Set up Azure File Share with Entra ID hybrid identities

I hear a lot of people who want to get rid of their traditional file server and don’t want to move to SharePoint for various reasons. As an alternative we can use an Azure file share with integrated Entra ID (Microsoft Entra Kerberos) authentication. This manual contains all the information required to set up an Azure file share and map the network drives.

Requirements:

  • Identities need to be hybrid: an on-premises AD is required, with the users (and any groups you want to use for permissions) synchronized to Entra ID. Cloud-only accounts cannot authenticate with Microsoft Entra Kerberos.
  • Windows 10/11 Pro/Enterprise and/or Windows Server 2019 or later, Entra joined or hybrid Entra joined.
  • Outbound TCP 445 from the client to <storageaccountname>.file.core.windows.net, either directly or over a VPN/ExpressRoute path (see the troubleshooting section).

STEP 1: Create the storage account

Go to the Azure Portal and create a new resource.

On the Marketplace page, search for Storage account.

Select or create a resource group, pick a name for the storage account, select a region, and choose the performance tier and redundancy. The Premium performance tier (account type File shares, a FileStorage account) is required for premium file shares; Standard covers the transaction optimized, hot and cool tiers described in step 2.

On the Advanced tab, change settings according to your needs. For this manual I left all settings in the default position. Leave Require secure transfer enabled: for SMB it means only encrypted SMB 3.x connections are accepted, so the share cannot be mounted over unencrypted SMB from the internet.

On the Networking tab you can restrict network access. Only allow access from the networks that actually need it (selected virtual networks and your public egress IP ranges) instead of all networks. You can also add a Private Endpoint, now or after deployment, so the share is only reachable on an internal address, for example over a (client) VPN. Note that when a private endpoint is combined with Microsoft Entra Kerberos, the private link FQDN has to be added to the storage account’s Entra application (see step 4).

For this manual I left Data protection and Encryption at their default values; feel free to change them to your own requirements. Now create the storage account from the Review + create tab.

STEP 2: Create the File share

From the new storage account, go to File shares and click + File share.

Now pick a name for the file share and choose the tier that fits your workload. The three standard tiers all run on the same HDD-backed infrastructure; they differ in how you pay (storage price versus transaction price), not in latency:

  • Premium: SSD-backed, consistent low latency and high IOPS. Only available on a premium (FileStorage) account.
  • Transaction optimized: standard tier for transaction-heavy workloads. Highest storage price of the standard tiers, lowest per-transaction price.
  • Hot: standard tier for general purpose file sharing. Cheaper storage than transaction optimized, more expensive transactions.
  • Cool: standard tier for infrequently accessed data. Lowest storage price, highest per-transaction price.

Create the file share from the Review + create tab.

STEP 3: Configure access control

Now go back to File shares and open the new share. Next to Identity-based access, click the Not configured link.

On the new page click Set up in the Microsoft Entra Kerberos box. On the new slide, select the Microsoft Entra Kerberos checkbox. The pane also asks for the on-premises domain name and domain GUID: they are optional for share-level access, but required if you later want to edit Windows (NTFS) ACLs on folders through File Explorer. Click Save when ready. This updates the file share and takes a few seconds.

Now choose what to do with the default share-level permissions. You can either grant a role to all authenticated users and groups, or leave it at the default (no permissions) and assign roles explicitly.

To assign permissions, either in this view or later from the share’s Access control (IAM) blade, use one of the following roles. Important: if you want to use groups to assign permissions, these groups need to be created in the on-prem AD and synced to Entra ID! Cloud-only groups do not work with Microsoft Entra Kerberos.

  1. Storage File Data SMB Share Reader: read files and directories.
  2. Storage File Data SMB Share Contributor: read, write and delete files and directories.
  3. Storage File Data SMB Share Elevated Contributor: as Contributor, plus modify Windows ACLs.

The share-level role is the upper bound of what a user can do. Windows ACLs on the folders and files still apply on top of it, so a Contributor can be locked out of a folder by NTFS permissions, and changing those ACLs needs at least Elevated Contributor (or a mount with the storage account key).

For this manual I just granted all users Contributor access.

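Steps 1 to 3 can also be scripted. The following is an added example with Az PowerShell and is not the original post’s script; the resource group, storage account, share, egress range, on-prem domain and group names are placeholders you have to replace, and it assumes a domain-joined admin workstation with RSAT (for Get-ADDomain) and the Az modules installed. It deliberately leaves the default share permission at None and assigns the role to a synced AD group at share scope, rather than granting all authenticated users Contributor.

```powershell
#Requires -Modules Az.Accounts, Az.Resources, Az.Storage, ActiveDirectory
# Added example (not from the original post): steps 1-3 from PowerShell.
# All names below are placeholders; replace them with your own values.
$rg        = 'rg-files'
$account   = 'contosofiles01'            # 3-24 lowercase letters/digits, globally unique
$share     = 'company'
$location  = 'westeurope'
$officeIps = @('203.0.113.0/24')         # your public egress ranges (documentation range here)
$adDomain  = 'corp.contoso.com'          # on-prem AD DNS name the hybrid identities come from
$adGuid    = (Get-ADDomain -Identity $adDomain).ObjectGUID.ToString()
$groupName = 'FileShare-Users'           # group created in on-prem AD and synced to Entra ID

Connect-AzAccount | Out-Null
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# STEP 1: storage account. Secure transfer (encrypted SMB 3.x only), TLS 1.2 minimum,
# no anonymous blob access, then lock the firewall down to the office ranges.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $account -Location $location `
        -SkuName Standard_LRS -Kind StorageV2 -EnableHttpsTrafficOnly $true `
        -MinimumTlsVersion TLS1_2 -AllowBlobPublicAccess $false
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account `
        -DefaultAction Deny -Bypass AzureServices | Out-Null
foreach ($cidr in $officeIps) {
    Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account -IPAddressOrRange $cidr | Out-Null
}

# STEP 2: the share. AccessTier is TransactionOptimized, Hot or Cool on a standard account;
# Premium needs a FileStorage account instead.
New-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $account -Name $share `
        -AccessTier TransactionOptimized -QuotaGiB 100 | Out-Null

# STEP 3: enable Microsoft Entra Kerberos for hybrid identities. Domain name and GUID are what
# later allows Windows ACLs to be edited from File Explorer.
Set-AzStorageAccount -ResourceGroupName $rg -Name $account `
        -EnableAzureActiveDirectoryKerberosForFile $true `
        -ActiveDirectoryDomainName $adDomain -ActiveDirectoryDomainGuid $adGuid | Out-Null
# Default share-level permission None: nobody gets in until a role is assigned (least privilege).
Set-AzStorageAccount -ResourceGroupName $rg -Name $account -DefaultSharePermission None | Out-Null

# Share-level RBAC on the share itself (not the whole account) for the synced AD group.
$group      = Get-AzADGroup -DisplayName $groupName
$shareScope = "$($sa.Id)/fileServices/default/fileshares/$share"
New-AzRoleAssignment -ObjectId $group.Id `
        -RoleDefinitionName 'Storage File Data SMB Share Contributor' -Scope $shareScope | Out-Null

# Check: DirectoryServiceOptions should read AADKERB and DefaultSharePermission None.
(Get-AzStorageAccount -ResourceGroupName $rg -Name $account).AzureFilesIdentityBasedAuth |
    Select-Object DirectoryServiceOptions, DefaultSharePermission
```

Role assignments can take a few minutes to propagate, so do not judge the result from the first mount attempt. The IP rules only cover clients that reach the public endpoint; clients inside Azure virtual networks need a virtual network rule or the private endpoint mentioned in step 1.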

STEP 4: Grant admin consent to the new service principal

Before authentication can work, the auto-generated Microsoft Entra application (named [Storage Account] storageaccountname) needs admin consent for the openid and profile permissions it requests from Microsoft Graph. This application is only used by Entra ID to issue Kerberos tickets for the storage account; share permissions are not assigned on it. Don’t make any other changes to this application, or authentication to the file share may stop working.

Go to Microsoft Entra ID, App registrations.

Go to All applications and select the application named [Storage Account] storageaccountname.

On the API permissions page, click Grant admin consent for <Entra environment name> and confirm. The status column for openid and profile should change to Granted.

If you’re connecting to the storage account via a private endpoint/private link with Microsoft Entra Kerberos authentication, you’ll also need to add the private link FQDN (storageaccountname.privatelink.file.core.windows.net) to the storage account’s Microsoft Entra application. For instructions, see the corresponding entry in the Microsoft troubleshooting guide.

Microsoft Entra Kerberos doesn’t support using MFA to access Azure file shares configured with Microsoft Entra Kerberos. You must exclude the Microsoft Entra app representing your storage account from your MFA conditional access policies if they apply to all apps.

STEP 5: Exclude the storage account app from MFA Conditional Access policies

Go to Microsoft Entra ID, Conditional Access, Policies.

In the Conditional Access exclusion list the storage account app has the same name as the storage account. Open every enabled policy that requires MFA for all cloud apps, and under Target resources, Exclude, search for: [Storage Account] storageaccountname

Because MFA has to be excluded for file share access, compensate with a Conditional Access policy that targets only this app and requires a compliant or hybrid Entra joined device, so the share is only reachable from trusted devices.
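Steps 4 and 5 are easy to forget, and both failure modes show up later only as cryptic client errors. The following added example (Microsoft Graph PowerShell, not part of the original post) finds the auto-generated application, grants the tenant-wide consent if it is missing, and lists every enabled Conditional Access policy that still requires MFA for it. The storage account name is a placeholder; the script assumes the Microsoft.Graph modules are installed and that you sign in with a role that may grant consent (Global Administrator or Privileged Role Administrator).

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns
# Added example (not from the original post): verify steps 4 and 5 with Microsoft Graph PowerShell.
$storageAccount = 'contosofiles01'   # placeholder
Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.ReadWrite.All', 'Policy.Read.All' | Out-Null

# STEP 4: the auto-generated application is named "[Storage Account] <name>".
$sp = Get-MgServicePrincipal -Filter "displayName eq '[Storage Account] $storageAccount'"
if (-not $sp) { throw "Storage account app not found; enable Microsoft Entra Kerberos on the share first (step 3)." }

# Microsoft Graph's well-known appId; the storage app requests openid and profile from it.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

$grant = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id |
         Where-Object { $_.ResourceId -eq $graphSp.Id -and $_.ConsentType -eq 'AllPrincipals' }
if (-not $grant) {
    Write-Host "No tenant-wide consent yet; granting 'openid profile' (same as Grant admin consent in the portal)."
    New-MgOauth2PermissionGrant -BodyParameter @{
        clientId    = $sp.Id
        consentType = 'AllPrincipals'
        resourceId  = $graphSp.Id
        scope       = 'openid profile'
    } | Out-Null
} else {
    Write-Host "Admin consent already present: $($grant.Scope)"
}

# STEP 5: Conditional Access policies reference apps by appId, not object id. Flag every enabled
# policy that requires MFA (built-in control or an authentication strength) and still covers this app.
foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($p.State -ne 'enabled') { continue }
    $apps        = $p.Conditions.Applications
    $requiresMfa = ($p.GrantControls.BuiltInControls -contains 'mfa') -or
                   ($null -ne $p.GrantControls.AuthenticationStrength.Id)
    $coversApp   = (($apps.IncludeApplications -contains 'All') -or ($apps.IncludeApplications -contains $sp.AppId)) -and
                   ($apps.ExcludeApplications -notcontains $sp.AppId)
    if ($requiresMfa -and $coversApp) {
        Write-Warning "Policy '$($p.DisplayName)' requires MFA and still applies to '$($sp.DisplayName)'; exclude appId $($sp.AppId) from it."
    }
}
```

Add the exclusion itself in the portal as described above; the warning tells you which policies to open. Run the script again afterwards until it prints no warnings, and keep it as a periodic check, because a newly created tenant-wide MFA policy silently breaks the share again.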

STEP 6: Configure the clients to retrieve Kerberos tickets using Intune

By default, clients don’t retrieve a cloud Kerberos ticket-granting ticket from Entra ID during sign-in, so authentication to the share cannot take place. We therefore need to enable cloud Kerberos ticket retrieval on the devices. Intune is used below; on machines that are not Intune managed, the same setting is available as the Group Policy Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon (Computer Configuration, Administrative Templates, System, Kerberos).

Go to the Intune portal, Devices, Configuration profiles, and click + Create profile.

Select Windows 10 and later as platform, Templates as profile type and Custom as the template name.

Give your new configuration profile a logical name and click Next.

On the Configuration settings tab click Add.

The next step is to create the OMA-URI setting:

  • Name: a logical name for the OMA-URI setting, to distinguish it from other similar settings.
  • Description: (optional) a description for the OMA-URI setting.
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Kerberos/CloudKerberosTicketRetrievalEnabled
  • Data type: Integer
  • Value: 1

On the Assignments tab, assign the profile. Choose a device group, or, if it is a company-wide share, All devices. This is a device-scoped (./Device) policy, so target devices rather than users.

Review the settings and finalize the configuration profile.

Once the profile has applied (users need a fresh sign-in before the cloud ticket is retrieved), we can test, and deploy a drive mapping using the following manual: Create a drive mapping using Intune on Azure AD joined devices (Manual) | 2 Azure

The easiest way to test the setup is to copy the connect script from the storage account (File shares, your share, Connect), choosing Active Directory as the authentication method so the drive is mounted with the signed-in identity and not with the storage account key.

The result should look like this: the drive is mapped, the share contents are listed, and there is no authentication prompt.

Troubleshooting (possible errors)

Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port.

If you get the above error, your provider may be blocking outbound port 445 to the internet. Try a full-tunnel VPN to the office, another provider, or one of the Azure paths mentioned in the error, and run a simple connectivity test against your own file share, for example Test-NetConnection -ComputerName storageaccountname.file.core.windows.net -Port 445 in PowerShell.
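The client-side checks from step 6, the test section and the port 445 troubleshooting entry fit in one script. The following is an added example, not the portal’s connect script or anything from the original post. The storage account and share names are placeholders; the registry value it reads is the documented manual form of the CloudKerberosTicketRetrievalEnabled setting that the Intune OMA-URI in step 6 configures.

```powershell
# Added example (not from the original post): verify a client end to end.
# Placeholders: storage account and share name. Run in the signed-in (hybrid) user's session.
$account = 'contosofiles01'
$share   = 'company'
$fqdn    = "$account.file.core.windows.net"
$unc     = "\\$fqdn\$share"

# 1) Is cloud Kerberos ticket retrieval enabled on this device? This is the registry form of the
#    step 6 setting (reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
#    /v CloudKerberosTicketRetrievalEnabled /t REG_DWORD /d 1 sets it by hand).
$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$reg = Get-ItemProperty -Path $kerbParams -Name CloudKerberosTicketRetrievalEnabled -ErrorAction SilentlyContinue
if ($reg.CloudKerberosTicketRetrievalEnabled -ne 1) {
    Write-Warning 'CloudKerberosTicketRetrievalEnabled is not 1: the Intune profile has not applied yet. After it does, sign out and back in.'
}

# 2) Port 445 reachability: the same check the portal's connect script performs. A failure here is
#    the "Unable to reach the Azure storage account via port 445" error from the troubleshooting section.
$tnc = Test-NetConnection -ComputerName $fqdn -Port 445
if (-not $tnc.TcpTestSucceeded) {
    throw "TCP 445 to $fqdn is blocked (ISP or firewall); use a VPN/ExpressRoute path or a private endpoint."
}

# 3) Map the drive with the signed-in identity: no -Credential, no storage account key.
if (Get-PSDrive -Name Z -ErrorAction SilentlyContinue) { Remove-PSDrive -Name Z -Force }
New-PSDrive -Name Z -PSProvider FileSystem -Root $unc -Persist -Scope Global | Out-Null
Get-ChildItem -Path 'Z:\' | Select-Object -First 5 Name, Length, LastWriteTime

# 4) Prove Kerberos was used: the ticket cache should contain a cifs/ service ticket for the share
#    issued by the cloud realm KERBEROS.MICROSOFTONLINE.COM. An empty result with a working mount
#    means the share was reached another way (for example with the key) and identity auth is not in use.
$tickets = klist | Select-String -SimpleMatch -Pattern "cifs/$fqdn", 'KERBEROS.MICROSOFTONLINE.COM'
if ($tickets) { $tickets } else { Write-Warning 'No cloud Kerberos ticket for the share found in klist output.' }
```

If the mount fails with "The system cannot contact a domain controller" or "System error 1327", the client side is fine and the cause is in step 4 or step 5 respectively, as described below. Removing the Z: mapping again is Remove-PSDrive -Name Z -Force.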

The system cannot contact a domain controller to service the authentication request

This happens when step 4 (admin consent for the storage account application) was skipped. Go back to step 4 and try again.

System error 1327

“System error 1327: Account restrictions are preventing this user from signing in. For example: blank passwords aren’t allowed, sign-in times are limited, or a policy restriction has been enforced.” A Conditional Access policy is still requiring MFA for the storage account app. Go to step 5 (the Conditional Access exclusion) and make sure the storage account app is excluded from every policy that requires MFA.

More information:

Enable admin-level read and write access to Azure file shares using Microsoft Entra ID with Azure Files OAuth over REST | Microsoft Learn

Kerberos Policy CSP – Windows Client Management | Microsoft Learn

Policy CSP – Windows Client Management | Microsoft Learn
