A customer with a Windows Virtual Desktop deployment needed access to several file shares for one of their applications. The integration of Azure Storage Accounts with Active Directory allows us to provide this functionality without having to deploy and maintain file services on a virtual machine.
A sketch of the environment looks something like this:
Based on the sketch above, you should think about the requirements to make this work:
- Clients that access the file share need to be joined to a domain. This can be an Azure Active Directory Domain Services (AADDS) managed domain or just plain old Active Directory Domain Services (ADDS). The steps to integrate the storage account with AADDS or AADS are different as we will see later. I will only look at ADDS integration via a PowerShell script. In this case, the WVD virtual machines are joined to ADDS and domain controllers are available on Azure.
- Users that access the file share need to have an account in ADDS that is synced to Azure AD (AAD). This is required because users or groups are given share-level permissions at the storage account level to their AAD identity. The NTFS-level permissions are given to the ADDS identity. Since this is a Windows Virtual Desktop deployment, that is already the case.
- You should think about how the clients (WVD here) connect to the file share. If you only need access from Azure subnets, then VNET Service Endpoints are a good choice. This will configure direct routing to the storage account in the subnet’s route table and also provides the necessary security as public access to the storage account is blocked. You could also use Private Link or just access the storage account via public access. I do not recommend the latter so either use service endpoints or private link.
Configuring the integration
In the configuration of the storage account, you will see the following options:
Integration with AADDS is just a click on Enabled. For ADDS integration however, you need to follow another procedure from a virtual machine that is joined to the ADDS domain.
On that virtual machine, log on with an account that can create a computer object in ADDS in an OU that you set in the script. For best results, the account you use should be synced to AAD and should have at least the Contributor role on the storage account.
Next, download the Microsoft provided scripts from here and unzip them in a folder like C:\scripts. You should have the following scripts and modules in there:
Next, add a script to the folder with the following contents and replace the <PLACEHOLDERS>:
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
.\CopyToPSPath.ps1
Import-Module -Name AzFilesHybrid
Connect-AzAccount
$SubscriptionId = "<YOUR SUB ID>"
$ResourceGroupName = "<YOUR RESOURCE GROUP>"
$StorageAccountName = "<YOUR STORAGE ACCOUNT NAME>"
Select-AzSubscription -SubscriptionId $SubscriptionId
Join-AzStorageAccountForAuth `
-ResourceGroupName $ResourceGroupName `
-Name $StorageAccountName `
-DomainAccountType "ComputerAccount" `
-OrganizationalUnitName "<OU DISTINGUISHED NAME>
Debug-AzStorageAccountAuth -StorageAccountName $StorageAccountName -ResourceGroupName $ResourceGroupName -Verbose
Run the script from the C:\scripts folder so it can execute CopyToPSPath.ps1 and import the AzFilesHybrid module. The Join-AzStorageAccountForAuth cmdlet does the actual work. When you are asked to rerun the script, do so!
The result of the above script should be a computer account in the OU that you chose. The computer account has the name of the storage account.
In the storage account configuration, you should see the following:
Now we can proceed to granting “share-level” access rights, similar to share-level rights on a Windows file server.
Granting share-level access
Navigate to the file share and click IAM. You will see the following:
Use + Add to add AAD users or groups. You can use the following roles:
- Storage File Data SMB Share Reader: read access
- Storage File Data SMB Share Contributor: read, write and delete
- Storage File Data SMB Share Elevated Contributor: read, write and delete + modify ACLs at the NTFS level
For example, if I needed to grant read rights to the group APP_READERS in ADDS, I would grant the Storage File Data SMB Share Reader role to the APP_READERS group in Azure AD (synced from ADDS).
Like on a Windows File Server, share permissions are not sufficient. Let’s add some good old NTFS rights…
Granting NTFS Access Rights
For a smooth experience, log on to a domain-joined machine with an ADDS account that is synced to an AAD account that has at least the Contributor role on the storage account.
To grant the NTFS right, map a drive with the storage account key. Use the following command:
net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> /user:Azure\<storage-account-name> <storage-account-key>
Get the storage account key from here:
Now you can open the mapped drive in Explorer and set NTFS rights. Alternatively, you can use icacls.exe or other tools.
Mapping the drive for users
Now that the storage account is integrated with ADDS, a user can log on to a domain-joined machine and mount the share without having to provide credentials. As long as the user has the necessary share and NTFS rights, she can access the data.
Mapping the drive can be done in many ways but a simple net use Z: \\storageaccountname.file.core.windows.net\share will suffice.
Securing the connection
You should configure the storage account in such a way that it only allows access from selected clients. In this case, because the clients are Windows Virtual Desktops in a specific Azure subnet, we can use Virtual Network Service Endpoints. They can be easily configured from Firewalls and Virtual Networks:
Granting access to specific subnets results in the configuration of virtual network service endpoints and a modification of the subnet route table with a direct route to the storage account on the Microsoft network. Note that you are still connecting to the public IP of the storage account.
If you decide to use Private Link instead, you would get a private IP in your subnet that is mapped to the storage account. In that case, even on-premises clients could connect to the storage account over the VPN or ExpressRoute private peerings. Of course, using private link would require extra DNS configuration as well.
Some extra notes
- when you cannot configure the integration with the PowerShell script, follow the steps to enable the integration manually; do not forget the set the Kerberos password properly
- it is recommended to put the AD computer accounts that represent the storage accounts in a separate OU; enable a Group Policy on that OU that prevents password resets on the computer accounts
Conclusion
Although there is some work to be done upfront and there are requirements such as Azure AD and Azure AD Connect, using an Azure Storage Account to host Active Directory integrated file shares is recommended. Remember that it works with both AADDS and ADDS. In this post, we looked at ADDS only and integration via the Microsoft-provided PowerShell scripts.
baeke.info 
Is it true that Azure Files (File Shares) with Azure AD DS integration can’t be mapped on a endpoint which is azure ad joined and running in a azure ad user context?
Well, I have not exactly run into that use case so I can’t answer that with certainty.
Hi Geert,
I have issues with asses denied, i have SMB Contributor on storage account aswell as NTFS rights on a folder under.
Is there a sync delay?
That should work. The user account with NTFS rights (domain\user) is synced to the AAD user that has SMB Contributor?
Aah, i hear your.
Reading your answer made me realise the AAD Group used to assign the RBAC roles is NOT synced to our on-premise AD.
Assigning the right directly to the user on the storage account resolved the issue immediatly.
But why is that? shouldnt Azure realise there are in this instance 5 on-prem users which are synced to AD and not look into the group?
Not exactly sure what the mechanics are behind this but it’s something we hit as well. It should work with an on-prem group that’s synced to AAD as well.
Hi Geert !
I have a storage account which is domain joined (AD DS)
When i´m mapping from a domain joined machine, it works. But if i try to map in a machine outside the domain, even with the correct credentials, an password error occurs. (System error 86. The specified network password is not correct).
Is it possible to map domain joined storage account into non domain joined computer ?
Yes, as long as you provide correct credentials to do the mapping. E.g. with a net use command, use /USER:domain\username …
Hi Geert,
In my tests, i’ve already tried to map it in 2 ways:
net use i: \\storagename.file.core.windows.net\share /user:”user@domain.onmicrosoft.com” “password”
net use i: \\storagename.file.core.windows.net\share /user:”domain\user” “password”
notes:
1: user@domain.onmicrosoft.com IS the UPN of the user in AD DS (I added domain.onmicrosoft.com as suffix) to match the login in Azure AD and AD DS UPN (i’m not using custom domain yet)
2: user@domain.onmicrosoft.com IS synced in AD Connect
3: if i use the (net use i: \\storagename.file.core.windows.net\share /user:”user@domain.onmicrosoft.com” “password”) in my Domain Controller for example, i can map the drive with the user permissions. But the same command in a machine that is NOT domain joined, i get the “System error 86, incorrect password). I tried to map with windows “map network drive”, still incorrect password.
I’m opened a support ticket at Microsoft. They said is NOT POSSIBLE map a domain Joined Storage Account in a machine that is not domain joined.
In your tests did you succeed in connecting a machine outside the domain to a storage account with AD DS credentials?
Thanks.
I think so, with specifying the user credentials. It is a while ago though. To be sure, I would have to recreate the scenario which is kind of a lengthy process. I don’t have access to a similar environment at this point in time…