community members.**

    1 person found this answer helpful.
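
The client-side checks from the answer above, plus a comparison of the device's Entra tenant with the storage account's tenant, as an added example that is not part of the original answer (PowerShell, run on the Windows 11 client). The storage account name and tenant ID are placeholders, and the `file.core.windows.net` suffix assumes the public Azure cloud.

```powershell
# Added example: pre-checks on a Windows client before mounting Azure Files with Entra Kerberos.
param(
    [string]$StorageAccountName = '<storage-account-name>',  # placeholder
    [string]$StorageTenantId    = '<tenant-a-guid>'          # placeholder: tenant that owns the storage account
)

function Get-DsregField {
    param([string[]]$Lines, [string]$Name)
    # dsregcmd /status prints "Name : Value" pairs; return the first exact-name match or $null.
    $pattern = '^\s*' + [regex]::Escape($Name) + '\s*:\s*(.+?)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    return $null
}

# 1. Which tenant is this device joined to, and is it hybrid-joined?
$dsreg        = dsregcmd /status
$deviceTenant = Get-DsregField -Lines $dsreg -Name 'TenantId'
$entraJoined  = Get-DsregField -Lines $dsreg -Name 'AzureAdJoined'
$domainJoined = Get-DsregField -Lines $dsreg -Name 'DomainJoined'

# 2. CloudKerberosTicketRetrievalEnabled, read from the location used by the manual
#    registry setting. A value delivered by GPO or Intune may be stored elsewhere.
$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$kerbVal = (Get-ItemProperty -Path $kerbKey -Name 'CloudKerberosTicketRetrievalEnabled' `
            -ErrorAction SilentlyContinue).CloudKerberosTicketRetrievalEnabled

# 3. Outbound SMB (TCP 445) to the file endpoint.
$endpoint = "${StorageAccountName}.file.core.windows.net"
$smb = Test-NetConnection -ComputerName $endpoint -Port 445 -WarningAction SilentlyContinue

[pscustomobject]@{
    DeviceTenantId          = $deviceTenant
    StorageTenantId         = $StorageTenantId
    TenantsMatch            = ($deviceTenant -eq $StorageTenantId)  # False in the cross-tenant case
    EntraJoined             = ($entraJoined -eq 'YES')
    DomainJoined            = ($domainJoined -eq 'YES')
    CloudKerberosRetrieval  = ($kerbVal -eq 1)
    Port445Reachable        = [bool]$smb.TcpTestSucceeded
} | Format-List
```

`TenantsMatch : False` together with `EntraJoined : True` is the configuration described in the question; the remaining fields rule out the unrelated misconfigurations listed in the answer.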
