Unable to Map Azure File Shares from Intune-joined endpoint

cgar 0 Reputation points
2024-12-16T20:00:06.0266667+00:00

Following the guide posted here, I enabled the Storage Account and linked the SPN.

https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable

I am able to map shares on servers in the same subnet that are domain-joined, but I am unable to map this share to endpoints that are Intune-joined. I receive "Incorrect Password" prompts.

When I review Entra logons, I see the following:

Sign-in error code: 700016

Failure reason: Application with identifier '{appIdentifier}' was not found in the directory '{tenantName}'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

Additional Details: The application named X was not found in the tenant named Y. This can happen if the application with identifier X has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have misconfigured the Identifier value for the application or sent your authentication request to the wrong tenant.


3 answers

  1. hossein jalilian 9,310 Reputation points
    2024-12-16T21:32:34.7533333+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    To resolve this issue, consider the following options:

    • Enable Azure AD Kerberos for your storage account. This allows Intune-joined devices to authenticate using their Azure AD credentials.
    • Instead of using AD DS authentication, configure your storage account to use Azure AD authentication. This is more suitable for Intune-joined devices.
    • Implement Azure File Sync to create a hybrid solution that works for both domain-joined and Intune-joined devices.
    • Ensure that the Intune-joined devices have proper network connectivity to the Azure File Share and can resolve the storage account's DNS name
    • The error message suggests an issue with application registration in Azure AD. Verify that the storage account is properly registered as an application in your Azure AD tenant

    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.


  2. Vinod Kumar Reddy Chilupuri 1,915 Reputation points Microsoft Vendor
    2024-12-16T21:59:09.7033333+00:00

    Hi @cgar

    Welcome to Microsoft Q&A, thanks for posting your query.

    The issue you're experiencing with mapping Azure File Shares from Intune-joined endpoints, where you receive "Incorrect Password" prompts, may be related to the application not being found in the directory. The error code 700016 indicates that the application you are trying to use for authentication is not found in the specified Azure AD tenant. This can happen for several reasons:

    • The application has not been registered in Azure AD.
    • The application has not been consented to by an administrator or any user in the tenant.
    • The authentication request is being sent to the wrong tenant.

    To resolve this, verify that the application is properly registered in Microsoft Entra and that the necessary permissions have been granted. Please check the following steps, which should solve your issue.

    1. Confirm that the application identifier is correctly configured and matches what you expect.
    2. Verify that the application has been installed by an administrator or that consent has been granted for users in the tenant.
    3. Ensure that your authentication request is being sent to the correct tenant.

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable

    https://learn.microsoft.com/en-us/troubleshoot/azure/azure-storage/files/security/files-troubleshoot-smb-authentication#potential-errors-when-enabling-microsoft-entra-kerberos-authentication-for-hybrid-users


    Additional steps:

    • Testing with Different Accounts: Try mapping the share using different user accounts to see if the issue is account specific.
    • Review Azure AD Logs: Check the Azure AD sign-in logs for more details about the failed sign-in attempts, which can provide additional context about what the issue might be.
    • Intune Configuration: Check that the Intune-joined devices are configured correctly to access Azure File Shares and that there are no policies blocking access.

    Please let us know if you have any further queries. I’m happy to assist you further. 


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

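Both answers above point in the same direction: move the storage account from AD DS authentication to Microsoft Entra Kerberos and make sure the service principal that Azure creates for it exists in the tenant that the Entra-joined clients sign in to, since error 700016 is Entra saying it cannot find that application. The following PowerShell is an added worked example, not code from the thread or from Microsoft's documentation. It assumes the Az.Storage and Az.Resources modules, an existing storage account, and an on-premises AD DS domain whose users are synced to the tenant (Entra Kerberos for Azure Files requires hybrid user identities; cloud-only users cannot use it). The resource group, account, share and domain names are placeholders. Note that a storage account has a single directory service option, so switching to Entra Kerberos replaces the AD DS configuration that the question describes.

```powershell
# Added example; all names below are assumptions, replace them for your environment.
$ResourceGroup  = 'rg-files'            # assumed resource group
$StorageAccount = 'stfilesdemo'         # assumed storage account name
$ShareName      = 'share1'              # assumed file share name
$DomainName     = 'corp.contoso.com'    # assumed on-prem AD DS domain synced to Entra ID

# Domain GUID of the on-prem domain. Get-ADDomain needs the RSAT ActiveDirectory module;
# on a machine without it, paste the GUID string from 'Get-ADDomain' run elsewhere.
$DomainGuid = (Get-ADDomain -Identity $DomainName).ObjectGUID.ToString()

# --- 1. Enable Microsoft Entra Kerberos (AADKERB) on the storage account -------------
# This turns off the AD DS option and registers a service principal named
# "[Storage Account] <account>.file.core.windows.net" in the tenant that owns the
# subscription. If the clients sign in to a different tenant, 700016 is expected.
Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -EnableAzureActiveDirectoryKerberosForFile $true `
    -ActiveDirectoryDomainName $DomainName `
    -ActiveDirectoryDomainGuid $DomainGuid

# --- 2. Verify the directory option and the service principal ----------------------
$acct = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$acct.AzureFilesIdentityBasedAuth.DirectoryServiceOptions   # expect AADKERB

$spName = "[Storage Account] $StorageAccount.file.core.windows.net"
$sp = Get-AzADServicePrincipal -DisplayName $spName
if (-not $sp) {
    throw "Service principal '$spName' not found in the signed-in tenant; " +
          "sign-ins will keep failing with 700016 until it exists here."
}
$sp | Select-Object DisplayName, AppId, Id

# --- 3. Admin consent ---------------------------------------------------------------
# The new app registration requests openid, profile and User.Read. Grant admin consent
# in the Entra admin center (App registrations > $spName > API permissions >
# Grant admin consent). Without it the sign-in is rejected as "not consented".

# --- 4. Client side, on the Entra-joined (Intune-managed) device, as the hybrid user --
# Port 445 must be reachable from the client network.
Test-NetConnection -ComputerName "$StorageAccount.file.core.windows.net" -Port 445

# Cloud Kerberos ticket retrieval must be on (Intune ADMX: System > Kerberos >
# "Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon").
# The policy sets this value to 1; 0 or missing means the client will never
# obtain a cloud TGT and will fall back to a password prompt.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' `
    -Name CloudKerberosTicketRetrievalEnabled -ErrorAction SilentlyContinue

# Ask for the CIFS service ticket explicitly; a ticket listed here means Entra
# Kerberos is working and the share should map with no credential prompt.
klist get "cifs/$StorageAccount.file.core.windows.net"

New-SmbMapping -LocalPath 'Z:' `
    -RemotePath "\\$StorageAccount.file.core.windows.net\$ShareName" `
    -Persistent $true
```

Run steps 1 to 3 from an account that can modify the storage account and grant tenant-wide consent; run step 4 on the affected endpoint. If step 2 finds the service principal but the client still logs 700016, compare the tenant ID in the sign-in log entry with the tenant that owns the subscription, since the request is then being sent to a tenant where the application does not exist. Share-level RBAC roles (for example Storage File Data SMB Share Contributor) and the NTFS ACLs on the share still need to be assigned to the synced users as in the AD DS setup.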

  3. cgar 0 Reputation points
    2024-12-17T01:29:40.22+00:00

    This link is not functional. https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable

    I don't have an option to register the application, before the application was registered. If you have a guide for me to try to register this, it would be ideal, so I can also explicitly bypass MFA.

    Strange that it works from some servers but not Azure devices. I followed the KB with the idea that AD DS was the ideal method.

    Trying Kerberos alone and mapping the domain GUID alone doesn't work.

