Azure Files now supports identity-based authentication over SMB with Azure Active Directory Domain Services (Azure AD DS). Virtual Machines joined to an Azure AD DS domain can authenticate to Azure Files with Azure AD credentials instead of the storage account key, the shared "username/password" that grants full access to everything in the Storage Account.
As a prerequisite, you will require an Azure Active Directory Domain Services (Azure AD DS) instance set up and a Virtual Machine joined to this domain. I have blogged on how to do this here.
Creating Azure File Share
Azure File Shares are created within a Storage Account.
In this example, my Storage Account will be: tamopsfileshare
Create the Storage Account as below:
Storage account name: tamopsfileshare
Performance: Standard (Premium is only needed for high-throughput workloads; an example does not need it, and Premium file shares also need the FileStorage account kind)
Account kind: StorageV2 (general-purpose v2), the account kind to use for standard Azure file shares; identity-based authentication is supported on general-purpose v2 and Premium FileStorage accounts
Access tier: Hot (this account-level tier applies to blob storage; standard file shares choose their own tier per share, so it does not affect the file share itself)
The rest of the Storage Account creation I kept at the defaults.
Once the Storage Account has been created, it is time to create an Azure File Share:
Select the Storage Account and select Files
Select + File Share
Enter File Share Name & Quota you require
The File Share is now created.
Azure AD DS Authentication
Before Azure AD DS authentication can be used, identity-based authentication needs to be enabled with Azure AD DS as the directory source, as below. This setting lives in the configuration of the Storage Account created above.
Enabling this allows Azure RBAC (IAM) role assignments to control share-level access to the file shares in the Storage Account. Note that the storage account key keeps working regardless of these role assignments, so it still needs to be protected and rotated; identity-based authentication adds a way in, it does not remove the key.
Three built-in roles cover Azure Files access:
- Storage File Data SMB Share Reader allows read access in Azure Storage file shares over SMB.
- Storage File Data SMB Share Contributor allows read, write, and delete access in Azure Storage file shares over SMB.
- Storage File Data SMB Share Elevated Contributor allows read, write, delete and modify NTFS permissions in Azure Storage file shares over SMB.
For this example, I have added the group AAD DC Administrators as Storage File Data SMB Share Contributor.
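The same Azure-side configuration (Storage Account and File Share creation from the earlier section, then enabling Azure AD DS authentication and assigning the share-level role) as a single Az PowerShell script. This is an added example, not code from the original post; the resource group tamops-rg, the region northeurope, the share name tamopsshare and the 100 GiB quota are assumed placeholders, while tamopsfileshare and the AAD DC Administrators group are the names used in the post.

```powershell
# Added example (not from the original post): Azure-side setup with the Az PowerShell module.
# Assumptions: resource group 'tamops-rg', region 'northeurope', share 'tamopsshare' and a
# 100 GiB quota are placeholders; tamopsfileshare is the account name used in the post.
# Requires: Install-Module Az; Connect-AzAccount; an Azure AD DS domain already deployed.

$rg        = 'tamops-rg'
$location  = 'northeurope'
$account   = 'tamopsfileshare'
$share     = 'tamopsshare'
$groupName = 'AAD DC Administrators'                # built-in Azure AD DS group used in the post
$role      = 'Storage File Data SMB Share Contributor'

# 1. Standard general-purpose v2 account. -AccessTier Hot is the account-level (blob) tier;
#    standard file shares carry their own tier, so it does not change the share.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $account -Location $location `
          -SkuName Standard_LRS -Kind StorageV2 -AccessTier Hot

# 2. The file share, with an explicit quota.
New-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $account `
          -Name $share -QuotaGiB 100 | Out-Null

# 3. Enable identity-based authentication with Azure AD DS as the directory source
#    (the same switch as the identity-based access setting in the portal).
Set-AzStorageAccount -ResourceGroupName $rg -Name $account `
          -EnableAzureActiveDirectoryDomainServicesForFile $true | Out-Null

# 4. Share-level permission. Scope the assignment to this one share rather than the whole
#    account, so the group gets nothing on any other share created later.
$group      = Get-AzADGroup -DisplayName $groupName
$shareScope = "$($sa.Id)/fileServices/default/fileshares/$share"
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role -Scope $shareScope | Out-Null

# 5. Verify: directory source should read AADDS and the assignment should exist at share scope.
$check = Get-AzStorageAccount -ResourceGroupName $rg -Name $account
$check.AzureFilesIdentityBasedAuth.DirectoryServiceOptions     # expect AADDS
Get-AzRoleAssignment -Scope $shareScope -RoleDefinitionName $role |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

Two design points. The role is assigned at the scope of the individual share, not the Storage Account or resource group, which is the least-privilege scope Azure Files supports for these SMB roles. AAD DC Administrators is convenient for a demo because it is the administrative group of the managed domain, but in a real deployment a dedicated Azure AD group per share (or per access level) is the better choice, so that share access is not coupled to domain administration.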
Test access from a Virtual Machine that is domain joined to the configured Azure AD DS domain.
Enter the username/password of an Azure AD user who is a member of the group AAD DC Administrators.
I added the folder test_folder from within the Windows VM; let's review the Portal.
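The VM-side test as a script, run on the Azure AD DS domain-joined VM while signed in as a user who belongs to the group that holds the SMB role. This is an added example, not code from the original post; tamopsshare is an assumed share name and tamopsfileshare is the account name from the post. It goes one step further than the screenshot test by also showing where the Contributor role stops.

```powershell
# Added example (not from the original post). Run on the Azure AD DS domain-joined VM,
# signed in as a domain user in the group that holds the SMB share role.
# 'tamopsshare' is an assumed share name; tamopsfileshare is the account from the post.

$account = 'tamopsfileshare'
$share   = 'tamopsshare'
$unc     = "\\$account.file.core.windows.net\$share"

# SMB needs TCP 445 to the storage endpoint; if this is blocked nothing below will work.
$tcp = Test-NetConnection -ComputerName "$account.file.core.windows.net" -Port 445
if (-not $tcp.TcpTestSucceeded) { throw "TCP 445 to $account.file.core.windows.net is blocked" }

# Map the share with no -Credential: the logged-on user's Kerberos ticket from Azure AD DS
# is used, so the storage account key is never typed on this machine.
New-PSDrive -Name Z -PSProvider FileSystem -Root $unc -Persist | Out-Null

# Exercise the Contributor role: create, write, list (and delete would also succeed).
New-Item -Path 'Z:\test_folder' -ItemType Directory -Force | Out-Null
Set-Content -Path 'Z:\test_folder\hello.txt' -Value 'written via an Azure AD DS identity'
Get-ChildItem 'Z:\test_folder'

# Who the share sees you as, and what the NTFS layer on the new folder says.
# Share-level RBAC and NTFS permissions are both enforced; the role only opens the gate.
whoami
(Get-Acl 'Z:\test_folder').Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# Contributor cannot change NTFS permissions; that right belongs to Elevated Contributor.
# Expect the Set-Acl to be refused for a user who only holds the Contributor role.
try {
    $acl  = Get-Acl 'Z:\test_folder'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                'Everyone', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path 'Z:\test_folder' -AclObject $acl -ErrorAction Stop
    Write-Warning 'ACL change succeeded: this user holds more than the Contributor role'
} catch {
    Write-Host "ACL change refused as expected: $($_.Exception.Message)"
}
```

The final block is the useful check: if Set-Acl succeeds, the signed-in user is getting Elevated Contributor rights (or is a local administrator on the VM with the account key cached somewhere), which is worth knowing before handing the share to a wider group.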
Azure Files authentication with Azure Active Directory Domain Services has been successfully configured!