
Azure Files AD Authentication Integration 

John Savill's Technical Training
34K views

In this video I walk through the new AD integrated authentication for Azure Files shares, enabling a seamless ACL experience for users via SMB with their regular Active Directory. Whiteboard overview, then a demonstration. Awesome stuff!

Category: Science

Published: 4 Aug 2024

Comments: 119
@michellegomez441 1 year ago
Loved the flow of this demo. You explained the theoretical and actual setup clearly.
@yulaw3289 3 months ago
Going through your list of videos about Azure one by one, I really get knocked out by how great they are. Many thanks, please keep the ball rolling for the sake of learners around the world.
@Geekier3001 3 years ago
As usual, super clear explanation with the whiteboard John. Excellent job!
@NTFAQGuy 3 years ago
Glad you liked it!
@notoriousft 2 years ago
Beautifully explained. That's what I need at work right now.
@Yuricsson01 1 year ago
Exceptional overview. Many thanks for it. Now I can see how it works.
@phoenixlevi270 3 years ago
So well explained as usual John!
@MoeinGhorshi 4 years ago
Finally, Files makes sense for Enterprise Use!
@richardwaldron1684 4 years ago
Thanks for this video, it complements your Pluralsight video on Azure Files very nicely.
@NTFAQGuy 4 years ago
Thank you.
@projectironman3597 2 years ago
Thanks for the very informative video John, well explained. Keep up the great work.
@NTFAQGuy 2 years ago
Thank you
@markdoyle3252 3 years ago
Brilliant video, very clear explanation.
@NTFAQGuy 3 years ago
Thank you
@markdoyle3252 3 years ago
@@NTFAQGuy Do you need line of sight to a domain controller when integrating AD DS? Is there a way to authenticate without having it?
@NTFAQGuy 3 years ago
@@markdoyle3252 The client using it does, yes, to get the Kerberos ticket. No, you can't do without AD as it's AD authentication. The storage account does NOT need line of sight.
@markdoyle3252 3 years ago
@@NTFAQGuy Great, thanks for getting back to me. And with AAD DS the client devices have to be joined to the AAD DS domain. So the only option for users accessing the Azure file service from a remote location without VPN is using the access keys?
@mikewillodea 4 years ago
It's a fantastic feature. Now if only I could get it working for my environment. My on-premises Active Directory is synced to Azure, but all users log in to Azure (Windows 10 Azure AD join) with a UPN enabled through Domains and Trusts. We require each user to give another credential for the primary domain to map drives to the file share. Surely logging in via a UPN should give you permission to the primary domain resource!! Aggghh
@nidi2234 3 years ago
Hi John. A little confused with this. Considering we have all users synced from different domains, should all users be able to authenticate to the file share that is domain joined to an Azure VM? Does the VM need to be domain joined to the on-premises domain?
@rajismiley8937 4 years ago
What I was really hoping to watch was how you can make the network share automatically point to the correct endpoint between an on-prem File Sync share and the serverless cloud endpoint seamlessly, like DFS does with namespaces. That would make Azure Files AMAZING.
@TheMowgus 4 years ago
Great content! Will be watching more of your videos. Our laptops are Intune Azure AD joined but users are on-prem AD joined and synced to Azure AD. I would think this should work (as the user principal remains the same) but do you see gotchas? The machines never talk to the domain controllers (and are, in fact, offsite).
@NTFAQGuy 4 years ago
No, that won't work: if they don't talk to domain controllers then they won't talk Kerberos. You would need to use the Azure AD integrated option for integration. Good luck.
@JohnBevan 4 years ago
Hey John, thank you for this video; it really helped me crack some issues that we were having with AD based permissions on Azure Files / get my head around how things fitted together. One question: do you know if Access Based Enumeration (i.e. the ability to hide content to which the user does not have access) exists in Azure Files? Thank you in advance.
@NTFAQGuy 4 years ago
No ABE today.
@megaa1c 4 years ago
Thanks John
@nathanpinotti 4 years ago
Hey, nice video! So am I going to be able to use a nested group strategy as I do in my on-premises env?
@NTFAQGuy 4 years ago
Same Kerberos token, so things will work the same :-)
@Stateoftheheart 3 years ago
Thank you John, stoked the functionality has finally arrived to use on-prem AD! Interested to know how old your Pluralsight training for AZ-103 is & if it's still relevant for studying towards AZ-104? According to Pluralsight's website it was updated June 23 2020, which doesn't make sense as this update on YouTube is from Feb.
@NTFAQGuy 3 years ago
The YouTube and Pluralsight are completely separate. The date on Pluralsight would be accurate.
@NTFAQGuy 3 years ago
There are some changes going on right now re courses, so not sure when it will be updated. Sorry.
@Stateoftheheart 3 years ago
@@NTFAQGuy Thanks John, sorry I got confused as I watched the Azure AD authentication PS video and just realized there is another for ADDS.
@alexnassar 4 years ago
Great video! Wondering if this is possible without AD Connect to Azure AD? With just Azure AD and Azure Active Directory Services?
@NTFAQGuy 4 years ago
Yes, that is the Azure AD integrated option. You can integrate either with AD or with Azure AD via AAD DS.
@bazookaman3 4 years ago
Great video, thank you John! I have a question though. The best practice for on-prem file shares was to grant Everyone Full Control at the "Share" level and then use ACLs at the folder/file level to secure your share. This way you only need to worry about one set of permissions. Can we still do something similar with this integration? Or will I have to manage two sets of permissions (Azure RBAC roles, and ACLs for folders/files)?
@NTFAQGuy 4 years ago
You can still do the same thing. RBAC using AAD at the share, and then the ACLs on the file/folder can be more restrictive.
@bazookaman3 4 years ago
@@NTFAQGuy Thanks. So would I just assign everyone the SMB Elevated Contributor role in RBAC? Would that be the same as the old "Full Control" share permission? One area where I'm getting hung up is the root folder NTFS permissions. Am I able to change that with an Azure file share? For instance, assign NTFS read-only permissions at the root folder level, to stop people from creating top-level folders.
@NTFAQGuy 4 years ago
BazookaMan3 Right, that would be equivalent to the full control on the share. Read docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable which goes through the root permissions.
@bproducer 3 years ago
Hi John, great video. Can an on-premises end user connect SMB 3.0 over the internet to the public endpoint of the Azure file share, or does it require a private endpoint with ExpressRoute/VPN? Thanks
@NTFAQGuy 3 years ago
With SMB 3 yes, as it has encryption, but it does require corp firewalls to allow it, which is not likely, hence VPN etc. likely required.
@Timmy-Hi5 4 years ago
/me thinks John is very very very excited about this new Azure service, looks very interesting.
@NTFAQGuy 4 years ago
lol
@NTFAQGuy 4 years ago
Been waiting a LONG time for this!
@Timmy-Hi5 4 years ago
@@NTFAQGuy yes :) let's see if customers will adopt it; the USA region could be more cooperative. As you know the UK is quite conservative when it comes to anything new.... "don't touch it if it works" :) :) :) one of the everyday conversations I have with my boss, nightmare
@thomasodellbalkestahl1956 4 years ago
Any scenario where this can be used without the 'classic' AD and only an AAD?
@NTFAQGuy 4 years ago
You would use the hybrid where it creates an AAD DS instance based on AAD. AD is always in the picture somewhere :)
@DP-fr1yw 3 years ago
Hi John, I'm a bit stuck on a POC deployment for a customer here. Hope you can help me with it. I set up an AD DS with AD Connect on it for the AD auth. Created a storage account with a file share on it, enabled AD auth the correct way. Synced some security groups so I can decide the share-level permissions through RBAC. So all of the above worked correctly and I can map the file share as a network drive on domain-joined laptops etc. I mapped the file share with super user permissions on my test AD and tried to modify the NTFS rights to get it how we wish. So I made a user a member of the SMB Contributor group, and I made a security group in AD called ReadOnly where I also made the same user a member. I put the ReadOnly security group on a folder in the share, so I expected that for the user I just made a member of the SG & SMB Contributor group the most restricted permissions would win. But they actually don't; the user can still edit everything. Is there something that I missed maybe?
@NTFAQGuy 3 years ago
In ARM the permissions are cumulative. If you give someone read and then in another assignment give them write, they will have write. If you are saying that on a folder on NTFS directly you set the user with read-only permissions, then yes, in that folder they should only be able to read if it's set up correctly.
@tony6626 3 years ago
Great video as always John. Can I confirm, for customers with cloud-only solutions (using Azure AD for identities), does this mean we would have to set up Azure ADDS (i.e. we could use the Azure AD already in place)?
@NTFAQGuy 3 years ago
You don't need AADDS unless you have some requirement on legacy auth like Kerberos or NTLM by an app. If you're all modern then just have AAD.
@tony6626 3 years ago
@@NTFAQGuy Many thanks John. I think this is where my confusion lies; all the MS documents point towards having to have AADDS for the tenant (or on-prem ADDS). I can't find anything that states/shows how you achieve ACLs on a file share with Azure AD.
@NTFAQGuy 3 years ago
Sorry, I didn't put the comment with the video :) OK, if you want Azure Files ACLs then yes, you either need AADDS or regular ADDS, sorry. There are two flavors available. If you don't have ADDS today then AADDS would be the way to go.
@NTFAQGuy 3 years ago
The way YouTube shows comments on the dashboard, I didn't map the question to the video. My bad :)
@tony6626 3 years ago
@@NTFAQGuy Thanks John, keep up the great work on the videos, awesome stuff.
@MoeinGhorshi 4 years ago
When I search a mounted share, where does the search happen? If your local site goes down, does the authentication still happen across Azure for remote users?
@NTFAQGuy 4 years ago
Do you mean if AD is unavailable? If AD is unavailable you won't be able to get a Kerberos ticket, so you won't have permissions on files/folders.
@benp89bp 3 years ago
When you use net use to connect to the share in this instance, do you need to authenticate with your AD account or with the storage account key like you do natively?
@NTFAQGuy 3 years ago
AD account. That is the whole point of this setup.
@jamesgannon8427 4 years ago
If you were to remove the on-prem AD, would this model still work for AAD joined Win10 PCs?
@NTFAQGuy 4 years ago
No, but you could use the AAD integration Azure Files model.
@donniejohnson6511 4 years ago
Can an Azure file share be a DFS target? I know Azure File Sync is an option, but I was wondering if we could point the DFS link directly to the Azure share.
@NTFAQGuy 4 years ago
I don't see why not; however, if you use AD sites for proximity that wouldn't work. I'd have to test that :)
@bk6141 3 years ago
Hi John, great video! I set up a file share and added it to File Sync with on-prem; however, files/folders created directly on the storage account do not sync to the on-prem share. Is this normal? Is it possible to have a two-way sync? Any advice is highly appreciated. Thank you again.
@NTFAQGuy 3 years ago
Give it time; they should sync, but it takes a while for the files to be seen by the engine.
@sateg 3 years ago
Hello John, thanks for the great video! I have file servers & AD DS on-premises, and would like to migrate some file servers into Azure Files. Will it be enough to extend AD DS into Azure by installing an IaaS VM DC (and replicating with on-prem DCs) + use the trick with the computer account as you described? I am asking whether I really need to configure AAD Connect and synchronize objects from AD DS to AAD. What will we lose if there is no AD Connect?
@NTFAQGuy 3 years ago
No, you have to have AAD syncing from AD so AAD has the objects, or you have no way to give RBAC to the share for a user.
@sateg 3 years ago
@@NTFAQGuy thanks a lot, you are right
@alexpetrenko5952 3 years ago
Hi, a very useful feature. Probably I missed that, but does it require that the user account is synchronized to Azure AD to get access?
@NTFAQGuy 3 years ago
Yes for share iac
@Danijam2 3 years ago
Hi John, is there an option I'm missing where we can authenticate to the share using SMB and just AAD? I.e. we don't have AADDS or on-premises domain controllers. For example, say I just have an AAD registered device (not domain joined) and an AAD user cloud-only account. Could that user and device mount the share without needing to use the access keys?
@NTFAQGuy 3 years ago
Not with file-level ACLs. It has to integrate with AD for file/folder ACLs.
@Danijam2 3 years ago
@@NTFAQGuy Thanks John!
@Rybek 3 years ago
Hi John. Thanks for the great video, but can you clarify something for me please. If we are using File Sync replication to Azure and we want to use replicated enforced ACLs in Azure from on-premises (go serverless), in a scenario when on-premises is not available, do we need to replicate all groups that are related to the ACLs to the cloud (locally users are added to groups and based on that they have access to certain folders), or are user accounts with password synchronisation enough? Is the local computer account needed if password hash synchronisation is enabled? What we want to have is replication of local shares to the cloud and to be able to access those shares with the same ACLs and uninterrupted authentication to all subdirectories in a DR scenario when on-premises is not available.
@NTFAQGuy 3 years ago
It has to access AD to enforce the ACLs. If on-premises was not available, you'll need DCs somewhere the clients can get to for a token.
@Rybek 3 years ago
@@NTFAQGuy So ACLs are only enforced when on-premises is available O_o? I thought that they are replicated, and when you have password hash replication for users that are synchronised, with maybe group synchronisation, Azure AD would take control of authentication and authorisation to shares and local AD would not take any part. So I'm still dependent on on-premises if I want to use the same ACLs, in short? There is no way to do a replica via Azure File Sync and access the mapping to the cloud without disruption, with the same ACLs working, when on-premises is offline?
@NTFAQGuy 3 years ago
@@Rybek Put DCs in the cloud and enable user access to them. It's AD integrated auth; you need AD to give the token, as I said.
@Rybek 3 years ago
@@NTFAQGuy OK, thanks for all the info :)
@Rybek 3 years ago
@@NTFAQGuy I'm trying right now to map a resource that was replicated to Azure File Shares (storage account) via Azure File Sync to a computer joined to local AD, with ACL enforcement from ADDS. I want to be able to map those resources with ACL enforcement but not rely on local on-prem authentication. This is for a DR scenario. I deployed Azure Active Directory Domain Services, enabled "Identity-based access for file shares", and added users synced via Azure AD Connect to the Storage File Data SMB Share Contributor role. All security groups from local AD that are responsible for access to specific directories are also synced. Mapping is working with ACL enforcement on a computer joined to ADDS but not working for a computer joined to local AD. I suspect that this computer needs to have access to the ADDS subnet to utilise Kerberos and LDAP, so I'm considering a VPN to Azure. I'm guessing that the subnet and vnet that the computer will be allocated will also need to have a route to the ADDS subnet. Am I missing something? Will that be enough? I want to avoid rejoining the computer from local on-prem Active Directory to AADDS, and I understand that I don't need to add the Azure storage account to on-prem because in this situation authentication will be done by local AD, and when it is not available ACL enforcement will not work, so we don't want this step in the process, right?
@deepakrajput0071 4 years ago
Amazing stuff. As an alternative, can't we use SharePoint Online? SharePoint will take care of the required permissions and also provides ways to map your drive to a document library (I believe it uses WebDAV for that).
@NTFAQGuy 4 years ago
Certainly you can use SharePoint/OneDrive for Business as another mechanism and even sync O4B to the desktop.
@rohanofelvenpower5566 2 years ago
cheers
@Stateoftheheart 3 years ago
Hi John, many companies are using SharePoint Online to store documents. I would like to know what the difference is between storing files in SharePoint Online vs Azure Files & the pros & cons of each. I'm battling to find anything online that explains this well.
@NTFAQGuy 3 years ago
Azure Files is ultimately just an SMB share, whereas SharePoint is a complete collaboration platform with rights management, co-authoring and much more.
@NTFAQGuy 3 years ago
Also think about sharing. I can external share with SharePoint Online etc.
@Stateoftheheart 3 years ago
@@NTFAQGuy Thanks John, that is helpful!
@robb1267 4 years ago
This is great for remote workers on their domain-joined machines so they don't have to VPN in to get access to a file server. But for on-prem users, isn't using Azure File Sync (with recent data cached locally) still a more efficient method? Otherwise, all on-prem users have to traverse the WAN to Azure to access the files.
@jansalisbury1189 4 years ago
I believe that they do still have to VPN into the on-prem AD for authentication. So for me, it's not quite the game-changer we're looking for. Don't get me wrong, turning file servers off is a big step forward, but what we really need is for this to work without a VPN. That would be the game-changer for me. What do you think John?
@kauffmann101 4 years ago
Or by adopting Azure AD Domain Services, so it is able to use AFS without VPN
@toffitomek 3 years ago
Do you know if there is any chance to allow Azure AD joined devices to authenticate to Azure Files...? That would be the perfect server-less option, fully in the cloud ;)
@NTFAQGuy 3 years ago
You have to have AD in there somewhere. Either AADDS or ADDS.
@Rybek 3 years ago
In relation to roles in IAM, I understand that you need for example "Storage File Data SMB Share Contributor" to manage NTFS permissions, but for normal user access that just reads, is the normal "Contributor" enough if he will not be editing permissions but creating new folders etc.?
@NTFAQGuy 3 years ago
IAM for Azure Files is about the share access only; NTFS drives what you can do on the actual file system.
@Rybek 3 years ago
@@NTFAQGuy I understand, but if the users don't need to right-click on files and edit permissions but just access them, then from what I understand they don't need to use this "Storage File Data SMB Share Contributor". Is this group only required for admins and managers that do operations on files? Or do they actually need to be in this group to be able to create and delete folders and files, because in the end those are SMB operations?
@NTFAQGuy 3 years ago
@@Rybek There are multiple share roles based on what the user needs at share level. Suggest you read the docs.
@fabriciomattos16 4 years ago
I want to unjoin a storage account I joined to my local Active Directory. Whenever I attempt it, I receive the following message: "An operation is currently performing on this storage account that requires exclusive access." What should I do???
@NTFAQGuy 4 years ago
Not seen that error. Make sure you are owner or contributor on the storage account.
@BusinessITSolutions 3 years ago
Hi John, I have a customer with 600 Windows 10 laptops. All users log in to the Windows 10 machine using the Azure AD (M365) login. All devices are also managed by Intune and Azure AD joined. They have never had onsite AD; everything is serverless. We spun up Azure Files but can't get Azure AD DS to authenticate. All Microsoft documentation keeps talking about computers needing to be domain joined. Am I doing something wrong here, and if we take a step back, how do I use Azure Files with 600 Windows 10 devices that are Azure AD domain joined and managed by Intune?
@NTFAQGuy 3 years ago
This is for AD domain joined, which you are not, so this won't work. Azure AD is not the same as AD. There is an Azure AD joined alternative which may work, or if you are all modern, something like OneDrive and SharePoint may be a better fit.
@BusinessITSolutions 3 years ago
@@NTFAQGuy Thank you John, we are currently on OneDrive/SharePoint but this is a large non-tech-savvy workforce and OneDrive is not an option. So many issues between files not syncing, file upload fails, having to reset OneDrive, they forget to check that OneDrive is actually syncing, etc.
@NTFAQGuy 3 years ago
@@BusinessITSolutions Hmmm, well there is an Azure AD Azure Files integration, but it's not as friendly as the AD integration; it may be your only choice though.
@midnightwatchman1 3 years ago
Is the word "acls" a thing? I thought it was ACLs. I was wondering initially when I first heard it.
@NTFAQGuy 3 years ago
Same
3 years ago
For tiny companies (
@NTFAQGuy 3 years ago
Many companies bigger than that as well :-)
@cpgixxer 4 years ago
Hey John, great vid. Can you post the link to the ps1 download in the comments so we know where the script is? Thanks
@NTFAQGuy 4 years ago
This is probably the best link for the code: docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable. Good luck!
@cpgixxer 4 years ago
@@NTFAQGuy thank you so much, working on this tomorrow!
@cpgixxer 4 years ago
join-AzStorageAccountForAuth -ResourceGroupName "RG" -StorageAccountName "shares" -Domain "internaldomain" -OrganizationalUnitDistinguishedName "OU=AzureShare,DC=domain,DC=ca"
@NTFAQGuy 4 years ago
@@cpgixxer If you want my script, it's on my repo at github.com/johnthebrit/RandomStuff/tree/master/AzureFilesADIntegration, but that MS doc is the full command set and what I used to create my mini version.
@cpgixxer 4 years ago
@@NTFAQGuy I'm home free now. I ran it and it created the account in AD. Thanks for all the help!
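The thread above asks where the join script lives, and earlier threads ask how the share-level RBAC role and the root-folder NTFS ACL fit together. The following is an added PowerShell walkthrough of that layering (not John's script and not from the MS doc page; it uses the AzFilesHybrid and Az cmdlets those reference). Resource group, account, share, OU, domain and group names are placeholders.

```powershell
# Placeholders: replace with your own environment before running.
$ResourceGroup  = "rg-files-demo"                       # assumed resource group
$StorageAccount = "stfilesdemo"                         # assumed storage account (v2 is fine)
$ShareName      = "dept-share"                          # assumed file share
$OuDn           = "OU=AzureShare,DC=corp,DC=example"    # assumed OU for the computer object
$Domain         = "CORP"                                # assumed NetBIOS name of the AD domain
$GroupSam       = "FS-Finance-Users"                    # assumed AD group, synced to Azure AD by AD Connect

# 1. Register the storage account in AD as a computer account. Needs the AzFilesHybrid
#    module installed (CopyToPSPath.ps1 from the MS doc) plus AD and Az rights.
Import-Module -Name AzFilesHybrid
Connect-AzAccount | Out-Null
Join-AzStorageAccountForAuth `
    -ResourceGroupName $ResourceGroup `
    -StorageAccountName $StorageAccount `
    -DomainAccountType "ComputerAccount" `
    -OrganizationalUnitDistinguishedName $OuDn

# 2. Verify the join and the Kerberos setup before granting anyone access.
Debug-AzStorageAccountAuth -StorageAccountName $StorageAccount `
    -ResourceGroupName $ResourceGroup -Verbose

# 3. Share-level access is Azure RBAC scoped to the file share. RBAC assignments are
#    additive (read + write elsewhere = write), so grant the lowest role the group needs;
#    the group must exist in Azure AD, which is why AD Connect sync is required.
$AccountId  = (Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount).Id
$ShareScope = "$AccountId/fileServices/default/fileshares/$ShareName"
$Group      = Get-AzADGroup -DisplayName $GroupSam
New-AzRoleAssignment -ObjectId $Group.Id `
    -RoleDefinitionName "Storage File Data SMB Share Contributor" `
    -Scope $ShareScope

# 4. NTFS ACLs are set once over a superuser mount made with the storage account key.
#    The key bypasses every ACL, so it is used only here by the admin and never given to users.
$Key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount)[0].Value
net use Z: "\\$($StorageAccount).file.core.windows.net\$ShareName" "/user:Azure\$StorageAccount" $Key

# Root: drop the broad Authenticated Users entry if present and give the group read/traverse
# only, so members cannot create top-level folders. Subfolder: modify, inherited downwards.
icacls Z:\ /remove:g "NT AUTHORITY\Authenticated Users"
icacls Z:\ /grant "$Domain\$($GroupSam):(RX)"
New-Item -ItemType Directory -Path "Z:\Finance" -Force | Out-Null
icacls Z:\Finance /grant "$Domain\$($GroupSam):(OI)(CI)(M)"
icacls Z:\ ; icacls Z:\Finance        # review the effective entries before unmounting

net use Z: /delete
```

A domain-joined client then maps the share with its Kerberos ticket (no key) and can write under Finance but not at the root; if RBAC was just assigned, allow time for it to propagate before testing.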
@msobhy95 3 years ago
Hi John, very nice video. Could you please copy the script to join AzStorageAccount to AD here?
@NTFAQGuy 3 years ago
The code was all based on the MS KB article to set that up.
@papixmedia8107 4 years ago
Just in case someone is trying it on general storage v2, it will not work on that. Use a general storage v1 storage account.
@NTFAQGuy 4 years ago
I used storage v2. It should work with v2; not sure what error you got. Please post.
@nrohyarts 4 years ago
Nice video... question though. I set this up in a lab and despite all my efforts am getting an error "The password is invalid for \\file.core.windows.net\". I have triple-checked settings, verified accounts have synced, run the diags, and all looks OK. But logging in to an AD computer with a user with RBAC roles and NTFS permissions set and trying to mount a drive to the share, I get this error. Any pointers?
@NTFAQGuy 4 years ago
And you have used RBAC on Azure Files as well, right? Try passing the username via net use as well.
@nrohyarts 4 years ago
John Savill I think RBAC changes take a while; after about an hour this magically started to work. The only thing I can attribute it to is something on the Azure backplane settling.