With the traditional file server coming to an end, it is time to move to Azure File Share with AD authentication. You will need:
- Office 365 Tenant with an Office 365 Admin account
- Active Directory on-premise environment
- AD Connect
- AzFilesHybrid: https://github.com/Azure-Samples/azure-files-samples/releases
STEP 1: First, let’s create a new storage account
Important: Make sure your storage account name is no longer than 15 characters!
STEP 2: Select from where you want to allow access to the share. Because the share only works with an active connection to a domain controller, it can make sense to allow only your office locations. For this demo we allowed all networks: I am using Always-On VPN with split tunneling, so I need it to work from any location.
STEP 3: Make sure "Secure transfer required" is set to Enabled. Leave the rest at the defaults.
STEP 4: Finally, review your configuration and press Create.
STEP 5: Once deployed, go to your newly created resource by clicking Go to resource.
STEP 6: Next, create a new file share; for the demo we call it shareddrive.
STEP 7: Download AzFilesHybrid.zip from GitHub and extract it to a location of your choice. (https://github.com/Azure-Samples/azure-files-samples/releases)
STEP 8: Open PowerShell with administrator privileges, change to the path where you extracted the files and run the following command:
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
Now run the following command
STEP 9: Now it is time to import the Azure Files Hybrid module. Run the following command:
Import-Module -name AzFilesHybrid
It might be that an update is required. If so, first update the PowerShellGet part. You will get errors at the end; close the PowerShell window when completed and rerun the import command.
Run the command again:
Import-Module -name AzFilesHybrid
STEP 10: Connect to Azure with a Global Administrator account that is also a subscription administrator.
Result should look like this:
STEP 11: Now make sure we select the subscription in which your storage account resides:
Select-AzSubscription -SubscriptionName "<SUBSCRIPTION NAME>"
Note: These commands must be run from a computer/server that is joined to the Active Directory (AD) domain. The command runs with the rights of the user who is logged on and running the PowerShell session, so that user needs domain administrator rights or the delegated rights needed to create the computer account. It does not have to be a domain controller, but the command uses the ActiveDirectory PoSH module, so running it from a domain controller could be easier.
Note: The OU (friendly) name (not the DN) is the OU in which the computer account used for the AD connection will be stored. Make sure the permissions on that OU are correct. You can leave this empty; the computer account will then be created directly under the domain root (not in the Computers OU).
STEP 12: Now run the following command, using the resource group and storage account names from step 4:
Join-AzStorageAccountForAuth -ResourceGroupName "<resource group name>" -Name "<storage account name>" -DomainAccountType "ComputerAccount" -OrganizationalUnitName "<OU Friendly name>"
The account should now be visible in AD.
STEP 13: Let's review the status of the activation; you should see a screen like the one below, with your domain name in it.
STEP 14: Now it is time to grant AD users access to the share. This is similar to the Share permissions feature in Windows.
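The PowerShell sequence for steps 9 through 13, as an added example that is not part of the original post: it imports the module, signs in, pins the subscription, runs the join from the page, and then verifies the result both on the Azure side and in AD instead of relying on a screenshot. The placeholder values in angle brackets are the same ones the post uses and must be replaced; the Get-AzStorageAccount property names and the Debug-AzStorageAccountAuth cmdlet from the AzFilesHybrid module are assumed from the module's documentation.

```powershell
# Added example, not the post's own commands. Run on a domain-joined machine
# with the AzFilesHybrid and ActiveDirectory modules available.
# <SUBSCRIPTION NAME>, <resource group name>, <storage account name> and
# <OU Friendly name> are placeholders that must be replaced.
Import-Module -Name AzFilesHybrid
Import-Module -Name ActiveDirectory

# Steps 10 and 11: sign in and pin the subscription that holds the storage account
Connect-AzAccount
Select-AzSubscription -SubscriptionName "<SUBSCRIPTION NAME>"

$ResourceGroupName  = "<resource group name>"
$StorageAccountName = "<storage account name>"   # max 15 characters: it becomes an AD computer account name

# Step 12: register the storage account in AD as a computer account
Join-AzStorageAccountForAuth `
    -ResourceGroupName $ResourceGroupName `
    -Name $StorageAccountName `
    -DomainAccountType "ComputerAccount" `
    -OrganizationalUnitName "<OU Friendly name>"

# Step 13: confirm the storage account now reports AD DS as its directory service
$account = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$auth    = $account.AzureFilesIdentityBasedAuth
if ($auth.DirectoryServiceOptions -ne "AD") {
    throw "Storage account is not AD-enabled (DirectoryServiceOptions = $($auth.DirectoryServiceOptions))"
}
"AD DS domain: $($auth.ActiveDirectoryProperties.DomainName)"
"Domain SID:   $($auth.ActiveDirectoryProperties.DomainSid)"

# The computer account created in AD carries the same name as the storage account;
# check it landed in the OU you intended and carries the expected SPN
Get-ADComputer -Identity $StorageAccountName -Properties DistinguishedName, ServicePrincipalNames |
    Select-Object Name, DistinguishedName, ServicePrincipalNames

# Optional: the module's own diagnostic cmdlet walks through the common failure points
# (assumed from the AzFilesHybrid documentation)
Debug-AzStorageAccountAuth -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName -Verbose
```

If DirectoryServiceOptions comes back as "None", the join did not complete; rerun it from a session whose user has rights on the target OU before moving on to the role assignments.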
There are 3 roles to provision:
- Storage File Data SMB Share Elevated Contributor (Full Access)
- Storage File Data SMB Share Contributor (Read + Write)
- Storage File Data SMB Share Reader (Read)
Make sure to grant the admin account that will set the NTFS permissions the Elevated Contributor role.
STEP 15: Map and test the share. I've created 2 folders with different NTFS permissions. Although it might be obvious, make sure there is an active connection to a domain controller, and map and test the drive on a domain-joined machine.
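Step 14 done from PowerShell rather than the portal, as an added example that is not part of the original post. It assigns the three roles from the list above at the scope of the single share (not the whole storage account), gives everyday users their role through AD-synced security groups instead of one assignment per person, and finishes by listing what is actually granted on the share. The admin UPN "admin@contoso.com" and the group names "FileShare-RW" and "FileShare-RO" are made-up placeholders; the share-scope resource ID format is assumed from the Azure Files documentation.

```powershell
# Added example, not the post's own commands. Assumes the security groups
# FileShare-RW and FileShare-RO exist in AD and are synced to Azure AD by AD Connect.
$SubscriptionId     = (Get-AzContext).Subscription.Id
$ResourceGroupName  = "<resource group name>"
$StorageAccountName = "<storage account name>"
$ShareName          = "shareddrive"

# Scope the assignments to this one file share, so a role here grants nothing on other shares
$ShareScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
              "/providers/Microsoft.Storage/storageAccounts/$StorageAccountName" +
              "/fileServices/default/fileshares/$ShareName"

# The admin that will set NTFS permissions needs Elevated Contributor (placeholder UPN)
New-AzRoleAssignment -SignInName "admin@contoso.com" `
    -RoleDefinitionName "Storage File Data SMB Share Elevated Contributor" `
    -Scope $ShareScope

# Read + Write for the synced RW group
$rwGroup = Get-AzADGroup -DisplayName "FileShare-RW"
New-AzRoleAssignment -ObjectId $rwGroup.Id `
    -RoleDefinitionName "Storage File Data SMB Share Contributor" `
    -Scope $ShareScope

# Read only for the synced RO group
$roGroup = Get-AzADGroup -DisplayName "FileShare-RO"
New-AzRoleAssignment -ObjectId $roGroup.Id `
    -RoleDefinitionName "Storage File Data SMB Share Reader" `
    -Scope $ShareScope

# Review what is granted on the share (including assignments inherited from higher scopes);
# any principal you do not recognise here is an access path you did not intend
Get-AzRoleAssignment -Scope $ShareScope |
    Where-Object { $_.RoleDefinitionName -like "Storage File Data SMB Share*" } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
```

Keep in mind that these share-level roles are the first gate only: a user with Contributor still needs matching NTFS permissions on the folder to actually read or write it, which is what step 15 sets up.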
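Step 15 as a repeatable script, added here as an example that is not part of the original post. It checks the two prerequisites the step calls out (a reachable domain controller and SMB to the share), maps the drive under the logged-on domain identity, creates the two demo folders and gives them different NTFS ACLs with icacls, then dumps the resulting ACLs for review. The folder names Finance and Public, the domain CONTOSO and the groups FileShare-RW and FileShare-RO are placeholders.

```powershell
# Added example, not the post's own commands. Run on a domain-joined machine as the
# admin that holds the Elevated Contributor role on the share.
$StorageAccountName = "<storage account name>"
$ShareName          = "shareddrive"
$Endpoint           = "$StorageAccountName.file.core.windows.net"
$UncPath            = "\\$Endpoint\$ShareName"

# Pre-flight 1: the machine must be able to talk to a domain controller (Kerberos ticket for the share)
if (-not (Test-ComputerSecureChannel)) {
    throw "No working secure channel to a domain controller; connect to the corporate network or VPN first"
}
# Pre-flight 2: outbound TCP 445 to the storage endpoint must be open (often blocked by ISPs and guest networks)
$smb = Test-NetConnection -ComputerName $Endpoint -Port 445
if (-not $smb.TcpTestSucceeded) {
    throw "TCP 445 to $Endpoint is blocked from here; the share cannot be mounted"
}

# Map the share with the logged-on AD identity; no storage account key is used or stored
New-PSDrive -Name Z -PSProvider FileSystem -Root $UncPath -Persist -ErrorAction Stop

# Two folders with different NTFS permissions, as in the demo
New-Item -ItemType Directory -Path "Z:\Finance", "Z:\Public" -Force | Out-Null

# Finance: explicit ACEs first, then cut inheritance so only these ACEs remain
icacls "Z:\Finance" /grant "CONTOSO\Domain Admins:(OI)(CI)F" "CONTOSO\FileShare-RW:(OI)(CI)M" "CONTOSO\FileShare-RO:(OI)(CI)RX"
icacls "Z:\Finance" /inheritance:r

# Public: every domain user may read, the RW group may change files
icacls "Z:\Public" /grant "CONTOSO\Domain Users:(OI)(CI)RX" "CONTOSO\FileShare-RW:(OI)(CI)M"

# Show the effective NTFS ACLs so the result can be reviewed before users are pointed at the share
Get-Acl "Z:\Finance" | Format-List Owner, AccessToString
Get-Acl "Z:\Public"  | Format-List Owner, AccessToString

# To test from a regular user's session: map the same UNC path and run
#   klist
# which should show a cifs/<storage account>.file.core.windows.net service ticket,
# proving the access was granted to the AD user and not through a storage key.
```

A cheap check after the first mapping is to try the same steps from a machine that is off the VPN: the Test-ComputerSecureChannel or Test-NetConnection call should fail there, which is exactly the "needs an active connection to a domain controller" condition the step describes.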