Cannot access file share from hybrid user accounts

Robert Harvey 1 Reputation point
2022-09-02T10:59:42.43+00:00

Hi, we're in the process of trying to set up an AVD environment where users connect to VMs with AAD credentials, with profiles provided by FSLogix. Everything is in place and we've followed the MS guide and sub-guides: https://learn.microsoft.com/en-us/azure/virtual-desktop/deploy-azure-ad-joined-vm. We can map the share fine using the storage account key, but when we try to access it with our AAD credentials we receive a generic incorrect username or password error. All the users we're trying to connect with are hybrid user identities imported from AD to AAD.

Things we've done / tried:

  • Created storage account v2 in UK South, default settings for everything
  • Created generic 'profiles' file share, default settings for everything
  • Configured Azure AD Kerberos on the storage account, added in the optional domain name and GUID
  • Given the service principal admin consent in the API permissions section
  • There is no MFA policy applied, but we've disabled AAD security defaults
  • Assigned Storage File Data SMB Share Contributor to relevant users, also tried Elevated Contributor
  • Mapped the drive with net use using the storage key and given relevant users full permissions to the file share; on separate attempts we've also done the same with icacls
  • Set up and confirmed that port 445 is unblocked
  • The machines we're using for testing exist in AD in an OU where no GPOs are applied
  • We've also done all the setup for FSLogix, but we can't get that far yet.

As far as we can tell, we haven't missed anything and our setup should support this configuration; any advice would be greatly appreciated.
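The storage-account side of the setup listed above, written out as an added PowerShell example (not code from the original post or from Microsoft's guide). Resource group, storage account, domain name/GUID and UPN are placeholder assumptions; the service-principal admin consent step is done in the portal and is not repeated here. It uses only the Az.Storage/Az.Resources cmdlets and the net use / icacls commands the question mentions, and it checks the two things that silently break SMB access to Azure Files: a missing share-level RBAC role and a blocked port 445.

```powershell
# Added example: server-side Azure AD Kerberos setup for an Azure Files share.
# All names below are assumptions for illustration, not values from the original post.
$rg         = "rg-avd"                                   # assumed resource group
$account    = "stavdprofiles"                            # assumed storage account (must be globally unique)
$share      = "profiles"                                 # share name from the question
$upn        = "user@corp.example.com"                    # assumed hybrid user UPN
$domain     = (Get-ADDomain).DnsRoot                     # on-prem AD domain, e.g. corp.example.com (ActiveDirectory module)
$domainGuid = (Get-ADDomain).ObjectGUID.ToString()       # on-prem AD domain GUID
$netbios    = (Get-ADDomain).NetBIOSName                 # e.g. CORP, used in icacls principals

Connect-AzAccount | Out-Null
$fqdn = "$account.file.core.windows.net"

# 1. Enable Azure AD Kerberos on the storage account, passing the optional
#    on-prem domain name and GUID so hybrid identities resolve correctly.
Set-AzStorageAccount -ResourceGroupName $rg -Name $account `
    -EnableAzureActiveDirectoryKerberosForFile $true `
    -ActiveDirectoryDomainName $domain `
    -ActiveDirectoryDomainGuid $domainGuid | Out-Null

# 2. Share-level permission: without a "Storage File Data SMB Share ..." role
#    assignment on the share (or account) scope, Kerberos authentication succeeds
#    but the SMB session is refused, which surfaces as a credential error.
$subId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Storage" +
         "/storageAccounts/$account/fileServices/default/fileshares/$share"
New-AzRoleAssignment -SignInName $upn `
    -RoleDefinitionName "Storage File Data SMB Share Contributor" `
    -Scope $scope | Out-Null

# 3. Port 445 must be reachable from the session host; many ISPs and NSGs block it.
$tcp = Test-NetConnection -ComputerName $fqdn -Port 445
if (-not $tcp.TcpTestSucceeded) { throw "TCP 445 to $fqdn is blocked" }

# 4. Mount once with the storage account key (acts as a superuser) to set Windows ACLs.
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $account)[0].Value
net use Z: "\\$fqdn\$share" /user:"Azure\$account" $key

# 5. Windows (NTFS-style) ACLs: FSLogix profile users need Modify on the share root.
#    The principal must be the on-prem domain account, which is what the hybrid
#    identity maps back to when Azure AD Kerberos issues the cifs/ ticket.
icacls Z:\ /grant "$netbios\Domain Users:(OI)(CI)M"
icacls Z:\ /grant "$netbios\Domain Admins:(OI)(CI)F"

net use Z: /delete
```

After this, both layers of authorisation exist: the RBAC role decides whether the user may open an SMB session to the share at all, and the Windows ACLs decide what they can do inside it. Missing either one produces the same generic "incorrect username or password" message on the client.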


2 answers

  1. Carlos Solís Salazar 16,531 Reputation points
    2022-09-02T13:27:26.22+00:00

    Hi @Robert Harvey

    Thank you for asking this question on the **Microsoft Q&A Platform**.

    Try the following idea: mount the file share using the recommended PowerShell script, using Active Directory as the authentication method.

    Hope this helps,

    ----------

    Accept Answer and Upvote if any of the above helped; this thread can help others in the community looking for remediation for similar issues.
    NOTE: To answer you as quickly as possible, please mention me in your reply.


  2. rafalzak 3,216 Reputation points
    2022-09-07T09:45:01.59+00:00

    Please look into point: Configure the clients to retrieve Kerberos tickets
    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-azure-active-directory-enable
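The client-side step the answer above points to, as an added PowerShell example (not code from the answer or from the linked Microsoft page). Azure AD-joined or hybrid session hosts do not request Kerberos tickets from Azure AD unless cloud ticket retrieval is switched on; the registry value below is the setting that the GPO/Intune policy "Kerberos: Cloud Kerberos ticket retrieval" toggles. The storage account name is an assumption.

```powershell
# Added example: enable Azure AD Kerberos ticket retrieval on a session host and
# verify the user actually obtains a ticket for the file share before mounting it.
$account = "stavdprofiles"                  # assumed storage account name
$fqdn    = "$account.file.core.windows.net"

# Run elevated. This is the setting behind "Configure the clients to retrieve
# Kerberos tickets"; without it the client falls back to NTLM, which Azure Files
# rejects, and the user sees a generic bad username/password error.
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
New-ItemProperty -Path $regPath -Name "CloudKerberosTicketRetrievalEnabled" `
    -PropertyType DWord -Value 1 -Force | Out-Null

# The setting takes effect for new logon sessions: sign out and back in (or reboot)
# as the test user, then run the checks below in that user's session.

# Drop cached tickets so the test is not masked by an old one, then request a
# service ticket for the share's SPN. A ticket for cifs/<account>.file.core.windows.net
# issued by the KERBEROS.MICROSOFTONLINE.COM realm is what the SMB client needs.
klist purge | Out-Null
$ticket = klist get "cifs/$fqdn"
if ($ticket -notmatch "cifs/$fqdn") { throw "No Kerberos ticket for cifs/$fqdn; check the registry value and the user's sign-in" }

# Mount with the signed-in user's ticket: no /user and no storage key on the command line.
net use Z: "\\$fqdn\profiles"
```

If `klist get` fails while port 445 and the share-level RBAC role are both in place, the problem is on the identity side (ticket retrieval not enabled, the user not yet signed in after the change, or the hybrid identity not matching the on-prem domain name/GUID configured on the storage account) rather than on the share itself.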