
Azure File Services switch authentication

Juergen Fechter 1 Reputation point
2022-04-29T09:24:14.027+00:00

We want to abandon on-prem AD services.

The critical question is:
Can I switch from on-prem AD to Azure ADDS for the Azure File Services while retaining permissions?

Scenario:
On-prem Domain Name: company.com
Azure AD Tenant Name: company.onmicrosoft.com
VPN Connection from on-prem to Azure File
Azure Files are currently in the AD hybrid join mode.
(Azure Blob Storage wasn't a choice, including Azure Data Lake Storage Gen2)

All client devices are Azure AD joined using Intune.
No servers/services On-prem that are AD-dependent, with the exception of Azure Files Services.

Plan:
The next step is to get rid of the on-prem AD.
The plan is to remove the last Exchange Management Server and terminate the AD-Connect service to get cloud-only users and groups.

To continue granting access to Azure File Services, the idea is to build an Azure ADDS in parallel and turn on full replication of NTLM and Kerberos tickets on the Azure Connect side.

After migrating the files from on-prem, the authentication is to be switched from Active Directory to Azure Active Directory Domain Services. The hope is that the permissions do not need to be changed since the SID history is in Azure AD.
Has anyone already done this?

It is clear that users of Azure AD devices will still need a password to access Azure File Share, as no Kerberos protocol is available and they will need a network connection to the Azure ADDS environment, too.

We think that, to avoid any DNS confusion, the Azure ADDS should be given a subdomain name.
Azure ADDS Managed Domain: cloud.company.com
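As an added example (not part of the original question or the linked documentation), the check a practitioner would want before the cutover described above: walk the share's NTFS ACLs, pull every account SID out of them, and confirm each one resolves against the managed domain the host is joined to, so that orphaned ACEs are found before authentication is switched rather than after. It assumes a Windows host joined to the managed domain (cloud.company.com) with the Az PowerShell module installed and the share mounted over SMB; the share path, resource group and storage account names are placeholders.

```powershell
# Added example, not code from the thread: audit NTFS ACLs on an Azure Files share before
# switching the storage account from on-prem AD to Azure AD DS, so that any ACE whose SID
# the managed domain cannot resolve is found before cutover instead of after.
# Assumptions: run on a Windows host joined to the managed domain (cloud.company.com) with
# the Az PowerShell module installed; all names below are placeholders.
param(
    [string]$SharePath      = '\\<storage-account>.file.core.windows.net\<share>',  # placeholder
    [string]$ResourceGroup  = '<resource-group>',                                   # placeholder
    [string]$StorageAccount = '<storage-account>'                                   # placeholder
)

# 1. Record which directory service the account trusts today (AD, AADDS, AADKERB or None).
$sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
Write-Host "Current SMB auth source: $($sa.AzureFilesIdentityBasedAuth.DirectoryServiceOptions)"

# 2. Collect every account SID referenced by an explicit or inherited ACE on the share.
$sids = @{}
Get-ChildItem -LiteralPath $SharePath -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        # Ask for identities as raw SIDs so unresolvable entries do not throw here.
        foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            $sid = $rule.IdentityReference
            if ($sid.IsAccountSid()) { $sids[$sid.Value] = $_.FullName }   # skip well-known SIDs
        }
    }

# 3. Try to resolve each SID against the domain this host is joined to. A SID that fails
#    here will be an orphaned ACE after cutover unless the managed domain carries it in sidHistory.
$unresolved = @()
foreach ($value in $sids.Keys) {
    try {
        $name = ([System.Security.Principal.SecurityIdentifier]$value).Translate(
                    [System.Security.Principal.NTAccount]).Value
        Write-Host "OK  $value -> $name"
    } catch {
        $unresolved += $value
        Write-Warning "UNRESOLVED $value (first seen on $($sids[$value]))"
    }
}

# 4. Only flip the storage account to Azure AD DS once nothing is unresolved.
if ($unresolved.Count -eq 0) {
    Write-Host "All $($sids.Count) account SIDs resolve; safe to enable Azure AD DS auth with:"
    Write-Host "  Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount -EnableAzureActiveDirectoryDomainServicesForFile `$true"
} else {
    Write-Warning "$($unresolved.Count) SID(s) do not resolve; fix those ACLs (or their sidHistory) before switching."
}
```

Run it once against the current AD-joined host to get a baseline, and again from the managed-domain host after sync has completed; the difference between the two runs is the set of permissions that would break at cutover.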


2 answers

  1. Juergen Fechter 1 Reputation point
    2022-04-29T10:00:31.877+00:00

    > I understand that you want to authenticate your azure file through your Azure AD Domain Services, right?

    Yes, but only in the 2nd step.
    Authentication is currently done using Active Directory.
    We want to stop it and change it to Azure Active Directory Domain Services.
    Before we do a proof-of-concept, we want to hear about others' experiences and potential pitfalls.


  2. Carlos Solís Salazar 18,376 Reputation points MVP
    2022-04-29T09:34:39.07+00:00

    Hi @Juergen Fechter

    Thank you for asking this question on the **Microsoft Q&A Platform**.

    I understand that you want to authenticate your azure file through your Azure AD Domain Services, right?

    The following documentation may help in your project: Enable Azure Active Directory Domain Services authentication on Azure Files

    Hope this helps,
    Carlos Solís Salazar

    ----------

    Accept Answer and Upvote if any of the above helped; this thread can help others in the community looking for remediation for similar issues.
    NOTE: To answer you as quickly as possible, please mention me in your reply.
