Azure Files identity configuration with Entra Domain Services issue

YMCA2838382 0 Reputation points
2025-10-29T11:53:25.6733333+00:00

I will configure it (both through PowerShell and through the Azure GUI) and it will either have strange issues where it won't map on a joined VM (or I can't change permissions)... or it will let me do those things (sometimes) but then 20 minutes later it will revert back to 'not configured'. This is a part of a migration and is critical - I have 2 days to complete it and this is one of the last items. Please let me know what I can do to resolve this. I've found this in other threads and a 'bug' was mentioned...


1 answer

  1. Priya ranjan Jena 2,295 Reputation points Microsoft External Staff Moderator
    2025-10-30T11:23:16.1333333+00:00

    Hi YMCA2838382,

    Thanks for the reply. We have some suggestions below for you; hope that works.

    Review Permissions: Ensure that you have the necessary permissions granted to your Azure AD users. Check if the users involved have roles like Storage File Data Owner or Storage File Data Contributor, which are crucial for accessing the files properly.

    The identity used for Join-AzStorageAccount or Set-AzStorageAccount must have Storage Account Contributor and Directory Join permissions in Entra ID.

    Verify Synchronization: Since you mentioned syncing with an on-premises file server, confirm that the synchronization is happening correctly. If you're using Microsoft Entra Connect, make sure it is configured to synchronize password hashes.

    Use Correct Sign-in Format: When signing in or mapping the drives, try using the UPN format (i.e., ******@domain.com) rather than the SAMAccountName.

    As you mentioned a storage account that has 3 shares that are also synced with an on-prem file server, please ensure your VM is domain-joined to Microsoft Entra Domain Services. For more information about how to domain-join a VM, see Join a Windows Server virtual machine to a managed domain. Microsoft Entra Domain Services authentication over SMB with Azure file shares is supported only on Windows VMs running OS versions above Windows 7 or Windows Server 2008 R2, or on Linux VMs running Ubuntu 18.04+ or an equivalent RHEL or SLES VM.

    Reference link: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-domain-services-enable?tabs=azure-portal

    DNS Configuration

    • The VNet linked to the storage account must use the AAD DS DNS servers. If DNS reverts to the Azure default or to custom DNS without the domain controllers, the Kerberos setup breaks. You can follow the steps below to verify.

    1. Verify DNS settings: ensure the VNet's DNS servers point to the AAD DS IPs.
         PowerShell
         # DhcpOptions.DnsServers lists the custom DNS servers set on the VNet;
         # an empty list means Azure-provided DNS, which cannot resolve the managed domain
         Get-AzVirtualNetwork -Name <VNetName> -ResourceGroupName <RGName> |
             Select-Object -ExpandProperty DhcpOptions

    2. Re-run the join
         PowerShell
         # Join-AzStorageAccount is provided by the AzFilesHybrid module and registers the
         # storage account as a computer account in the directory; parameter names below are
         # the cmdlet's actual ones (-StorageAccountName, -Domain, -DomainAccountType,
         # -OrganizationalUnitDistinguishedName)
         Join-AzStorageAccount `
             -ResourceGroupName <RGName> `
             -StorageAccountName <StorageAccountName> `
             -Domain <AADDSDomainName> `
             -DomainAccountType ComputerAccount `
             -OrganizationalUnitDistinguishedName <OUPath>

    3. Enable Azure Files AD DS Authentication
         PowerShell
         # Switches the storage account's identity-based authentication to Entra Domain Services
         Set-AzStorageAccount `
             -ResourceGroupName <RGName> `
             -Name <StorageAccountName> `
             -EnableAzureActiveDirectoryDomainServicesForFile $true

    4. Validate Kerberos Status
         PowerShell
         # DirectoryServiceOptions should read 'AADDS' once the setting has taken effect
         Get-AzStorageAccount `
             -ResourceGroupName <RGName> `
             -Name <StorageAccountName> |
             Select-Object -ExpandProperty AzureFilesIdentityBasedAuthentication

    Hope you find this comment helpful; if yes, please "up-vote" the information provided, as this can be beneficial to community members.

    Kindly let us know if you have any additional questions.

    Thanks

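The answer above lists the preconditions to check one at a time. The script below is an added example (not code from the question, the answer, or Microsoft's documentation) that runs the same read-only checks in one pass: the VNet's DNS servers against the AAD DS domain controller IPs, the storage account's DirectoryServiceOptions, and whether the user holds one of the built-in Storage File Data SMB Share roles on the account. It assumes the Az.Network, Az.Storage and Az.Resources modules are installed and Connect-AzAccount has already run; the resource names, IPs and UPN in the invocation are placeholders.

```powershell
# Added example: validates the Azure-side preconditions for Azure Files + Entra Domain Services.
# Assumes Az.Network, Az.Storage and Az.Resources are installed and Connect-AzAccount has run.
# All parameter values are placeholders chosen by the caller.

function Test-AzFilesEntraDsConfig {
    param(
        [Parameter(Mandatory)] [string]   $ResourceGroupName,
        [Parameter(Mandatory)] [string]   $StorageAccountName,
        [Parameter(Mandatory)] [string]   $VNetName,
        [Parameter(Mandatory)] [string[]] $ExpectedDnsServers,   # AAD DS domain controller IPs (assumed known)
        [Parameter(Mandatory)] [string]   $UserPrincipalName     # user that should be able to map the share
    )

    $ok = $true

    # 1. VNet DNS: an empty DnsServers list means Azure-provided DNS, which cannot resolve the managed domain
    $vnet    = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroupName
    $dns     = @($vnet.DhcpOptions.DnsServers)
    $missing = @($ExpectedDnsServers | Where-Object { $_ -notin $dns })
    if ($dns.Count -eq 0 -or $missing.Count -gt 0) {
        Write-Warning "VNet '$VNetName' DNS servers are [$($dns -join ', ')]; expected to include [$($ExpectedDnsServers -join ', ')]"
        $ok = $false
    } else {
        Write-Host "OK: VNet DNS points at the AAD DS domain controllers"
    }

    # 2. Storage account identity auth: DirectoryServiceOptions must be 'AADDS' for Entra Domain Services
    $sa   = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
    $auth = $sa.AzureFilesIdentityBasedAuthentication
    if ($null -eq $auth -or $auth.DirectoryServiceOptions -ne 'AADDS') {
        Write-Warning "Storage account '$StorageAccountName' DirectoryServiceOptions is '$($auth.DirectoryServiceOptions)'; expected 'AADDS'"
        $ok = $false
    } else {
        Write-Host "OK: identity-based authentication is set to AADDS"
    }

    # 3. Data-plane role: a Storage File Data SMB Share role (Reader / Contributor / Elevated Contributor)
    #    must be assigned at the account scope or above; Get-AzRoleAssignment includes inherited assignments
    $assignments = Get-AzRoleAssignment -SignInName $UserPrincipalName -Scope $sa.Id
    $smbRoles    = @($assignments | Where-Object { $_.RoleDefinitionName -like 'Storage File Data SMB Share*' })
    if ($smbRoles.Count -eq 0) {
        Write-Warning "No 'Storage File Data SMB Share *' role found for $UserPrincipalName at $($sa.Id) or above"
        $ok = $false
    } else {
        Write-Host "OK: $UserPrincipalName holds $($smbRoles.RoleDefinitionName -join ', ')"
    }

    return $ok
}

# Example invocation with placeholder values (replace with your own resources)
Test-AzFilesEntraDsConfig -ResourceGroupName 'rg-files' -StorageAccountName 'stfiles01' -VNetName 'vnet-prod' `
    -ExpectedDnsServers @('10.0.0.4', '10.0.0.5') -UserPrincipalName 'user@domain.com'
```

Running this on a schedule (or before and after the twenty-minute window the question describes) shows which of the three settings changes when the configuration "reverts"; the DirectoryServiceOptions value is the one to watch for the storage-account side. Share-level RBAC alone is not sufficient: NTFS permissions on the share still have to be set from a domain-joined VM once the Azure-side checks pass.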
