Azure Files Authentication with Azure Active Directory Domain Services

Azure Files now supports identity-based authentication over SMB with Azure Active Directory Domain Services (Azure AD DS, since renamed Microsoft Entra Domain Services). Virtual Machines joined to the Azure AD DS domain can authenticate to an Azure file share with the signed-in user's Azure AD credentials (Kerberos) rather than with the storage account name and key, which is a shared secret that grants full access to everything in the account.

As a prerequisite, you will require an Azure Active Directory Domain Services (Azure AD DS) instance set up and a Virtual Machine joined to this domain. I have blogged on how to do this here.

Creating Azure File Share

Azure File Shares are created within a Storage Account.

In this example, my Storage Account will be: tamopsfileshare

Creating the Storage Account as below:

Storage account name: tamopsfileshare
Location: eastus2
Performance: Standard (Premium is not needed for an example or for normal throughput)
Account kind: StorageV2 (general-purpose v2) is required for identity-based authentication on Azure Files
Replication: LRS
Access tier: Hot (Cool is rarely the right choice unless the data is a type of backup)

The rest of the Storage Account creation I kept as standard.

Once the Storage Account has been created, it is time to create an Azure File Share:

Select the Storage Account and select Files

Select + File Share

Enter File Share Name & Quota you require

The File Share will now be created.
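The same Storage Account and File Share creation, scripted with the Az PowerShell module rather than the portal. This is an added example and not code from the original post; the resource group name, share name and quota are assumptions, while the account name, region, SKU, kind and tier are the values chosen above. The share is created through the resource provider, so the account key is never needed at this stage.

```powershell
# Added example (not from the original post): provisions the storage account and
# file share described above with the Az PowerShell module.
$rg          = 'tamops-rg'        # assumed resource group name
$accountName = 'tamopsfileshare'  # from the post
$location    = 'eastus2'          # from the post
$shareName   = 'tamopsshare'      # assumed share name
$quotaGiB    = 100                # assumed quota

Connect-AzAccount | Out-Null      # interactive sign-in; omit if already signed in

if (-not (Get-AzResourceGroup -Name $rg -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $rg -Location $location | Out-Null
}

# StorageV2 (general-purpose v2) is what identity-based SMB auth needs; Standard_LRS and Hot match the post.
# TLS 1.2 minimum and no anonymous blob access are hardening defaults worth setting at creation time.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $accountName -Location $location `
        -SkuName Standard_LRS -Kind StorageV2 -AccessTier Hot `
        -MinimumTlsVersion TLS1_2 -AllowBlobPublicAccess $false

# Create the share through the management plane (Microsoft.Storage resource provider),
# so no account key has to be retrieved or handled here.
New-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $accountName `
    -Name $shareName -QuotaGiB $quotaGiB | Out-Null

# Check the share exists and has the expected quota
Get-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $accountName |
    Select-Object Name, QuotaGiB
```

Using New-AzRmStorageShare rather than New-AzStorageShare matters for a least-privilege setup: the latter talks to the data plane and needs a storage context built from the account key, whereas the management-plane cmdlet only needs an Azure RBAC role such as Contributor on the account.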

Azure AD DS Authentication

Before Azure AD DS authentication can be used, identity-based authentication must be enabled on the Storage Account created above. This is done under the Configuration blade of that Storage Account.

Enabling this allows share-level access to be granted with Azure RBAC (IAM) role assignments, either on the whole Storage Account or on an individual File Share within it.

There are three built-in roles for Azure Files access:

  • Storage File Data SMB Share Reader allows read access in Azure Storage file shares over SMB.
  • Storage File Data SMB Share Contributor allows read, write, and delete access in Azure Storage file shares over SMB.
  • Storage File Data SMB Share Elevated Contributor allows read, write, delete and modify NTFS permissions in Azure Storage file shares over SMB.

For this example, I have added the group AAD DC Administrators as Storage File Data SMB Share Contributor.
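The two steps in this section, enabling Azure AD DS authentication on the account and then granting the share-level role, scripted with the Az PowerShell module. This is an added example and not code from the original post; the resource group and share name are assumptions, while the account name, group and role are the ones used above. It scopes the role assignment to the single share rather than to the whole account, and verifies both settings afterwards.

```powershell
# Added example (not from the original post): enables Azure AD DS authentication for SMB
# on the storage account and grants share-level access with an Azure RBAC role assignment.
$rg          = 'tamops-rg'                                 # assumed resource group name
$accountName = 'tamopsfileshare'                           # from the post
$shareName   = 'tamopsshare'                               # assumed share name
$groupName   = 'AAD DC Administrators'                     # from the post
$role        = 'Storage File Data SMB Share Contributor'   # from the post

# Turn on identity-based authentication (Azure AD DS flavour) for the account.
Set-AzStorageAccount -ResourceGroupName $rg -Name $accountName `
    -EnableAzureActiveDirectoryDomainServicesForFile $true | Out-Null

# Verify: DirectoryServiceOptions should now read AADDS.
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $accountName
if ($sa.AzureFilesIdentityBasedAuth.DirectoryServiceOptions -ne 'AADDS') {
    throw "Identity-based auth is not enabled on $accountName"
}

# Scope the assignment to the one share (least privilege) instead of the whole account.
$group = Get-AzADGroup -DisplayName $groupName
$scope = "$($sa.Id)/fileServices/default/fileshares/$shareName"
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role -Scope $scope | Out-Null

# Confirm the assignment landed where intended.
Get-AzRoleAssignment -Scope $scope |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

Two caveats worth keeping in mind. The share-level role is only the first gate: NTFS ACLs on the files and folders still apply, and Storage File Data SMB Share Contributor cannot change those ACLs (that needs Elevated Contributor, or a mount made with the account key). And enabling identity-based authentication does not disable the storage account key, which continues to grant full access over SMB regardless of any role assignment, so the key should be treated as a privileged secret and rotated like one.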

Test access from a Virtual Machine that is domain joined to the configured Azure AD DS domain

Enter the username/password of an Azure AD user who is in the group AAD DC Administrators

Added folder test_folder from within the Windows VM; let's review it in the Portal
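The same test from the domain-joined VM, done in PowerShell so that each part of the chain can be checked: reachability of the SMB endpoint, a Kerberos ticket for the storage account, a write, and the resulting NTFS ACL. This is an added example and not code from the original post; the share name is an assumption, and it assumes you are signed in to the VM as a domain user who is a member of the group that holds the share-level role.

```powershell
# Added example (not from the original post): run on the Azure AD DS joined VM, signed in
# as a domain user in the group that was granted the share-level role.
$accountName = 'tamopsfileshare'                       # from the post
$shareName   = 'tamopsshare'                           # assumed share name
$endpoint    = "$accountName.file.core.windows.net"
$unc         = "\\$endpoint\$shareName"

# SMB needs TCP 445 to the storage endpoint; fail early and clearly if it is blocked.
if (-not (Test-NetConnection -ComputerName $endpoint -Port 445).TcpTestSucceeded) {
    throw "TCP 445 to $endpoint is blocked; check NSG/firewall rules"
}

# Map the share with the logged-on domain identity: no account key and no stored credential.
New-PSDrive -Name Z -PSProvider FileSystem -Root $unc -Persist -ErrorAction Stop | Out-Null

# Kerberos check: after the mount there should be a cifs service ticket for the endpoint.
# If this prints nothing, the session fell back to something other than Azure AD DS Kerberos.
klist | Select-String "cifs/$endpoint"

# Write test matching the post (test_folder), then read the share back.
New-Item -Path 'Z:\test_folder' -ItemType Directory -Force | Out-Null
Get-ChildItem -Path 'Z:\' | Select-Object Name, LastWriteTime

# Show the effective NTFS ACL on the new folder. Changing it from this session would fail
# with the Contributor role; that requires Elevated Contributor or an account-key mount.
icacls 'Z:\test_folder'
```

If the mount succeeds but klist shows no cifs ticket for the endpoint, the VM is most likely not resolving the domain's DNS or not actually joined to the Azure AD DS domain, which is the prerequisite from the start of the post.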

Azure Files authentication with Azure Active Directory Domain Services has been successfully configured!
