Since a few weeks, Microsoft allows to use Active Directory to deliver Kerberos and NTLM tokens for Azure Files. When I say Active Directory, I mean your On-Premises Active Directory. Obviously, you need a Site-to-Site VPN between your On-Premises infrastructure and Azure. You need also Azure Active Directory to manage Azure Files SMB permissions so Azure AD Connect is a requirement.

The advantage of using Active Directory authentication over SMB for Azure file shares is that you can set NTFS permissions with your own groups or users. That enables you to migrate your On-Premises file servers to Azure files and get access to your company data from everywhere. In addition, Azure File Sync is supported with this kind of configuration to add some cache servers in the branch office for example. One other use case of that configuration is the profile repository for Windows Virtual Desktop and FSLogix.

In this topic, I’ll show you how to implement this configuration by integrating the storage account in your Active Directory.

Requirements

To follow this topic, you need the following:

  • An Active Directory synchronized with Azure Active Directory through Azure AD Connect. In this topic I use my On-Premises Active Directory that is reachable through a Site-to-Site VPN.

Create the storage account

First, you need to create a storage account. To create it, navigate to the marketplace and look for Storage account. Then specify the following settings:

Storage account

Add the Storage Account to Active Directory

Download AZFilesHybrid module from this URL. Then extract it for example in c:\temp\azfileshybrid. Then install Azure PowerShell modules by running the following cmdlet:

The following screenshot shows my configuration:

wp-image-14371

Once the script is finished, you can check if your storage account is added to the Active Directory.

Remote Desktop

Now you need to run the following script to enable the feature on the storage account:

To get Active Directory information you can run the following command:

Get-ADDomain

To get the Storage Account SID, run the following cmdlet:

Storage Account SID

The following screenshot shows my configuration:

Configuration

Finally run the following script to validate your configuration:

The following screenshot shows the result of the above script:

The result of the above script

If you go in the storage account configuration tab from the Azure Portal, you should see that the storage account is integrated in Active Directory.

Active Directory configuration

Create a share and assign permissions

First create a file share. I called mine mydata.

Create a share and assign permissions

Then navigate in the file share and navigate to Access Control (IAM). Then select add role assignment.

Access Control (IAM)

Three roles exist:

  • Storage File Data SMB Share Contributor: permissions to read, write and modify
  • Storage File Data SMB Share Elevated Constributor: permissions to read, write, modify and manage NTFS permissions
  • Storage File Data SMB Share Reader: permission to read.

Three roles exist

Select the appropriate role and assign these SMB permissions to a group or a user (I prefer a group 😊). This is why you need an Active Directory synchronized with Azure Active Directory.

Select the appropriate role and assign

Now from the Windows Explorer, map a network drive by specifying the following SMB path:

\\<StorageAccount>.file.core.windows.net\<ShareName>.

P.S: You can use a private endpoint if you don’t want your storage account accessible from anywhere.

Map Network Drive

Now you can set NTFS permissions from the Windows Explorer.

Set NTFS permissions

As you can see, you can add groups or users from your On-Premises Active Directory. Just don’t forget to set SMB permissions from Azure Portal.

Add groups or users from your On-Premises Active Directory

VSAN from StarWind is software-defined storage (SDS) solution created with restricted budgets and maximum output in mind. It pulls close to 100% of IOPS from existing hardware, ensures high uptime and fault tolerance starting with just two nodes. StarWind VSAN is hypervisor and hardware agnostic, allowing you to forget about hardware restrictions and crazy expensive physical shared storage.

Build your infrastructure with off-the-shelf hardware, scale however you like, increase return on investment (ROI) and enjoy Enterprise-grade virtualization features and benefits at SMB price today!


Now you can create your file trees.

Create your file trees

And this file trees is accessible and visible from the Azure Portal.

Azure Portal

Back to blog