Update 1The article is currently being revised and in the next two weeks some improvements will be integrated.
In the past I had a lot of talks about Azure File Sync, a lightwight solutions to sync servers from different locations and branches via Azure Files. One often questions was, it is possible to use Azure Files directly with the integrated Active Directory authentication – The great answer since a few days is Yes, this is possible.
Now you can use Azure Files with On-Prem Active Directory authentication as a fully replacement for Fileservers. No need for Azure Active Directory Domain Services (Azure AD ADDS) or different settings on Azure Files. This gives great new ways to using Azure Files for Fileshares and to use Azure Files directly for WVD and coming closer to a cloud native solution or to a fully replacement for On-Prem Fileserver.
In this article I will explain how to configure AD authentication for Azure Files and list information about region availability some basic steps and more. Please feel free to use the comment section or Twitter to get in touch with me and gives me feedback about the article and the solution.
Right now the service is in public preview and since end of March the service is now available in all Azure regions.
To use Active Directory authentication for Azure Fileshares, there are some requirements:
- Existing Active Directory Domain Service (AD DS) on a Windows Server (doesn´t mean Azure AD DS)
- Identities used for access must be synced via Azure AD Connect to Azure AD
- Azure AD Tenant and the file share must be associate with the same subscription
- VM must be joined in the existing AD DS
- Use a region near by the VM from which you will access the Azure Fileshare (for best performance and lowest latency)
- Is only supported on machines newer then Windows 7 / WS2008R2 (EoL)
- Azure Files PowerShell Modul
- Needs Az module 2.0.0+ and Az.Storage 1.8.2-preview+
- The Client must be domainjoined to use the module
- The account must have permissions to create computer accounts or service accounts in the domain/OU
Keep in mind, it`s only possible to use one authentication provider for a Azure Fileshare – Azure AD Domain Services (Azure AD DS) or Active Directory (AD).
- Use separate Storage Accounts for Azure Fileshare AD authentication
- Create an own OU for Azure Fileshare AD authentication
For best practice it is useful to use separate Storage Accounts for Azure File AD authentication, because with activation the Fileshare will be a member of the the domain (this means in general the Storage Account join the domain).
Each Domain uses GPO to enable settings for each OU in the Domain. To avoid issues for Storage Accounts that will be member of the Domain, I recommend to create and use an separate OU for the Storage Accounts.
To use Azure Files with integrated SMB authentication, there are additional Powershell modules needed. This module are available for download at Azure Samples GitHub Page. Please use the latest one.
For a better management and separation, create a new OU for Storage Accounts.
Enable Azure Files for AD authentication
To enable Azure Files for AD authentication there are some steps needed.
- Unzip the downloadad Zip Archiv AzFilesHybrid.zip
- [Optional] Create an OU for the Storage Accounts
- Create a (separate) Storage Account in Azure
- Create a Azure file share in the Storage Account
- Start a evalated PowerShell Session with rights to create computer and service accounts in the domain on a domain member client
- Run the following powershell commands
- green = optional
- red = important
#Change the execution policy to unblock importing AzFilesHybrid.psm1 module
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Currentuser
#Navigate to where AzFilesHybrid is unzipped and stored and run to copy the files into your path .\CopyToPSPath.ps1
#Import AzFilesHybrid module
Import-Module -name AzFilesHybrid
#Login with an Azure AD credential that has either storage account owner or contributer RBAC assignment
#Select the target subscription for the current session Select-AzSubscription -SubscriptionId "<your-subscription-id-here>"
#Register the target storage account with your active directory environment under the target OU
join-AzStorageAccountForAuth -ResourceGroupName "<resource-group-name-here>" -Name "<storage-account-name-here>" -DomainAccountType "<ServiceLogonAccount|ComputerAccount>" -OrganizationUnitName "<ou-name-here>"
Here are an short code example:
join-AzStorageAccountForAuth -ResourceGroupName "Storage_rg" -Name "azfilesadauthsa" -DomainAccountType "ComputerAccount" -OrganizationalUnitName "AzFileShares"
When using the correct permissions the storage account will join the domain as an Computerobject|Serviceobject and the following message will shown.
Keep an eye on the OU that are indicated for joining and the result will be a new computer object with the name of the storage account.
With this steps the feature for AD authentication for Azure fileshares are enabled.
Now it´s useful to define the initial permissions from the Azure AD portal. This is explained in the article Why Azure AD RBAC roles are needed for Active Directory File share authentication.