
Overview: On-premises Active Directory Domain Services authentication over SMB for Azure file shares

Applies to: ✔️ SMB Azure file shares

Azure Files supports identity-based authentication for Windows file shares over Server Message Block (SMB) using the Kerberos authentication protocol through the following methods:

  • On-premises Active Directory Domain Services (AD DS)
  • Microsoft Entra Domain Services
  • Microsoft Entra Kerberos for hybrid user identities

We strongly recommend that you review the How it works section to select the right AD source for authentication. The setup is different depending on the domain service you choose. This article focuses on enabling and configuring on-premises AD DS for authentication with Azure file shares.

If you're new to Azure Files, we recommend reading the planning guide.

Supported scenarios and restrictions

  • To use identity-based authentication with Azure Files, share-level RBAC permissions must be assigned. You can do this in two ways:
    • Default share-level permission: This option applies RBAC at the share level for all authenticated users. With this configuration, you don't need to sync your on-premises AD DS identities to Microsoft Entra ID.
    • Granular share-level permissions: If you want to assign RBAC at the share level to specific users or groups, the corresponding identities must be synchronized from your on-premises AD DS to Microsoft Entra ID using Microsoft Entra Connect or Microsoft Entra Cloud Sync. Groups created only in Microsoft Entra ID won't work unless they contain synced user accounts. Password hash synchronization isn't required.
  • Client OS requirements: Windows 8 / Windows Server 2012 or later, or Linux VMs such as Ubuntu 18.04+ and equivalent RHEL/SLES distributions.
  • You can manage Azure file shares with Azure File Sync.
  • Kerberos authentication is available with Active Directory using AES 256 encryption (recommended) and RC4-HMAC. AES 128 Kerberos encryption isn't yet supported.
  • Single sign-on (SSO) is supported.
  • By default, access is limited to the Active Directory forest where the storage account is registered. Users from any domain in that forest can access the file share contents, provided they have the appropriate permissions. To enable access from additional forests, you must configure a forest trust. For details, see Use Azure Files with multiple Active Directory forests.
  • Identity-based authentication isn't currently supported for NFS file shares.

When you enable AD DS for Azure file shares over SMB, your AD DS-joined machines can mount Azure file shares using your existing AD DS credentials. You can host the AD DS environment either on-premises or on a virtual machine (VM) in Azure.

Videos

To help you set up identity-based authentication for common use cases, we published two videos with step-by-step guidance for the following scenarios. Note that Azure Active Directory is now Microsoft Entra ID. For more info, see New name for Azure AD.

  • Replace on-premises file servers with Azure Files (including setup on private link for files and AD authentication)
  • Use Azure Files as the profile container for Azure Virtual Desktop (including setup on AD authentication and FSLogix configuration)

Prerequisites

Before you enable AD DS authentication for Azure file shares, make sure you complete the following prerequisites:

  • Select or create your AD DS environment and sync it to Microsoft Entra ID using either the on-premises Microsoft Entra Connect Sync application or Microsoft Entra Connect cloud sync, a lightweight agent that you can install from the Microsoft Entra Admin Center.

    You can enable the feature on a new or existing on-premises AD DS environment. Identities used for access must be synced to Microsoft Entra ID or use a default share-level permission. The Microsoft Entra tenant and the file share that you're accessing must be associated with the same subscription.

  • Domain-join an on-premises machine or an Azure VM to on-premises AD DS. For information about how to domain-join, see Join a Computer to a Domain.

    If a machine isn't domain joined, you can still use AD DS for authentication if the machine has unimpeded network connectivity to the on-premises AD domain controller and the user provides explicit credentials. For more information, see Mount the file share from a non-domain-joined VM or a VM joined to a different AD domain.

  • Select or create an Azure storage account. For optimal performance, we recommend that you deploy the storage account in the same region as the client from which you plan to access the share.

    Make sure that the storage account containing your file shares isn't already configured for identity-based authentication. If an AD source is already enabled on the storage account, you must disable it before enabling on-premises AD DS.

    If you experience issues in connecting to Azure Files, see Troubleshoot Azure Files mounting errors on Windows.

  • If you plan to enable any networking configurations on your file share, we recommend you read the networking considerations article and complete the related configuration before enabling AD DS authentication.

Regional availability

You can use Azure Files authentication with AD DS in all Azure Public, China, and Gov regions.

Overview

When you enable AD DS authentication for your Azure file shares, you can use your on-premises AD DS credentials to authenticate to your Azure file shares. You can also manage your permissions to allow granular access control. To set up authentication, sync identities from on-premises AD DS to Microsoft Entra ID by using either the on-premises Microsoft Entra Connect Sync application or Microsoft Entra Connect cloud sync, a lightweight agent that you can install from the Microsoft Entra Admin Center. Assign share-level permissions to hybrid identities synced to Microsoft Entra ID, and manage file and directory-level access using Windows ACLs.

Follow these steps to set up Azure Files for AD DS authentication:

  1. Enable AD DS authentication on your storage account

  2. Assign share-level permissions to the Microsoft Entra identity (a user, group, or service principal) that syncs with the target AD identity

  3. Configure Windows ACLs over SMB for directories and files

  4. Mount an Azure file share to a VM joined to your AD DS

  5. Update the password of your storage account identity in AD DS
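
A read-only audit of the state these steps produce, added here as an example and not taken from Microsoft's documentation or modules: it reports which AD source is enabled on the storage account (the prerequisite check), whether the AD identity allows AES 256 or still allows RC4-HMAC, and how old its password is (step 5). The function names and the 90-day threshold are assumptions; the cmdlets come from the Az.Storage and ActiveDirectory modules.

```powershell
# Added example, not Microsoft's code. Assumes the Az.Storage and ActiveDirectory
# modules, a signed-in Az session, and line of sight to a domain controller.
function ConvertFrom-KerbEncMask {
    param([int]$Mask)
    # Bit values of the AD attribute msDS-SupportedEncryptionTypes
    $bits = [ordered]@{ 'DES-CBC-CRC' = 0x1; 'DES-CBC-MD5' = 0x2; 'RC4-HMAC' = 0x4; 'AES128' = 0x8; 'AES256' = 0x10 }
    @($bits.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object { $_.Key })
}

function Test-AzFilesAdDsConfig {   # hypothetical name
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$StorageAccountName,
        [int]$MaxPasswordAgeDays = 90   # assumption: set this to your domain's password policy
    )
    $auth   = (Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName).AzureFilesIdentityBasedAuth
    $source = if ($auth -and $auth.DirectoryServiceOptions) { [string]$auth.DirectoryServiceOptions } else { 'None' }
    $report = [ordered]@{
        StorageAccount         = $StorageAccountName
        DirectoryService       = $source   # 'AD' means on-premises AD DS is the enabled source
        DefaultSharePermission = $auth.DefaultSharePermission
        Findings               = @()
    }
    if ($source -ne 'AD') {
        if ($source -ne 'None') { $report.Findings += "Another AD source ($source) is enabled; disable it before enabling AD DS" }
        return [pscustomobject]$report
    }
    # Find the AD object that represents the storage account by the SID Azure recorded for it
    $ad  = $auth.ActiveDirectoryProperties
    $obj = Get-ADObject -Server $ad.DomainName -Filter "objectSid -eq '$($ad.AzureStorageSid)'" `
               -Properties 'msDS-SupportedEncryptionTypes', 'pwdLastSet'
    if (-not $obj) { $report.Findings += 'No AD object matches AzureStorageSid'; return [pscustomobject]$report }

    $mask  = [int]$obj.'msDS-SupportedEncryptionTypes'   # unset attribute casts to 0
    $types = ConvertFrom-KerbEncMask -Mask $mask
    $age   = [int]((Get-Date).ToUniversalTime() - [datetime]::FromFileTimeUtc($obj.pwdLastSet)).TotalDays
    $report.EncryptionTypes = $types -join ', '
    $report.PasswordAgeDays = $age

    if ($mask -eq 0)                      { $report.Findings += 'Encryption types not set on the object; the domain default applies' }
    elseif ($types -notcontains 'AES256') { $report.Findings += 'AES 256 (recommended) is not enabled' }
    if ($types -contains 'RC4-HMAC')      { $report.Findings += 'RC4-HMAC is still enabled' }
    if ($age -gt $MaxPasswordAgeDays)     { $report.Findings += "AD password is $age days old; rotate it" }
    [pscustomobject]$report
}
```

Call it with your own resource group and storage account names; an empty Findings list means the account is on AD DS with AES 256 only and a password younger than the threshold.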

The following diagram illustrates the end-to-end workflow for enabling AD DS authentication over SMB for Azure file shares.

Diagram showing AD DS authentication over SMB for Azure Files workflow.

To enforce share-level file permissions through the Azure role-based access control (Azure RBAC) model, identities used to access Azure file shares must be synced to Microsoft Entra ID. Alternatively, you can use a default share-level permission. Windows-style DACLs on files and directories carried over from existing file servers are preserved and enforced. This setup offers seamless integration with your enterprise AD DS environment. As you replace on-premises file servers with Azure file shares, existing users can access Azure file shares from their current clients with a single sign-on experience, without any change to the credentials in use.

Next step

To get started, enable AD DS authentication for your storage account.