Azure Files SMB Access with Windows AD 

Great video Travis, very well done video. Your cadence and thoughtful presentations make configuring these services a snap.

man, I am starting my journey in IT and I just started on july this year with Azure, so I have a lot to learn, I want to thank you and encourage to keep up this awesome job because it's very valuable to some of us

My Company has just started using Azure and I have gone through some of your videos. I can`t thank you enough for making these videos. they are the best, very helpful and very educational

Travis, you are a legend. Cant be explained in any better way.

ohh MY Thanks... been looking on microsoft articles for a looong time but this made great sense and worked like a charm .. thanks.

This is an excellent walk thru to get Azure Storage Account join to Domain and use it as SMB file share. Thank you very much.

Awesome video Travis! This was super clear and straightforward and worked. This is helping me build out my test environment before I go live later this year! A++++

Thank You.. Your Videos are great.. i have been looking for this.. Your video explains it very clearly.

Espectacular video, muchas gracias Travis nuevamente.

Amazing video, many thanks for your share !

Thank you so much!!! That video helped a lot =)

Thank you very much. You saved me. Good job!!

Thx, great video!

This is awesome Travis thank you so much. Just a quick one can we have DFS management pointing to the storage location directly . Or to use DFS we will need to use File Server Sync

Hello Travis, Thank you for the very good video! Should the serviceLogonAccount 'cirfiletest01' be synchronized with Azure AD? In short, does service account hybrid identity or Windows AD only ? Thank you

Would you recommend using a File Share over an attached VHD? Price is no object. Speed is. So, I guess, which is fastest? - just to delve a tad deeper, would either be good enough for housing a database file that is constantly in use such as QuickBooks. Or would that type of DB file be better being on the same VHD as the OS on the VM? Great Videos by the way! Mostly interested in Azure.

Great Video!

Have always loved your videos my man. First time posting a question here. What is a solution in Azure or Windows to auto-deploy and Azure File Share to Windows VMs as a drive letter? I have tried using the PowerShell connect script to run on startup via GPO but have been unsuccessful. Thanks!

Travis that was awesome and how can we map the File Share on the client's workstations via the group policy?

Thanks Travis. Does this setup work as well for azure AD connected users who aren't sitting in the vnet?

If you have a hybrid setup, can you set up AADDS for a specific domain and use the SMB file share the way you would with "cloud only" setup and sort of ignore the fact that you have a hybrid setup? I ask because the users accessing wvd would be AAD created users, not synced from AD connect.... thanks in advance

Hi, thanks for the video. I'm currently trying to implement Azure File Share as file server within our on prem AD. I can successfully mount the share as a network drive like what you did in this video, but what we are trying to do is to map different folders from the file share as mapped drives automatically through Group Policy Objects. So different departments will see their own 'work drives' mounted on their laptop/workstation automatically. Can you advise what's the proper way to do so? Thanks.

Thanks. Do you have a video to what would be the best way to setup a fileserver on azure for sensitive information like a lawyer office or broker

Hi Travis! I just followed your instructions. One thing I noticed is that the administrator can’t set/edit permissions past 2nd level of folders. any thoughts on how to fix this?

My scenario was a bit different to this one - we already have AD DS setup on VMs in Azure, so can't have hybrid accounts (neither would we want to because it would clutter our Azure users up with AD users). The alternate method was to apply share level access for everyone, which is again done with yet more Powershell script.

Hey Travis. How does this work with mounting via P2S VPN?

How Can I use the old folder level securities from on-premises AD to new Azure file share folders?

Can you mount file share to a non-domain computer using active directory(Not using Acces Key)? or at least by entering the file share UNC on the non-domain computer, and supply a username and password?

amazing

Thank you for the great video but I am facing an issue with Join domain command, after I run it, I receive following error: ensure-kerb key exists : caught exception: an operation is currently performing on this storage account that requires exclusive access. Can you help?

This was very helpful, but some things I found making this work after 20 hours: 1) you have to disable Azure AD DS, which means your on-prem users can access the data but your cloud users can't. 2) I had to do this on an on-prem server, not a cloud server 3) I had to make the user account performing operation an owner of the entire cloud subscription 4) I had to use ServiceLogonAccount and not ComputerAccount 5) I had to use the full distinguished OU name 6) there is a 15 character limit on the name of your Storage Account Bottom line, if you want both on-prem and Azure cloud users to have access to your Storage Account data, this is not the way to do it. I'm told I have to make an Azure File Sync server. So, maybe that will work for you.

Great video, i have a question for you. Can a synchronized user on an azure ad joinded device access Azure File share ?

Great video and thanks for sharing but one thing that I feel a lot of videos if not, all videos overlook is mounting this for any user that connects to the VM. How can I have it so the drive is mapped for all users? I don’t want to manually mount the drive per user.

Does it work over AT&T UVerse?

Well can you use Group Policy to Map for users instead of NET USE? Can you not add a drive letter and assign the path similar to how we do regular files share?

Hello Travis, I am a Beginner in azure, and I have a big question, I need to enable Azure flies or Storage Sync with AD authentication (on primises), but I need to limit access to the administrators of my domain in on primeses, is it possible to do that?

What would happen if I need a service account connect to that Azure File?

I'm trying to figure out how to implement this for a client that wants to completely do away with their on-premises AD domain. Absolutely nothing in it is of use anymore except the data. They do not currently use Azure AD DS, just Azure AD (Office 365). ALL laptops are Azure AD domain joined (when they login to the PC, they use their full email address). My goal is to move their files from their server into an Azure File Share and have them map a drive to this File Share using what they currently have in place, a laptop that is Azure AD joined and logging in with their Azure AD account (their email address). Do we have to leave their on-premises AD domain in place? Do I have to implement Azure AD DS too? Again, they have local AD domain, which we just want to throw in the trash. They have Azure AD (Office 365) in place for several years now. They do not have Azure AD DS. Creating the File Share and mapping it as the Super User is really easy. Assigning the proper account that can modify the permissions to that folder, not so much. And to add the ability for a normal user to open any files/add any files in it, even harder.

Did you have a procedure for configuring a MFP device to Scan to SMB on a Azure Share Folder?

Hi Travis, great video. I just have a question. The part where you run the command: $StorageAccount.AzureFilesIdentityBasedAuth.DirectoryServiceOption. The result you get is "AD". When I run it I don't get AD, just empty. I am pretty sure I did everything by the book. Where do I have to look at? Best regards, Ron

Can we sync between windows server wrokgroup with azure? thx

Travis, one thing I don't quite get: Consider my on-prem file server, I have a structure of folders which I granted permissions to many users and groups, inside one of those folders I create a new folder called "Private" which I block inheritance and only grant permissions to 3 x managers users (for example). How would this work in Azure files since the permissions are set on the Share in Azure RBAC? hope this makes sense... :/

Great Video! Thank a lot Travis. However, I have follow your steps but finally struck at when login with an AD users and try to mounting storage map drive letter. I got the NET USE command always prompt require the username and password? But in your video I don't see you have enter any credentail ( minute 22:46). Can you advise on this?

i'm trying to configure the File share from the scratch. we don't have any on premises AD . We installed only ADDS in Azure. Travis can you help me out in this. pls Send me the Step by step guide or video that help me. it will be a very grateful help. As i'm new to azure.

Thanks Travis, Does the DC need to be on the same Azure VNet or will it work if left on Premise?

About 17:09 - Configure NTFS access What is the purpose of adding role assignments through Access Control (IAM) if you can apply NTFS permissions from a Windows computer?

Hey, when i do this, i get Assert-IsNativeAD : The cmdlet is stopped due to the storage account '' having the DirectoryServiceOptions value: 'None'. The DirectoryServiceOptions for the account needs to be 'AD' in order to run the cmdlet. what could be going wrong here?

Can you do this if your device is Ad Registered and not hybrid/ad join?

Great video -- a question about SMB Perms , can i assign perms to Azure AD user (not synced from on-Prem AD DS) ?

does the machine have to be joined to a domain? or can we simply have line-of-site to a domain controller? or neither? We have a mix of azure ad only and hybrid azure ad machines...

cool stuff, but does ntfs permissions style require an on-premises Windows DC in Azure?

So the only account that requires AD Synch is the service account for the replication? Do the end users all have to be AD Synch'd from AD DS to Azure AD?

can this be achieved without Azure AD DS?

Great video. Has anyone experienced issues with NTFS permissions. When I set Owner permissions at the top level and enable inheritance. The ownerr permissions get overwrtitten each time a user creates a file or folder.

How connect with phisical devices out of domain? when i try this i get error 86 network password, can you help me? greetings from mexico

Hi, Thank you for this amazing video! And what if i want to decomission my file server after doing these steps? is it possible?? The users that they access to the file server on premise will still able to access to azure file Share?

Hi Travis, I am getting this error! Please need some help to figure it out. System error 5 has occurred. Access is denied.

Travis, Is it possible to enable File Locks? The behavior I'm seeing is: Test User 1 with Contributor: Opens file, makes edits Test User 2 with Contributor: Opens file right after Test User 1, also makes edits Test User 1: Finishes edits, saves file. Test User 2: Finishes editing after Test User 1, saves file. The modifications from Test User 2 now overwrite any changes Test User 1 made. Is this behavior expected or do I have a configuration issue?

The net use command at the end fails. It would also help people to know they need to update powershell and have dotnet4.7.2 or newer as prereqs.

Can you do a 2023 version of this video???

Can we use this feature for non federated domains?

So, does this actually require your AD account be sync'd to AAD? Suppose I have two AD domains, no trust relationship between them. Domain A is replicated to AAD, and is the AAD I use to log into the Azure portal. Domain B is running solely on VMs inside the Azure environment. Could I run this command on a VM on Domain B logged into that VM as a domain admin on Domain B, but when I run Connect-AzAccount, I log in with my global administrator for Domain A in AAD? Would that get everything connected appropriately? And second question, how does the storage account talk to the domain controllers? You don't set a Vnet for a storage account, is there some proxying going on via the machine you ran this command on?

Great stuff… would be great if you did a video on setting up Azure for collaboration with anything on-premises. I am currently trying to set up a VPN with AAD, Kerberos and a file share. Despite this being described in the documentation in a step by step guide, as entirely possible. I.e. there is nothing in the prerequisites mention a VM or an on-site AD server etc. Microsoft have been unable to deliver. So far I’ve been told it’s possible, not possible, only possible if I use AADDS, that didn’t work… one “lead tech” told me the solution was to get all users connected with the admin connection. Not recommended by Microsoft, another told me I had to set up onsite AD, another that we’d all need virtual machines (again no mention of VMs in the prerequisites)… it’s a nightmare lol the story changes every day. A well produced independent video on setting up azure for collaboration between associates, nothing on premises, simple vpn, no public access, vms etc. and a properly manageable file share (I.e full permissions functionality)… would be brilliant.

Great Video Travis. Thank you!!!!!!!! Maybe you or someone else can advise me on an error I get when I try to join one of my storages to AD DS. The objective is to have storage accounts on a WVD environment that I am creating and be able to apply Group Policies to those users from my DC. - My environment is in Azure. - I have a VM and is my DC as well. - I run the AD Connect on that VM and all the users are synced with my Azure Active Directory except the build in user which is an admin and is the same user (Administrator) that I had to create when I created that VM. So what I did I created that user on my Azure AD manually, BUT is not synced. So, when I ran the script to join the storage account to the AD DS everything went fine with only one failed. Here is what I get: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Name Result ---- ------ CheckADObjectPasswordIsCorrect Passed CheckADObject Passed CheckDomainJoined Passed CheckPort445Connectivity Passed CheckSidHasAadUser Failed CheckGetKerberosTicket Passed CheckStorageAccountDomainJoined Passed Skipped Issues found: ---- CheckSidHasAadUser ---- No Azure Active Directory user exists with OnPremisesSecurityIdentifier of the currently logged on user's SID (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx). This means that the AD user object has not synced to the AAD corresponding to the storage account. Mounting to Azure Files using Active Directory authentication is not supported for AD users who have not been synced to AAD. 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 However, the storage account got connected to my VM Domain Controller and I see the storage account name as a computer under the OU but I know that there is an issue. I also understand that the user that ran the script must be full in sync with the DC. So, I created another user on my VM and I gave him admin rights and that user was synced with my Azure AD. I went ahead and ran the same script again under that new Admin user account and I got this error now. Worst than before. Here it is: 000000000000000000000000000000000000000000000000000000000000000000000000000 Account SubscriptionName TenantId Environment ------- ---------------- -------- ----------- xxxxxx@yyyyyyyy.com Microsoft Azure xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx AzureCloud Name : Microsoft Partner Network (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx) - xxxxxxxxxxxxxxxxxxxxxxxxxxxx - xxxxxx@yyyyyyyy.com Account : xxxxxx@yyyyyyyy.com Environment : AzureCloud Subscription : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Tenant : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx TokenCache : Microsoft.Azure.Commands.Common.Authentication.Core.ProtectedFileTokenCache VersionProfile : ExtendedProperties : {} New-ADAccountForStorageAccount : Unable to create AD object. Please check that you have permission to create an identity of type ComputerAccount in Active Directory location path 'OU=VASILIOSB,OU=CLIENTS,DC=AZUREWVD,DC=LOCAL' for the storage account 'vasiliossa' At C:\Users\portaladmin\Documents\WindowsPowerShell\Modules\AzFilesHybrid\0.2.2.0\AzFilesHybrid.psm1:4266 char:37 + ... eOverride = New-ADAccountForStorageAccount @newParams -ErrorAction St ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,New-ADAccountForStorageAccount PS C:\Users\portaladmin\Desktop> 000000000000000000000000000000000000000000000000000000000000000000000000000000 I will appreciate any help. Thank you, Ioannis

Hello, Thanks for this video, I want to connect SMB file share with access key using API is that possible? I have user docs.microsoft.com/en-us/rest/api/storageservices/get-file this API for getting file and folder on my SMB file share. I have done this using a shared access signature. but I want to do this using the access key. How I can call the API using the access key

Thanks Travis. Your t shirt is far too big for you mate.

Hi I get the following at Join-AzStorage ...Note I am using an on prem dc linked to azure via a S2S. No DC in the cloud yet. PS C:\temp\AzFilesHybrid> Join-AzStorageAccountForAuth ` -ResourceGroupName $ResourceGroupName ` -Name $StorageAccountName ` -DomainAccountType "ServiceLogonAccount" ` -OrganizationalUnitDistinguishedName "OU=AzureFileShare,DC=****,DC=local" WARNING: Parameter -DomainAccountType is 'ServiceLogonAccount', which will not be supported AES256 encryption for Kerberos ti ckets. Get-AzResourceGroup : 17:08:27 - Provided resource group does not exist. At C:\Users\administrator.****\Documents\WindowsPowerShell\Modules\AzFilesHybrid\0.2.3.0\AzFilesHybrid.psm1:2060 char:32 + ... $resourceGroupObject = Get-AzResourceGroup -Name $ResourceGroupName

Hi, can you tell me. At server files/data are kept encrypted at rest.