We have configured an Azure File Share which is synchronised with our onprem file server (ADDS) and integrated with our private dns. My question is now AD integration is in place and NTFS/Share permissions are there, are we able to remove the onprem AD storage account object synchronising to our Entra tenant as part of our cyber best practice?

Hello Ben, Welcome to MS Q&A Yes, after the Active Directory (AD) integration and once the NTFS/Share permissions are properly configured, you can remove the on-premises AD storage account object that is synchronizing to the Microsoft Entra tenant. However, ensure that all necessary permissions and access configurations are in place before doing so to avoid any disruption in access. References: Configure a cloud trust between on premises AD DS and Microsoft Entra ID for accessing Azure Files Preparing users and groups for Azure Information Protection Please let us know if any questions Kindly accept answer if it helps Thanks, Deepanshu

Can I remove AD azure file storage system account syncronising to Entra

Accepted answer

Deepanshu katara 12,635 Reputation points

2024-12-19T13:03:57.18+00:00
Hello Ben, Welcome to MS Q&A

Yes, after the Active Directory (AD) integration and once the NTFS/Share permissions are properly configured, you can remove the on-premises AD storage account object that is synchronizing to the Microsoft Entra tenant. However, ensure that all necessary permissions and access configurations are in place before doing so to avoid any disruption in access.

References:

Configure a cloud trust between on premises AD DS and Microsoft Entra ID for accessing Azure Files

Preparing users and groups for Azure Information Protection

Please let us know if any questions

Kindly accept answer if it helps

Thanks,

Deepanshu
Please sign in to rate this answer.

1 person found this answer helpful.
Ben Slade 20 Reputation points

2024-12-19T14:37:08.27+00:00

Thankyou for clarifying Deepanshu, I understand that this would need to be done after all permissions have been finalised.

Once more question I have is when we come to map all users to a new Azure File share (over a weekend) we would;

remove user access to the onprem file server

then do a final sync

Allow users access to the new AFS

At stage 1, I was planning on removing authenticated users access to the share but am unsure if this would break the Az file sync group, would it just be a matter of adding the onprem AD storage account read access to the share to allow the final sync?

Thanks

Deepanshu katara 12,635 Reputation points

2024-12-19T15:11:54.74+00:00

I think Removing authenticated users' access to the on-prem file server will not break the Azure File Sync group during the final sync. However, to ensure the final sync is successful, you should:

Remove User Access: Remove authenticated users' access to the on-prem file server to prevent any changes during the final sync.

Add Read Access: Ensure that the on-prem AD storage account has read access to the share to allow the final sync to complete successfully.

By following these steps, you can perform the final sync without breaking the Azure File Sync group.

References:

Migrate from Network Attached Storage (NAS) to a hybrid cloud deployment with Azure File Sync

Migrate from Linux to a hybrid cloud deployment with Azure File Sync

Migrate files from one Azure file share to another when using Azure File Sync
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Can I remove AD azure file storage system account syncronising to Entra

0 additional answers

Your answer