If you use Azure Files, you are probably already aware that you can configure Active Directory Kerberos authentication to manage file and folder permissions (see https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview/).
Until now this required deploying Azure Active Directory Domain Services or having line-of-sight to on-premises Active Directory domain controllers.
Well, good news: it is now becoming easier thanks to the new Azure AD Kerberos authentication on Azure Files, meaning identities in Azure AD can mount and access Azure file shares without line-of-sight to an Active Directory domain controller.
This new capability for Azure Files is going to simplify deployments such as Azure Virtual Desktop with FSLogix profile containers.
NOTE: all supported authentication methods support only hybrid identities; cloud-only identities are still not supported.
Prerequisites
The Azure AD Kerberos functionality for hybrid identities is only available on the following operating systems:
- Windows 11 Enterprise single or multi-session
- Windows 10 Enterprise single or multi-session, versions 2004 or later with the latest cumulative updates installed, especially the KB5007253 – 2021-11 Cumulative Update Preview for Windows 10
- Windows Server 2022 with the latest cumulative updates installed, especially the KB5007254 – 2021-11 Cumulative Update Preview for Microsoft server operating system version 21H2
Azure AD Kerberos authentication for Azure Files is available in all Azure regions.
To enable this new authentication method on Azure Files, open the Azure portal (https://portal.azure.com/), go to the storage account hosting your Azure Files shares, and open the File shares blade, then the Active Directory setting.
In addition to the previous methods, you now have the option Azure AD Kerberos.
If you want to be able to use Windows Explorer to set file and folder permissions (so that on-premises SIDs can be resolved against your domain), you will need to provide:
- The domain name (DNS name)
- The domain GUID (use the Get-ADDomain PowerShell command)
Sample PowerShell to get both (requires the ActiveDirectory module from RSAT, run on a domain-joined machine):
# Query the domain the current machine is joined to
$domainInformation = Get-ADDomain
$domainInformation.ObjectGUID.ToString()   # domain GUID
$domainInformation.DnsRoot                 # domain DNS name
Once enabled, you will have to grant admin consent to the service principal that was created for the storage account in Azure AD.
Connect to your Azure AD portal (https://aad.portal.azure.com/) or the Entra portal (https://entra.microsoft.com), open the App registrations blade, switch the list view to All applications, and search for the service principal created for your storage account ([Storage Account] <your storage account>.file.core.windows.net).
Then open the API permissions blade and click Grant admin consent for <your tenant> to grant the permissions the application requests.
No additional permissions are required.
The final step before you are ready to use Azure AD Kerberos authentication on your Azure Files is to exclude this storage account application from any Conditional Access policy that requires MFA.
If MFA is still enforced for the storage account application, users will not be able to access the file share: Kerberos ticket acquisition over SMB has no way to prompt for or complete a multi-factor challenge, so the mount simply fails.
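The same configuration done from PowerShell, followed by the checks a practitioner would want before handing the share to users. This is an added example and not code from the original post; the resource group, storage account and share names are placeholders, and the Az.Storage parameter names and the AzureFilesIdentityBasedAuth property are assumed from the Az module (verify against your installed version). The admin consent and Conditional Access exclusion remain portal steps as described above.

```powershell
# Added example (not from the original post). Enables Azure AD Kerberos on a
# storage account, verifies the setting, then tests ticket acquisition and a
# mount from a hybrid-joined client. Needs the Az.Storage and ActiveDirectory
# (RSAT) modules. All three names below are placeholders (assumption).
$ResourceGroupName  = 'rg-files'      # assumption
$StorageAccountName = 'stfilesdemo'   # assumption
$ShareName          = 'profiles'      # assumption

# 1. Domain name and GUID, same Get-ADDomain call as in the article. Both are
#    needed so Windows Explorer can resolve on-premises SIDs in NTFS ACLs.
$domain     = Get-ADDomain
$domainName = $domain.DnsRoot
$domainGuid = $domain.ObjectGUID.ToString()

# 2. Enable Azure AD Kerberos: the PowerShell equivalent of picking
#    "Azure AD Kerberos" in the File shares > Active Directory blade.
#    Parameter names assumed from Az.Storage 4.x+.
Connect-AzAccount | Out-Null
Set-AzStorageAccount -ResourceGroupName $ResourceGroupName `
    -Name $StorageAccountName `
    -EnableAzureActiveDirectoryKerberosForFile $true `
    -ActiveDirectoryDomainName $domainName `
    -ActiveDirectoryDomainGuid $domainGuid | Out-Null

# 3. Verify: DirectoryServiceOptions should read AADKERB and the stored domain
#    properties should match what Get-ADDomain returned.
$account = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$idAuth  = $account.AzureFilesIdentityBasedAuth
if ($idAuth.DirectoryServiceOptions -ne 'AADKERB') {
    throw "Expected AADKERB, got '$($idAuth.DirectoryServiceOptions)'"
}
if ($idAuth.ActiveDirectoryProperties.DomainGuid -ne $domainGuid) {
    throw "Domain GUID on the storage account does not match Get-ADDomain"
}
"Azure AD Kerberos enabled for $StorageAccountName (domain $($idAuth.ActiveDirectoryProperties.DomainName))"

# 4. Client-side check. Run on a hybrid-joined Windows client as the hybrid
#    user, after admin consent has been granted on the storage account's
#    service principal and it has been excluded from MFA. `klist get` asks
#    for a Kerberos service ticket for the file endpoint; if this step fails
#    (for example because MFA is still required), no mount will work since SMB
#    cannot prompt for a second factor.
$endpoint = "$StorageAccountName.file.core.windows.net"
klist get "cifs/$endpoint"

# 5. Mount with that ticket; no storage account key is involved. A failure here
#    with a valid ticket present usually points at missing share-level RBAC
#    (e.g. Storage File Data SMB Share Contributor) or NTFS ACLs, not Kerberos.
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$endpoint\$ShareName" -Persist
Get-ChildItem Z:\
```

Step 4 is the useful diagnostic: a successful `klist get` with a failing mount separates an identity/Conditional Access problem from a share permission problem, which is the distinction the comments below are struggling with.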
Great article, thanks for posting. One question though – how can you connect to these files from on-prem servers that are domain joined and so have nothing to do with Azure AD? Presumably the only way is to use the storage key?
The idea is not to use the storage key; to authenticate with Kerberos from on-premises servers, you need to have the server object synchronized to AAD.
Thanks for the reply, but the objects are already being synchronized to AAD, and any on-prem servers or PCs can't connect.