Enable Azure Active Directory Kerberos authentication for hybrid identities on Azure Files
This article focuses on enabling and configuring Azure Active Directory (Azure AD) for authenticating hybrid user identities, which are on-premises AD DS identities that are synced to Azure AD. This allows Azure AD users to access Azure file shares using Kerberos authentication. This configuration uses Azure AD to issue the necessary Kerberos tickets to access the file share with the SMB protocol. This means your end users can access Azure file shares over the internet without requiring a line-of-sight to domain controllers from hybrid Azure AD-joined and Azure AD-joined VMs. However, configuring Windows access control lists (ACLs)/directory and file-level permissions for a user or group requires line-of-sight to the on-premises domain controller.
For more information on supported options and considerations, see Overview of Azure Files identity-based authentication options for SMB access. For more information about Azure AD Kerberos, see Deep dive: How Azure AD Kerberos works.
You can only use one AD source for identity-based authentication with Azure Files. If Azure AD Kerberos authentication for hybrid identities doesn't fit your requirements, you can use on-premises Active Directory Domain Service (AD DS) or Azure Active Directory Domain Services (Azure AD DS) instead. The configuration steps are different for each method.
| File share type | SMB | NFS |
|---|---|---|
| Standard file shares (GPv2), LRS/ZRS | | |
| Standard file shares (GPv2), GRS/GZRS | | |
| Premium file shares (FileStorage), LRS/ZRS | | |
Before you enable Azure AD Kerberos authentication over SMB for Azure file shares, make sure you've completed the following prerequisites.
Your Azure storage account can't authenticate with both Azure AD and a second method like AD DS or Azure AD DS. If you've already chosen another AD source for your storage account, you must disable it before enabling Azure AD Kerberos.
The Azure AD Kerberos functionality for hybrid identities is only available on the following operating systems:
- Windows 11 Enterprise single or multi-session.
- Windows 10 Enterprise single or multi-session, version 2004 or later with the latest cumulative updates installed, especially the KB5007253 - 2021-11 Cumulative Update Preview for Windows 10.
- Windows Server, version 2022 with the latest cumulative updates installed, especially the KB5007254 - 2021-11 Cumulative Update Preview for Microsoft server operating system version 21H2.
To learn how to create and configure a Windows VM and log in by using Azure AD-based authentication, see Log in to a Windows virtual machine in Azure by using Azure AD.
This feature doesn't currently support user accounts that you create and manage solely in Azure AD. User accounts must be hybrid user identities, which means you'll also need AD DS and either Azure AD Connect or Azure AD Connect cloud sync. You must create these accounts in Active Directory and sync them to Azure AD. To assign Azure Role-Based Access Control (RBAC) permissions for the Azure file share to a user group, you must create the group in Active Directory and sync it to Azure AD.
You must disable multi-factor authentication (MFA) on the Azure AD app representing the storage account.
Azure AD Kerberos authentication only supports using AES-256 encryption.
Azure Files authentication with Azure AD Kerberos is available in Azure public cloud in all Azure regions except China and Government clouds.
Enable Azure AD Kerberos authentication for hybrid user accounts
You can enable Azure AD Kerberos authentication on Azure Files for hybrid user accounts using the Azure portal, PowerShell, or Azure CLI.
To enable Azure AD Kerberos authentication using the Azure portal, follow these steps.
- Sign in to the Azure portal and select the storage account you want to enable Azure AD Kerberos authentication for.
- Under Data storage, select File shares.
- Next to Active Directory, select the configuration status (for example, Not configured).
- Under Azure AD Kerberos, select Set up.
- Select the Azure AD Kerberos checkbox.
- Optional: If you want to configure directory and file-level permissions through Windows File Explorer, then you also need to specify the domain name and domain GUID for your on-premises AD. You can get this information from your domain admin or by running the following Active Directory PowerShell cmdlets from an on-premises AD-joined client:

```powershell
$domainInformation = Get-ADDomain
$domainGuid = $domainInformation.ObjectGUID.ToString()
$domainName = $domainInformation.DnsRoot
```

  If you'd prefer to configure directory and file-level permissions using icacls, you can skip this step. However, if you want to use icacls, the client will need line-of-sight to the on-premises AD.
If you've previously enabled Azure AD Kerberos authentication through manual limited preview steps to store FSLogix profiles on Azure Files for Azure AD-joined VMs, the password for the storage account's service principal is set to expire every six months. Once the password expires, users won't be able to get Kerberos tickets to the file share. To mitigate this, see "Error - Service principal password has expired in Azure AD" under Potential errors when enabling Azure AD Kerberos authentication for hybrid users.
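The same configuration can be done with Azure PowerShell instead of the portal. The following is an added example (not from the article or the Az module) that first checks the storage account's current AD source, since only one source can be active at a time, and then enables Azure AD Kerberos with the optional domain name and GUID; it assumes the Az.Storage module, a signed-in Azure context, and placeholder resource names.

```powershell
# Added example: enable Azure AD Kerberos for Azure Files with Az.Storage.
# Assumes Az.Storage is installed and Connect-AzAccount has been run.
# Get-OnPremDomainInfo must run on an on-premises AD-joined client.

function Get-OnPremDomainInfo {
    # Same cmdlets the article uses to collect the domain name and GUID.
    $domainInformation = Get-ADDomain
    [pscustomobject]@{
        DomainName = $domainInformation.DnsRoot
        DomainGuid = $domainInformation.ObjectGUID.ToString()
    }
}

function Enable-AzFilesAadKerberos {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [string] $DomainName,   # optional: only needed for File Explorer ACL editing
        [string] $DomainGuid
    )

    $account = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
    $current = $account.AzureFilesIdentityBasedAuth.DirectoryServiceOptions

    # A storage account can use only one AD source. Refuse to continue while
    # AD DS ('AD') or Azure AD DS ('AADDS') is still configured.
    if ($current -and $current -notin @('None', 'AADKERB')) {
        throw "Storage account '$StorageAccountName' already uses '$current' as its AD source. Disable it before enabling Azure AD Kerberos."
    }

    $params = @{
        ResourceGroupName                         = $ResourceGroupName
        StorageAccountName                        = $StorageAccountName
        EnableAzureActiveDirectoryKerberosForFile = $true
    }
    if ($DomainName -and $DomainGuid) {
        $params.ActiveDirectoryDomainName = $DomainName
        $params.ActiveDirectoryDomainGuid = $DomainGuid
    }

    Set-AzStorageAccount @params | Out-Null

    # Return the resulting identity configuration so it can be verified.
    (Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName).AzureFilesIdentityBasedAuth
}

# Usage (placeholder names):
# $info = Get-OnPremDomainInfo
# Enable-AzFilesAadKerberos -ResourceGroupName 'rg-files' -StorageAccountName 'stfilesdemo' `
#     -DomainName $info.DomainName -DomainGuid $info.DomainGuid
```

Admin consent for the new service principal still has to be granted afterwards, as described in the next section.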
Grant admin consent to the new service principal
After enabling Azure AD Kerberos authentication, you'll need to explicitly grant admin consent to the new Azure AD application registered in your Azure AD tenant to complete your configuration. You can configure the API permissions from the Azure portal by following these steps:
- Open Azure Active Directory.
- Select App registrations on the left pane.
- Select All Applications.
- Select the application with the name matching [Storage Account] $storageAccountName.file.core.windows.net.
- Select API permissions in the left pane.
- Select Grant admin consent for "DirectoryName".
- Select Yes to confirm.
Disable multi-factor authentication on the storage account
Azure AD Kerberos doesn't support using MFA to access Azure file shares configured with Azure AD Kerberos. You must exclude the Azure AD app representing your storage account from your MFA conditional access policies if they apply to all apps. The storage account app should have the same name as the storage account in the conditional access exclusion list.
If you don't exclude the storage account app from your MFA policies, you won't be able to access the file share. Trying to map the file share using net use will result in an error message that says "System error 1327: Account restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced."
Assign share-level permissions
When you enable identity-based access, you can set for each share which users and groups have access to that particular share. Once a user is allowed into a share, Windows ACLs (also called NTFS permissions) on individual files and directories take over. This allows for fine-grained control over permissions, similar to an SMB share on a Windows server.
To set share-level permissions, follow the instructions in Assign share-level permissions to an identity.
Configure directory and file-level permissions
Once share-level permissions are in place, you can assign directory/file-level permissions to the user or group. This requires using a device with line-of-sight to an on-premises AD. To use Windows File Explorer, the device also needs to be domain-joined.
There are two options for configuring directory and file-level permissions with Azure AD Kerberos authentication:
- Windows File Explorer: If you choose this option, then the client must be domain-joined to the on-premises AD.
- icacls utility: If you choose this option, then the client doesn't need to be domain-joined, but needs line-of-sight to the on-premises AD.
To configure directory and file-level permissions through Windows File Explorer, you also need to specify domain name and domain GUID for your on-premises AD. You can get this information from your domain admin or from an on-premises AD-joined client. If you prefer to configure using icacls, this step is not required.
To configure directory and file-level permissions, follow the instructions in Configure directory and file-level permissions over SMB.
Configure the clients to retrieve Kerberos tickets
Enable the Azure AD Kerberos functionality on every client machine from which you want to mount or use Azure file shares. You must do this on every client on which Azure Files will be used.
Use one of the following three methods:
- Configure this Intune Policy CSP and apply it to the client(s): Kerberos/CloudKerberosTicketRetrievalEnabled
- Configure this group policy on the client(s): Administrative Templates\System\Kerberos\Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon
- Create the following registry value on the client(s):

```powershell
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v CloudKerberosTicketRetrievalEnabled /t REG_DWORD /d 1
```
Changes are not instant, and require a policy refresh or a reboot to take effect.
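To confirm a client meets the prerequisites above before troubleshooting ticket retrieval, the following added example (not from the article) checks the OS build against the supported versions, reads the CloudKerberosTicketRetrievalEnabled value, and optionally sets it using the registry method. The build thresholds (19041 for Windows 10 2004, 20348 for Windows Server 2022) are assumptions made here, and the edition check only looks at the OS caption.

```powershell
# Added example: check (and optionally fix) Azure AD Kerberos client prerequisites.
# Run in an elevated PowerShell session when using -Fix.

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$RegName = 'CloudKerberosTicketRetrievalEnabled'

function Test-CloudKerberosClient {
    param([switch] $Fix)

    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $build    = [int]$os.BuildNumber
    $isServer = $os.ProductType -ne 1      # 1 = workstation, 2/3 = server

    # Assumed thresholds: Windows 10 2004 = build 19041 (Windows 11 is higher),
    # Windows Server 2022 = build 20348. Edition is judged from the caption only.
    $osOk      = if ($isServer) { $build -ge 20348 } else { $build -ge 19041 }
    $editionOk = $os.Caption -match 'Enterprise|Server'

    $value = (Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue).$RegName
    $regOk = ($value -eq 1)
    $needsRestart = $false

    if ($Fix -and -not $regOk) {
        # Equivalent to the 'reg add ... /t REG_DWORD /d 1' command above.
        New-ItemProperty -Path $RegPath -Name $RegName -PropertyType DWord -Value 1 -Force | Out-Null
        $regOk = $true
        $needsRestart = $true   # takes effect after a policy refresh or reboot
    }

    [pscustomobject]@{
        Caption         = $os.Caption
        Build           = $build
        OsSupported     = ($osOk -and $editionOk)
        RegistryEnabled = $regOk
        RestartRequired = $needsRestart
        Ready           = ($osOk -and $editionOk -and $regOk -and -not $needsRestart)
    }
}

Test-CloudKerberosClient -Fix | Format-List
```

If the policy is delivered through Intune or Group Policy instead, run the function without -Fix so the check reports the effective value without writing to the registry.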
Disable Azure AD authentication on your storage account
If you want to use another authentication method, you can disable Azure AD authentication on your storage account by using the Azure portal, Azure PowerShell, or Azure CLI.
Disabling this feature means that there will be no Active Directory configuration for file shares in your storage account until you enable one of the other Active Directory sources to reinstate your Active Directory configuration.
To disable Azure AD Kerberos authentication on your storage account by using the Azure portal, follow these steps.
- Sign in to the Azure portal and select the storage account you want to disable Azure AD Kerberos authentication for.
- Under Data storage, select File shares.
- Next to Active Directory, select the configuration status.
- Under Azure AD Kerberos, select Configure.
- Uncheck the Azure AD Kerberos checkbox.
- Select Save.