Since a few weeks, Microsoft allows to use Active Directory to deliver Kerberos and NTLM tokens for Azure Files. When I say Active Directory, I mean your On-Premises Active Directory. Obviously, you need a Site-to-Site VPN between your On-Premises infrastructure and Azure. You need also Azure Active Directory to manage Azure Files SMB permissions so Azure AD Connect is a requirement.

The advantage of using Active Directory authentication over SMB for Azure file shares is that you can set NTFS permissions with your own groups or users. That enables you to migrate your On-Premises file servers to Azure files and get access to your company data from everywhere. In addition, Azure File Sync is supported with this kind of configuration to add some cache servers in the branch office for example. One other use case of that configuration is the profile repository for Windows Virtual Desktop and FSLogix.

In this topic, I’ll show you how to implement this configuration by integrating the storage account in your Active Directory.


To follow this topic, you need the following:

  • An Active Directory synchronized with Azure Active Directory through Azure AD Connect. In this topic I use my On-Premises Active Directory that is reachable through a Site-to-Site VPN.

Create the storage account

First, you need to create a storage account. To create it, navigate to the marketplace and look for Storage account. Then specify the following settings:

Storage account

Add the Storage Account to Active Directory

Download AZFilesHybrid module from this URL. Then extract it for example in c:\temp\azfileshybrid. Then install Azure PowerShell modules by running the following cmdlet:

The following screenshot shows my configuration:


Once the script is finished, you can check if your storage account is added to the Active Directory.

Remote Desktop

Now you need to run the following script to enable the feature on the storage account:

To get Active Directory information you can run the following command:


To get the Storage Account SID, run the following cmdlet:

Storage Account SID

The following screenshot shows my configuration:


Finally run the following script to validate your configuration:

The following screenshot shows the result of the above script:

The result of the above script

If you go in the storage account configuration tab from the Azure Portal, you should see that the storage account is integrated in Active Directory.

Active Directory configuration

Create a share and assign permissions

First create a file share. I called mine mydata.

Create a share and assign permissions

Then navigate in the file share and navigate to Access Control (IAM). Then select add role assignment.

Access Control (IAM)

Three roles exist:

  • Storage File Data SMB Share Contributor: permissions to read, write and modify
  • Storage File Data SMB Share Elevated Constributor: permissions to read, write, modify and manage NTFS permissions
  • Storage File Data SMB Share Reader: permission to read.

Three roles exist

Select the appropriate role and assign these SMB permissions to a group or a user (I prefer a group 😊). This is why you need an Active Directory synchronized with Azure Active Directory.

Select the appropriate role and assign

Now from the Windows Explorer, map a network drive by specifying the following SMB path:


P.S: You can use a private endpoint if you don’t want your storage account accessible from anywhere.

Map Network Drive

Now you can set NTFS permissions from the Windows Explorer.

Set NTFS permissions

As you can see, you can add groups or users from your On-Premises Active Directory. Just don’t forget to set SMB permissions from Azure Portal.

Add groups or users from your On-Premises Active Directory

VSAN from StarWind eliminates any need for physical shared storage just by mirroring internal flash and storage resources between hypervisor servers. Furthermore, the solution can be run on the off-the-shelf hardware. Such design allows VSAN from StarWind to not only achieve high performance and efficient hardware utilization but also reduce operational and capital expenses.
Find out more about ➡ VSAN from StarWind

Now you can create your file trees.

Create your file trees

And this file trees is accessible and visible from the Azure Portal.

Azure Portal

Views All Time
Views Today
Back to blog
The following two tabs change content below.
Romain Serre
Romain Serre
Senior consultant at Exakis
Romain Serre works in Lyon as a Senior Consultant. He is focused on Microsoft Technology, especially on Hyper-V, System Center, Storage, networking and Cloud OS technology as Microsoft Azure or Azure Stack. He is a MVP and he is certified Microsoft Certified Solution Expert (MCSE Server Infrastructure & Private Cloud), on Hyper-V and on Microsoft Azure (Implementing a Microsoft Azure Solution).