Managing file servers in VMs has always been a pain. Whether you are migrating between file servers or implementing replication with DFS-R, all these tasks are complex. Today, thanks to Azure, you can implement a file server without using a single VM. You no longer need to handle migrations between file servers (for example, for an operating system upgrade) or to implement HA and replication mechanisms.

To implement a file server in Azure in PaaS mode you need the following:

  • An Azure Active Directory (synchronized with AAD Connect or not)
  • An Azure Active Directory Domain Services (AADDS)
  • Storage accounts

As with a classic file server, there are two kinds of permissions: share and NTFS. The share permissions are manageable from the Azure Portal with identities in AAD. However, NTFS permissions require a Kerberos ticket, and AAD is not able to handle Kerberos or NTLM. This is why we need AADDS.

AADDS is easy to deploy: you just have to open the marketplace and look for Azure Active Directory Domain Service. When the service is deployed, it looks like this:

Azure Active Directory Domain Service

Now that you have your Azure Active Directory and AADDS, you just need to configure a Storage Account.

Deploy the Storage Account

To create a storage account, navigate to the marketplace and look for Storage Account. Specify a name for the storage account, a location and a replication option. Then choose the Storage v2 account kind.

Storage v2 account kind

Then choose your connectivity method. You can allow connections to your storage account from anywhere, or configure a private endpoint to limit connections to a specific virtual network.

Connectivity method

Be sure the Security option is enabled to encrypt SMB3 traffic.

Security option is enabled

Once the storage account is created, check in its configuration that Identity-Based access for file servers is enabled.

Identity-Based access for file servers

Create the file share and set permissions

To create the file share, click on File Shares in the overview tab of the storage account.

File Shares in the overview

Then click on Add File share and create your file share.

Add File share

To assign file share permissions, click on your file share and select Access control (IAM). Then click on Add role assignment.

Access control (IAM)

Three kinds of SMB permissions exist in Azure:

  • Storage File Data SMB Share Elevated Contributor
    Permissions to read, write, modify and change NTFS permissions
  • Storage File Data SMB Share Contributor
    Permissions to read, write and modify
  • Storage File Data SMB Share Reader
    Permission to read

The following screenshots show how I set permissions on two different users. Obviously, in the real world I recommend that you use groups to apply permissions.

Permissions on two different users

Add role assignment
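The portal steps above (storage account, file share, share-level roles) can also be scripted, which makes the security settings reviewable. This is an added example, not part of the original article; it assumes the Az PowerShell modules and a signed-in session, and the resource group, account, share, region, SKU, quota and group names are placeholders.

```powershell
# Added example. Assumes Az.Accounts, Az.Storage and Az.Resources are installed
# and Connect-AzAccount has already been run. All names are placeholders.
$rg       = 'rg-fileserver'      # hypothetical resource group
$account  = 'stfileserver001'    # hypothetical storage account name
$share    = 'corp-data'          # hypothetical file share name
$location = 'westeurope'         # assumed region

# Storage v2 account with secure transfer (encrypted SMB 3 only) and
# AADDS identity-based access for Azure Files enabled at creation time.
# Standard_LRS is an assumed replication choice.
$st = New-AzStorageAccount -ResourceGroupName $rg -Name $account -Location $location `
        -SkuName Standard_LRS -Kind StorageV2 `
        -EnableHttpsTrafficOnly $true `
        -EnableAzureActiveDirectoryDomainServicesForFile $true

# Read the settings back instead of trusting the request.
if (-not $st.EnableHttpsTrafficOnly) { throw 'Secure transfer is not enabled.' }
if ($st.AzureFilesIdentityBasedAuth.DirectoryServiceOptions -ne 'AADDS') {
    throw 'Identity-based access (AADDS) is not enabled for Azure Files.'
}

New-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $account `
    -Name $share -QuotaGiB 100 | Out-Null

# Share-level permissions: one AAD group per role, scoped to this share only
# rather than to the whole storage account.
$scope = "$($st.Id)/fileServices/default/fileshares/$share"
$roles = [ordered]@{
    'FS-CorpData-Admins'  = 'Storage File Data SMB Share Elevated Contributor'
    'FS-CorpData-Editors' = 'Storage File Data SMB Share Contributor'
    'FS-CorpData-Readers' = 'Storage File Data SMB Share Reader'
}
foreach ($groupName in $roles.Keys) {
    $group = Get-AzADGroup -DisplayName $groupName
    if (-not $group) { throw "Group '$groupName' not found in Azure AD." }
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roles[$groupName] `
        -Scope $scope | Out-Null
}

# List what is actually assigned directly on the share.
Get-AzRoleAssignment -Scope $scope | Where-Object Scope -eq $scope |
    Select-Object DisplayName, RoleDefinitionName
```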

Configure NTFS permissions

To apply the first permissions, we need to mount the share using the access key. So grab the access key from the Access Keys tab in the storage account settings.

Access Keys tab in storage account settings

Now connect to a computer that has access to the storage account and run the following command:

Now you can edit the permissions from Windows Explorer if you wish. The following screenshot shows the permissions as seen in Windows Explorer. Once the permissions are set, you can dismount the share.

Permissions from the Windows Explorer.
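One way to script the key-based mount, the initial NTFS permissions and the dismount described above. This is an added example, not the command from the original article; the account, share, domain and group names are placeholders, and the `Azure\<account>` user name is the form assumed here for key-based mounts.

```powershell
# Added example. Run on a domain-joined machine that can reach the share.
$account = 'stfileserver001'   # placeholder storage account name
$share   = 'corp-data'         # placeholder file share name
$domain  = 'CONTOSO'           # placeholder AADDS NetBIOS domain name
$fqdn    = "$account.file.core.windows.net"

# SMB needs outbound TCP 445; fail early with a clear message if it is blocked.
if (-not (Test-NetConnection -ComputerName $fqdn -Port 445).TcpTestSucceeded) {
    throw "TCP 445 to $fqdn is blocked; the SMB mount will fail."
}

# Prompt for the key so it never lands in the script or the command history.
$key  = Read-Host -AsSecureString -Prompt "Access key for $account"
$cred = [pscredential]::new("Azure\$account", $key)

# -Persist creates a real Windows mapping, so icacls.exe can see drive Z:.
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$fqdn\$share" `
    -Credential $cred -Persist | Out-Null
try {
    icacls Z:\    # record the root ACL before changing it

    # (OI)(CI) = inherited by files and subfolders. Groups are placeholders.
    icacls Z:\ /grant "${domain}\FS-CorpData-Admins:(OI)(CI)F"
    icacls Z:\ /grant "${domain}\FS-CorpData-Editors:(OI)(CI)M"
    icacls Z:\ /grant "${domain}\FS-CorpData-Readers:(OI)(CI)RX"

    # If the first listing shows a broad grant to Authenticated Users,
    # remove it so that only the groups above have access.
    icacls Z:\ /remove:g "NT AUTHORITY\Authenticated Users"

    icacls Z:\    # confirm the resulting ACL
}
finally {
    # Always drop the key-authenticated mapping, even if an icacls call failed.
    Remove-PSDrive -Name Z -Force
}
```

The access key gives full control of every share in the account regardless of the role assignments and NTFS permissions, so the key-based session is kept as short as possible and closed in the `finally` block.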


Final result

Now you can mount the network drive from Windows Explorer without specifying your credentials, provided you are authenticated as a user that has rights on the Azure File share.

Map network drive

I try to create a file in the share and … my god it’s working !!!! 😊

Create a file in the share

If you open the Azure File share from Azure Portal, you should see your files.

Azure Portal


Thanks to Azure, you are now able to create a file server without using a single VM and fully in PaaS mode. It's an excellent use case for hybrid cloud scenarios. If you need some cache servers, you can then leverage Azure File Sync.

Romain Serre
Senior consultant at Exakis
Romain Serre works in Lyon as a Senior Consultant. He is focused on Microsoft technology, especially Hyper-V, System Center, storage, networking and Cloud OS technology such as Microsoft Azure or Azure Stack. He is an MVP and is certified as a Microsoft Certified Solution Expert (MCSE Server Infrastructure & Private Cloud), on Hyper-V and on Microsoft Azure (Implementing a Microsoft Azure Solution).