Azure AD joined machines and Azure AD DS integrated file share

Bhushan Gawale 306 Reputation points
2022-08-23T14:34:56.6+00:00

Hey everyone,

We have a scenario where users wish to mount an Azure file share as a network drive using their Azure AD credentials on their machines that are Azure AD joined.

Because Azure file share supports integration with domain controllers, we have provisioned Azure Active Directory Domain Controller Services for the same Azure AD where users' workstations are connected. With this, we were hoping that workstations would be able to mount file shares using their Azure AD creds, but it does not seem to be the case, and rightly so, because workstations cannot find the Azure managed domain controllers.

Is there any workaround for this or the only option would be to join user machines to newly provisioned Azure AD DS?
Even for this, either site to site or point to site VPN connectivity needs to be established so that AADDCS could be reached from user / org network.

Thanks in advance.


2 answers

  1. JimmySalian-2011 41,916 Reputation points
    2022-08-23T15:27:12.983+00:00

    Hi @Bhushan Gawale ,

    Thank you for asking this question on the Microsoft Q&A Platform.

    There is no workaround for this and this is the limitation of AD DS, the Computer objects for computers joined to an on-premises AD DS environment aren't synchronized to Azure AD DS. These computers don't have a trust relationship with the managed domain and only belong to the on-premises AD DS environment. In Azure AD DS, only computer objects for computers that have explicitly domain-joined to the managed domain are shown and configured with access to file shares or policies.

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. JimmySalian-2011 41,916 Reputation points
    2022-08-24T09:34:06.827+00:00

    Hi @Bhushan Gawale ,

    Apologies, I assumed it was on-prem AD. I think the only way to achieve your requirements is to domain join the VM to ADDS, and AFAIK for an Azure AD-joined or registered device, user authentication happens using modern OAuth / OpenID Connect based protocols. These protocols are designed to work over the internet, so are great for mobile scenarios where users access corporate resources from anywhere.

    With Azure AD DS-joined devices, applications can use the Kerberos and NTLM protocols for authentication, so can support legacy applications migrated to run on Azure VMs as part of a lift-and-shift strategy, hence I will suggest you try with an ADDS joined VM and validate your scenario.

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

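The second answer suggests validating the scenario from an ADDS-joined VM. The script below is an added example (not part of the question or either answer, and not Microsoft-provided code) of the pre-flight checks a practitioner would run on that VM before concluding that identity is the problem: it confirms the device really is domain-joined (an Azure AD-joined-only device reports that it is not, which is the situation the question describes), confirms that TCP 445 to the storage endpoint is reachable (the VPN / firewall prerequisite the question mentions), and only then attempts the mount with the logged-on user's domain identity. The storage account name, share name and drive letter are placeholders.

```powershell
# Added example, not from the thread. Pre-flight checks before mounting an
# Azure Files SMB share with domain (Azure AD DS / Kerberos) identity.
# All three values below are placeholders; replace them with your own.
param(
    [string]$StorageAccount = 'mystorageacct',   # placeholder storage account
    [string]$ShareName      = 'myshare',         # placeholder share name
    [string]$DriveLetter    = 'Z'                # placeholder drive letter
)

$fqdn = "$StorageAccount.file.core.windows.net"
$unc  = "\\$fqdn\$ShareName"

# 1. Is this machine joined to an AD DS / Azure AD DS domain?
#    An Azure AD-joined-only device reports PartOfDomain = $false, so it has no
#    Kerberos/NTLM identity the share's domain integration can use.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "Device is not domain-joined (Domain/Workgroup: $($cs.Domain)). Kerberos/NTLM auth to $unc will not work from here."
} else {
    Write-Host "Domain-joined to: $($cs.Domain)"
}

# 2. Can SMB (TCP 445) reach the storage endpoint? ISPs and corporate firewalls
#    commonly block 445; without a VPN or private path the mount fails regardless
#    of which identity is used, so check this before troubleshooting auth.
$tnc = Test-NetConnection -ComputerName $fqdn -Port 445 -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) {
    Write-Warning "TCP 445 to $fqdn is unreachable; fix VPN/firewall connectivity first."
    return
}

# 3. Attempt the mount with the logged-on user's domain identity (no storage
#    account key is stored on the client, which is the point of the integration).
try {
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $unc -Persist -Scope Global -ErrorAction Stop | Out-Null
    Write-Host "Mounted $unc as ${DriveLetter}:"
} catch {
    Write-Warning "Mount failed: $($_.Exception.Message)"
}
```

Run it as the domain user who should get access, on the candidate VM. If step 1 warns, the device is in the state the question describes and no mount command will help until it is joined to the managed domain; if step 2 warns, the connectivity prerequisite from the question has not been met yet.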