map a windows drive to azure files using Entra

Rick J. Doll 0

We have set up a storage account.

We can map a drive to the storage account from windows using the storage account name and access key.

We have Microsoft Entra enabled in the identity based access.

Anytime that we try and map a drive to azure files on windows using our Entra credentials, we get a password error and it doesn't map. Again, it maps fine with storage name and key.

Hopefully I am missing an easy step?

Keshavulu Dasari 1,830 Reputation points Microsoft Vendor

2024-11-15T23:53:35.31+00:00
Hi Rick J. Doll ,
Welcome to Microsoft Q&A Forum. Thanks for posting you query here!
The issue with mapping Azure Files using Microsoft Entra credentials Verify that your storage account is configured to use Microsoft Entra Domain Services for authentication. This setup is necessary for identity-based access,
Ensure that the password for the AD identity representing the storage account matches the storage account's Kerberos key. If there's a mismatch, you can reset the password using the Update-AzStorageAccountADObjectPassword command,Make sure that the share-level permissions are correctly assigned. Incorrect permissions can lead to access being denied,
Sometimes, Multi-Factor Authentication (MFA) can interfere with the mapping process. Try disabling MFA temporarily to see if it resolves the issue,
When mapping the drive, ensure you are using the correct syntax in the command. For example:

net use Z: \\<storage-account-name>.file.core.windows.net\<file-share-name> /u:<domain>\<username> <password>

Ensure there are no policy restrictions such as blank passwords or limited sign-in times that might be preventing the mapping

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you
Rick J. Doll 0 Reputation points

2024-11-16T14:26:02.5633333+00:00

I will have to review Kerberos.

We do have entra domain service4s running, the password is different, using this kerberos, than users entra account passwords?
Keshavulu Dasari 1,830 Reputation points Microsoft Vendor

2024-11-18T17:40:24.2833333+00:00

Hi Rick J. Doll
Yes, that's correct. The Kerberos password used for the storage account can be different from the users' Microsoft Entra account passwords. This is because the Kerberos password is specifically set for the storage account to enable secure access.
To consider:
Kerberos Password:
This password is set when you configure the storage account for identity-based access using Microsoft Entra Domain Services. It is separate from the users' regular Entra account passwords.

Password Synchronization:
Ensure that the Kerberos password is correctly synchronized and updated. You can use the Update-AzStorageAccountADObjectPassword command to reset or update this password if needed.

User Credentials:
When mapping the drive, users will need to use their Entra credentials (username and password) that are synchronized with the domain services.

Configuration Verification:
Double-check that the storage account is properly configured to use Microsoft Entra Domain Services and that the necessary permissions are set up correctly.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members. If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you
Keshavulu Dasari 1,830 Reputation points Microsoft Vendor

2024-11-19T19:35:16.4633333+00:00

Hi Rick J. Doll,
Checking in to see if the response helped. If you have any questions, let me know in the "comments" and I would be happy to help you.
Keshavulu Dasari 1,830 Reputation points Microsoft Vendor

2024-11-21T16:36:48.78+00:00

Hi Rick J. Doll,
Checking in to see if the response helped. If you have any questions, let me know in the "comments" and I would be happy to help you.

1 answer

Marcin Policht 26,465 Reputation points MVP

2024-11-15T23:17:25.69+00:00
This is not supported unless your Entra tenant is integrated with either Active Directory (via Connect/Cloud sync) or with Entra Domain Services

Details at https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview

Supported scenarios

On-premises AD DS authentication: On-premises AD DS-joined or Microsoft Entra Domain Services-joined Windows machines can access Azure file shares with on-premises Active Directory credentials that are synched to Microsoft Entra ID over SMB. Your client must have unimpeded network connectivity to your AD DS. If you already have AD DS set up on-premises or on a VM in Azure where your devices are domain-joined to your AD, you should use AD DS for Azure file shares authentication.

Microsoft Entra Domain Services authentication: Cloud-based, Microsoft Entra Domain Services-joined Windows VMs can access Azure file shares with Microsoft Entra credentials. In this solution, Microsoft Entra ID runs a traditional Windows Server AD domain on behalf of the customer, which is a child of the customer’s Microsoft Entra tenant.

Microsoft Entra Kerberos for hybrid identities: Using Microsoft Entra ID for authenticating hybrid user identities allows Microsoft Entra users to access Azure file shares using Kerberos authentication. This means your end users can access Azure file shares over the internet without requiring network connectivity to domain controllers from Microsoft Entra hybrid joined and Microsoft Entra joined VMs. Cloud-only identities aren't currently supported.

AD Kerberos authentication for Linux clients: Linux clients can use Kerberos authentication over SMB for Azure Files using on-premises AD DS or Microsoft Entra Domain Services.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Please sign in to rate this answer.
Rick J. Doll 0 Reputation points

2024-11-16T14:24:32.01+00:00

We do have hybrid accounts.

Marcin Policht 26,465 Reputation points MVP

2024-11-16T16:42:52.95+00:00

Then follow https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable?tabs=azure-portal%2Cintune to configure it properly

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

map a windows drive to azure files using Entra

1 answer

Your answer