A customer with a Windows Virtual Desktop deployment needed access to several file shares for one of their applications. The integration of Azure Storage Accounts with Active Directory allows us to provide this functionality without having to deploy and maintain file services on a virtual machine.
A sketch of the environment looks something like this:
Based on the sketch above, you should think about the requirements to make this work:
- Clients that access the file share need to be joined to a domain. This can be an Azure Active Directory Domain Services (AADDS) managed domain or just plain old Active Directory Domain Services (ADDS). The steps to integrate the storage account with AADDS or AADS are different as we will see later. I will only look at ADDS integration via a PowerShell script. In this case, the WVD virtual machines are joined to ADDS and domain controllers are available on Azure.
- Users that access the file share need to have an account in ADDS that is synced to Azure AD (AAD). This is required because users or groups are given share-level permissions at the storage account level to their AAD identity. The NTFS-level permissions are given to the ADDS identity. Since this is a Windows Virtual Desktop deployment, that is already the case.
- You should think about how the clients (WVD here) connect to the file share. If you only need access from Azure subnets, then VNET Service Endpoints are a good choice. This will configure direct routing to the storage account in the subnet’s route table and also provides the necessary security as public access to the storage account is blocked. You could also use Private Link or just access the storage account via public access. I do not recommend the latter so either use service endpoints or private link.
Configuring the integration
In the configuration of the storage account, you will see the following options:
Integration with AADDS is just a click on Enabled. For ADDS integration however, you need to follow another procedure from a virtual machine that is joined to the ADDS domain.
On that virtual machine, log on with an account that can create a computer object in ADDS in an OU that you set in the script. For best results, the account you use should be synced to AAD and should have at least the Contributor role on the storage account.
Next, download the Microsoft provided scripts from here and unzip them in a folder like C:\scripts. You should have the following scripts and modules in there:
Next, add a script to the folder with the following contents and replace the <PLACEHOLDERS>:
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser .\CopyToPSPath.ps1 Import-Module -Name AzFilesHybrid Connect-AzAccount $SubscriptionId = "<YOUR SUB ID>" $ResourceGroupName = "<YOUR RESOURCE GROUP>" $StorageAccountName = "<YOUR STORAGE ACCOUNT NAME>" Select-AzSubscription -SubscriptionId $SubscriptionId Join-AzStorageAccountForAuth ` -ResourceGroupName $ResourceGroupName ` -Name $StorageAccountName ` -DomainAccountType "ComputerAccount" ` -OrganizationalUnitName "<OU DISTINGUISHED NAME> Debug-AzStorageAccountAuth -StorageAccountName $StorageAccountName -ResourceGroupName $ResourceGroupName -Verbose
Run the script from the C:\scripts folder so it can execute CopyToPSPath.ps1 and import the AzFilesHybrid module. The Join-AzStorageAccountForAuth cmdlet does the actual work. When you are asked to rerun the script, do so!
The result of the above script should be a computer account in the OU that you chose. The computer account has the name of the storage account.
In the storage account configuration, you should see the following:
Now we can proceed to granting “share-level” access rights, similar to share-level rights on a Windows file server.
Granting share-level access
Navigate to the file share and click IAM. You will see the following:
Use + Add to add AAD users or groups. You can use the following roles:
- Storage File Data SMB Share Reader: read access
- Storage File Data SMB Share Contributor: read, write and delete
- Storage File Data SMB Share Elevated Contributor: read, write and delete + modify ACLs at the NTFS level
For example, if I needed to grant read rights to the group APP_READERS in ADDS, I would grant the Storage File Data SMB Share Reader role to the APP_READERS group in Azure AD (synced from ADDS).
Like on a Windows File Server, share permissions are not sufficient. Let’s add some good old NTFS rights…
Granting NTFS Access Rights
For a smooth experience, log on to a domain-joined machine with an ADDS account that is synced to an AAD account that has at least the Contributor role on the storage account.
To grant the NTFS right, map a drive with the storage account key. Use the following command:
net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> /user:Azure\<storage-account-name> <storage-account-key>
Get the storage account key from here:
Now you can open the mapped drive in Explorer and set NTFS rights. Alternatively, you can use icacls.exe or other tools.
Mapping the drive for users
Now that the storage account is integrated with ADDS, a user can log on to a domain-joined machine and mount the share without having to provide credentials. As long as the user has the necessary share and NTFS rights, she can access the data.
Mapping the drive can be done in many ways but a simple net use Z: \\storageaccountname.file.core.windows.net\share will suffice.
Securing the connection
You should configure the storage account in such a way that it only allows access from selected clients. In this case, because the clients are Windows Virtual Desktops in a specific Azure subnet, we can use Virtual Network Service Endpoints. They can be easily configured from Firewalls and Virtual Networks:
Granting access to specific subnets results in the configuration of virtual network service endpoints and a modification of the subnet route table with a direct route to the storage account on the Microsoft network. Note that you are still connecting to the public IP of the storage account.
If you decide to use Private Link instead, you would get a private IP in your subnet that is mapped to the storage account. In that case, even on-premises clients could connect to the storage account over the VPN or ExpressRoute private peerings. Of course, using private link would require extra DNS configuration as well.
Some extra notes
- when you cannot configure the integration with the PowerShell script, follow the steps to enable the integration manually; do not forget the set the Kerberos password properly
- it is recommended to put the AD computer accounts that represent the storage accounts in a separate OU; enable a Group Policy on that OU that prevents password resets on the computer accounts
Although there is some work to be done upfront and there are requirements such as Azure AD and Azure AD Connect, using an Azure Storage Account to host Active Directory integrated file shares is recommended. Remember that it works with both AADDS and ADDS. In this post, we looked at ADDS only and integration via the Microsoft-provided PowerShell scripts.