Setup Azure File Share with Entra ID hybrid identities
Posted On October 30, 2023
I hear a lot of people that want to get rid of their traditional file server and don’t want to move to SharePoint for various reasons. As an alternative we can use Azure File Share with integrated Entra ID authentication. This manual contains al the information required to setup an Azure File Share and map the network drive’s.
Identities need to be Hybrid (a on-prem AD is required)
Windows 10/11 Pro/Enterprise and/or Server 2019 or later.
On the new page from the Marketplace search for Storage Account
Now select or create a new Resource group, pick a name for your storage account, select a region and choose your performance tier and redundancy.
On the advanced tab, change settings according to your needs. For this manual I left all settings in the default position.
On the network tab, you can change the network access. I recommend to only allow access from networks that require access. When deployed, you can also choose to deploy an Private Endpoint for internal access to allow only connectivity via (client) VPN.
For this manual I left Dataprotection and Encryption to the default value’s, feel free to change them to your own requirements. Now create the fileshare.
STEP 2: Create the File share
From your new Storage account, go to File shares, and click on + File share
Now create a name for your file share, change the Tier to your needs:
Premium: Storage placed on SSD drives. High performance and low latency
Transaction optimized: Storage placed on Spinning hard drives.
Hot: Storage placed on HDD drives, slower but cheaper than transaction optimized.
Cool: Cheapest option on HDD drives, slower than hot tier, used for infrequently used files.
Create your fileshare on the review tab.
STEP 3: Configure Access controll
Now go back to File shares. From the new page click on the Not configured link after Identity-based access.
On the new page click on the Set up link in the Microsoft Entra Kerberos box. On the new slide make sure to select the checkbox with Microsoft Entra Kerberos. Click Save when ready. This will update your fileshare, and will take a few seconds.
Now choose what you want to do with the permissions. you can either choose to grant permissions to all authenticated users, or leave the permissions to default disabled.
To assign permissions using the role assignment blade after this wizards completes, or when selecting permissions in this view, select one of the following roles. Important, if you want to use groups to assign permissions, these groups need to be created in the on-prem AD and synced to Entra ID!
Storage File Data SMB Share Reader
Storage File Data SMB Share Contributor
Storage File Data SMB Share Elevated Contributor
For this manual I just granted all users Contributor access.
STEP 4: Grant admin consent to new service principal
Before the authentication can work, we will need to grant the auto-generated Microsoft Entra Application admin consent. This application is not used for authorization to the fileshare. Don’t make any changes to this application, or the authentication on the fileshare might not work.
Go to Microsoft Entra ID, App registrations.
Go to All applications, and select the application with the name matching [Storage Account] storageaccountname. See the image below as an example
From the API permissions page make sure to click on Grant admin cnosent for <Entra Environment name>
If you’re connecting to a storage account via a private endpoint/private link using Microsoft Entra Kerberos authentication, you’ll also need to add the private link FQDN to the storage account’s Microsoft Entra application. For instructions, see the entry in the Microsft troubleshooting guide.
Microsoft Entra Kerberos doesn’t support using MFA to access Azure file shares configured with Microsoft Entra Kerberos. You must exclude the Microsoft Entra app representing your storage account from your MFA conditional access policies if they apply to all apps.
Optional: Go to Microsoft Entra ID Conditional Access Policies
The storage account app should have the same name as the storage account in the conditional access exclusion list. When searching for the storage account app in the conditional access exclusion list, search for: [Storage Account] storageaccountname
While you have to disable MFA for fileshare access. You could create a Conditional Access policy to only grant access from Trusted devices.
STEP 6: Configure the clients to retrieve Kerberos ticketsusing intune
By default clients don’t retrieve kerberos tickets for the authentication to take place. So we will need to enable the retrieval of kerberos tickets.
Go to the intune portal, go to devices, configuration profiles and click on + Create Profile
Select Templates with the Profile Type and select a Custom template name
Give your new configuration profile a logical name, and click next.
On the Configurations tab click on Add.
Next step is to create the OMA-URI setting.
Name: Provide a logical name for the OMA-URI setting to distinguish it from other similar settings.
Description: (Optional) Provide a description for the OMA-URI setting
OMA-URI: Specify the value: ./Device/Vendor/MSFT/Policy/Config/Kerberos/CloudKerberosTicketRetrievalEnabled
Data type: Select Integer as value
Value: Specify 1 as value
On the next tab we will need to assign the setting. Either choose a group, but if it is a company wide share you might want to add all devices
Review the settings and finalize the configuration profile.
Easiest step to test your setup is to copy the script from the Storage Account, File Share page.
The result should look like this, and there should be no authentication prompt.
Troubleshooting (possible errors)
Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port.
If you get the above error, your provider might be blocking outgoing port 445 to the internet. Try using a Full VPN tunnel to the Office or another provider to get access to this port. Run a simple test to your own fileshare like the command below.
The system cannot contact a domain controller to service the authentication request
If you forget step 4, this might happen. Go back to step 4 and try again.
System error 1327
“System error 1327: Account restrictions are preventing this user from signing in. For example: blank passwords aren’t allowed, sign-in times are limited, or a policy restriction has been enforced.” Go to step 5 and make sure that MFA is disabled for the storage account