Share via

How to secure accessing windows domain joined Azure File share over public endpoint

Thirutham Ram 0 Reputation points
2025-02-13T12:18:37.1+00:00

How to secure accessing windows domain joined Azure File share over public endpoint

Azure Files
Azure Files
An Azure service that offers file shares in the cloud.
1,370 questions

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Marcin Policht 37,045 Reputation points MVP
    2025-02-13T12:55:57.87+00:00

    Consider the following:

    1. Ensure SMB over TLS by verifying that clients connecting to the file share support use SMB 3.x.
    2. Restrict access by using firewall rules to allow access only from trusted IPs.
    3. Enable Azure Defender for Storage. This helps monitoring and detecting threats like unusual access patterns and potential ransomware attacks.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    0 comments
  2. Firat Kutay 0 Reputation points
    2025-02-13T14:16:36.7566667+00:00

    Hi Thirutham,

    To secure a Windows domain-joined Azure File share accessed over a public endpoint (though Private Endpoint is strongly preferred):

    File Share: Use Storage Account Firewall to restrict access by IP or VNet. Never expose storage keys directly. Private Endpoint is the most secure option.

    Authentication: Use Active Directory authentication (essential) and NTFS permissions for granular control. For hybrid, configure Azure AD Kerberos.

    Network: Use NSGs to limit traffic (port 445 for SMB). For on-premises, use VPN/ExpressRoute (ideally with Private Endpoint).

    Monitoring: Use Azure Monitor and Storage Analytics. Integrate with Security Center.

    Best Practices: Least privilege, regular reviews, strong passwords, updates.

    In short: Favor Private Endpoint. If you must use public access, lock down the firewall, use AD auth and NTFS permissions, secure the network path, monitor activity, and follow security best practices.

    0 comments
  3. Hari Babu Vattepally 1,725 Reputation points Microsoft Vendor
    2025-02-13T14:43:50.7366667+00:00

    Hi @Thirutham Ram ,

    To have a secure accessing windows domain joined Azure files share over public endpoint. We would recommend you follow the below:

    • Make sure to use secure transfer options like HTTPS when accessing the Azure File share over the public endpoint. By using this your data stays safe while being transmitted over the network.
    • Please make sure to Azure Private Endpoints in place of using public endpoint. This enables access to your Azure file shares from your on-premises network without public internet exposure.
    • You can also use Azure Active Directory (Azure AD) authentication to control access to the Azure File share. You can assign Azure AD users and groups permissions to access the file share, ensuring that only authorized users can access the data.
    • If you're using SMB 2.1 or SMB 3.x without encryption, make sure the storage account's secure transfer setting is disabled. Just keep in mind that encrypted SMB requests can come from anywhere.
    • Also, enable logging and monitoring to keep track of access to your Azure file share. However, utilize Azure Monitor and Azure Security Center to identify and address any suspicious activities.

    For more additional information, please refer the below documents:

    I hope following the above, you can secure accessing the data from the unauthorized access and potential security threats. Let us know if you have any further questions. We will be glad to assist you further.

    Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members. 

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.