Hello Leslie Chan,
Greetings! Welcome to Microsoft Q&A Platform.
To access Azure Files, you can use Azure AD credentials to authenticate and authorize access to the file share. You can assign Azure built-in roles like Storage File Data SMB Share Reader to users or groups in Azure AD to grant access to an Azure file share. At the directory/file level, Azure Files supports preserving, inheriting, and enforcing Windows ACLs just like any Windows file server. You can choose to keep Windows ACLs when copying data over SMB between your existing file share and your Azure file shares. Whether you plan to enforce authorization or not, you can use Azure file shares to back up ACLs along with your data. So, you can use Microsoft 365 security groups to assign access permissions to each share folder via Azure AD.
Microsoft Entra Domain Services
For Microsoft Entra Domain Services authentication, you should enable Microsoft Entra Domain Services and domain-join the VMs you plan to access file data from. Your domain-joined VM must reside in the same virtual network (VNET) as your Microsoft Entra Domain Services.
All users that exist in Microsoft Entra ID can be authenticated and authorized. The user can be cloud-only or hybrid. The sync from Microsoft Entra ID to Microsoft Entra Domain Services is managed by the platform without requiring any user configuration. However, the client must be joined to the Microsoft Entra Domain Services hosted domain. It can't be Microsoft Entra joined or registered. Microsoft Entra Domain Services doesn't support non-Azure clients (i.e. user laptops, workstations, VMs in other clouds, etc.) being domain-joined to the Microsoft Entra Domain Services hosted domain. However, it's possible to mount a file share from a non-domain-joined client by providing explicit credentials such as DOMAINNAME\username or using the fully qualified domain name (username@FQDN).
This article explains how Azure file shares can use domain services, either on-premises or in Azure, to support identity-based access to Azure file shares over SMB. Enabling identity-based access for your Azure file shares allows you to replace existing file servers with Azure file shares without replacing your existing directory service, maintaining seamless user access to shares.
Overview of Azure Files identity-based authentication options for SMB access:
- On-premises Active Directory Domain Services (AD DS)
- Microsoft Entra Domain Services
- Microsoft Entra Kerberos for hybrid user identities
The Azure AD Kerberos functionality for hybrid identities is only available on the following operating systems:
- Windows 11 Enterprise/Pro single or multi-session.
Just for cross-verifying: before you enable Azure AD Kerberos authentication over SMB for Azure file shares, make sure you've completed the following prerequisites.
This article lists common problems that are related to Microsoft Azure Files when you connect from Windows clients.
Second, try mounting Azure file share with storage account key. If the share fails to mount, download AzFileDiagnostics to help you validate the client running environment, detect the incompatible client configuration which would cause access failure for Azure Files, give prescriptive guidance on self-fix, and collect the diagnostics traces.
Third, you can run the Debug-AzStorageAccountAuth cmdlet to conduct a set of basic checks on your AD configuration with the logged on AD user. This cmdlet is supported on AzFilesHybrid v0.1.2+ version. You need to run this cmdlet with an AD user that has owner permission on the target storage account.
Reference docs: https://learn.microsoft.com/en-us/windows-server/security/kerberos/ntlm-overview.
Please consider checking the following steps to resolve the issue:
- Ensure that the Windows 11 Enterprise machine is correctly joined to the Microsoft Entra domain. You can check this by going to Settings > Accounts > Access work or school and verifying the domain join status.
- For hybrid identities, you might need to enable Microsoft Entra Kerberos authentication for Azure file shares. This allows users to access Azure file shares using Kerberos tickets issued by Microsoft Entra ID. Ensure that your storage account is configured to use Microsoft Entra Kerberos authentication.
- Make sure that you have assigned the correct Azure Role-Based Access Control (RBAC) permissions to the user groups. The groups should be created in Active Directory and synced to Microsoft Entra ID.
- NTLM authentication might require specific configurations. Ensure that NTLM settings are correctly configured in your environment. You can check this in Local Security Policy > Security Settings > Local Policies > Security Options.
- Verify that the computer name is correctly registered in the domain and that DNS settings are properly configured. If these steps don't resolve the issue, you might want to consult the detailed documentation on Azure Files identity-based authentication for more specific guidance below:
https://learn.microsoft.com/en-us/windows-server/security/kerberos/ntlm-overview
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview
Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.
Please "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
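The troubleshooting steps in the answer above (confirm domain join, rule out SMB connectivity, verify share-level RBAC, test a key-based mount, then run Debug-AzStorageAccountAuth) collected into one PowerShell checklist. This is an added example, not code from the Q&A answer or from Microsoft's documentation; the storage account, resource group, share name and group object ID are placeholder values you must replace, and the AzFilesHybrid module is assumed to be already installed as described in the Azure Files AD DS documentation.

```powershell
# Added example (not from the original answer): run on the Windows client that fails to access the share.
# Placeholders (assumptions, replace with your own values):
$StorageAccount = "mystorageacct"                          # placeholder storage account name
$ResourceGroup  = "my-rg"                                  # placeholder resource group
$ShareName      = "finance"                                # placeholder file share name
$GroupObjectId  = "00000000-0000-0000-0000-000000000000"   # placeholder object ID of the synced security group
$Endpoint       = "$StorageAccount.file.core.windows.net"

# 1. Join state: the client must be domain-joined (AD DS or Entra Domain Services);
#    Entra-registered or Entra-joined only is not enough for Entra Domain Services auth.
$joinState = dsregcmd /status
$joinState | Select-String 'AzureAdJoined|DomainJoined|DomainName'

# 2. Connectivity: SMB needs TCP 445 to the storage endpoint; a blocked port looks like an auth failure.
$tnc = Test-NetConnection -ComputerName $Endpoint -Port 445
if (-not $tnc.TcpTestSucceeded) {
    Write-Warning "TCP 445 to $Endpoint is blocked; fix network/firewall before looking at identity."
}

# 3. Kerberos: ask for a service ticket for the share's SPN; an error here points at
#    Entra Kerberos / AD DS configuration rather than at NTFS permissions.
klist get "cifs/$Endpoint"

# 4. Share-level RBAC: list who holds the SMB data roles on this share and add the
#    reader role to the synced group if it is missing.
Connect-AzAccount
$sub   = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$sub/resourceGroups/$ResourceGroup/providers/Microsoft.Storage" +
         "/storageAccounts/$StorageAccount/fileServices/default/fileshares/$ShareName"
Get-AzRoleAssignment -Scope $scope |
    Where-Object RoleDefinitionName -like 'Storage File Data SMB Share*' |
    Select-Object DisplayName, RoleDefinitionName, ObjectType
if (-not (Get-AzRoleAssignment -Scope $scope -ObjectId $GroupObjectId)) {
    New-AzRoleAssignment -ObjectId $GroupObjectId `
        -RoleDefinitionName "Storage File Data SMB Share Reader" -Scope $scope
}

# 5. Isolate identity from connectivity: a storage-key mount bypasses Kerberos/NTLM entirely.
#    If this mount works, the problem is in the identity path, not the network or the share.
$key  = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount)[0].Value
$cred = New-Object System.Management.Automation.PSCredential(
            "AZURE\$StorageAccount", (ConvertTo-SecureString $key -AsPlainText -Force))
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$Endpoint\$ShareName" -Credential $cred -ErrorAction Stop
Remove-PSDrive -Name Z

# 6. AD configuration checks from the AzFilesHybrid module (v0.1.2+), run as the logged-on
#    AD user who has Owner on the storage account.
Import-Module AzFilesHybrid
Debug-AzStorageAccountAuth -StorageAccountName $StorageAccount -ResourceGroupName $ResourceGroup -Verbose
```

Run the steps in order: each one rules out a layer (join state, network, Kerberos ticket, RBAC, share reachability) before the next, so the first step that fails tells you where to look. Treat the storage-key mount in step 5 as a diagnostic only; remove the drive afterwards as shown and do not leave the key cached on user workstations.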