Thomas Thornton

Microsoft Azure Blog – Microsoft MVP

Azure Files Authentication with Azure Active Directory Domain Services

on by 1 Comment

Azure Files as of recent times supports authentication with Azure Active Directory Domain Services using identity-based authentication. Virtual Machines joined to Azure AD DS can authenticate to Azure Files using Azure AD credentials rather than the generic username/password Azure Files provides.

As a prerequisite, you will require an Azure Active Directory Domain Services (Azure AD DS) instance setup and Virtual Machine joined to this domain. I have blogged on how to do this here

Creating Azure File Share

Azure File Shares are created within a Storage Account.

In this example, my Storage Account will be: tamopsfileshare

Creating Storage Account as below

Storage account name: tamopsfileshare
Location: eastus2
Performance: Standard (No need for premium for an example and/or normal throughput)
Account Kind: StorageV2 is required for AzureFiles
Replication: LRS
Access tier: Hot (Rarely cold unless its a type of backup)

The rest of the Storage Account creation I kept as standard.

Once Storage Account has been created, time to create an Azure File Share

Select the Storage Account and select Files

Select + File Share

Enter File Share Name & Quota you require

Now the File Share will be created

Azure AD DS Authentication

Before Azure AD DS authentication can be configured, identity based authentication needs to be configured as below, this is Configuration within the Storage Account created above.

Enabling this, allows IAM type access for the File Shares within the Storage Account

Three build-in roles for Azure Files Access

  • Storage File Data SMB Share Reader allows read access in Azure Storage file shares over SMB.
  • Storage File Data SMB Share Contributor allows read, write, and delete access in Azure Storage file shares over SMB.
  • Storage File Data SMB Share Elevated Contributor allows read, write, delete and modify NTFS permissions in Azure Storage file shares over SMB.

For this example, I have added group AAD DC Administrators as Storage File Data SMB Share Contributor 

Test Access from a Virtual Machine domain joined within the configured Azure AD DS

Enter Username/Password for an Azure AD User in group AAD DC Administrators

Added folder test_folder within Windows VM, lets review Portal

Have successfully configured Azure Files Authentication with Azure Active Directory Domain Services !

1 comment

  1. Hello

    It doesn’t work like you are explaining because in my case it doesn’t authenticate the Azure AD credentials to map the network drive.

    i’ll look forward for your response and help

    Thanks
    Dan

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s