Azure Files SMB Access with Windows AD

Great video Travis, very well done video. Your cadence and thoughtful presentations make configuring these services a snap.

My Company has just started using Azure and I have gone through some of your videos. I can`t thank you enough for making these videos. they are the best, very helpful and very educational

man, I am starting my journey in IT and I just started on july this year with Azure, so I have a lot to learn, I want to thank you and encourage to keep up this awesome job because it's very valuable to some of us

ohh MY Thanks... been looking on microsoft articles for a looong time but this made great sense and worked like a charm .. thanks.

This is an excellent walk thru to get Azure Storage Account join to Domain and use it as SMB file share. Thank you very much.

Awesome video Travis! This was super clear and straightforward and worked. This is helping me build out my test environment before I go live later this year! A++++

Travis, you are a legend. Cant be explained in any better way.

Thank You.. Your Videos are great.. i have been looking for this.. Your video explains it very clearly.

Espectacular video, muchas gracias Travis nuevamente.

Amazing video, many thanks for your share !

Thank you so much!!!
That video helped a lot =)

Thank you very much. You saved me. Good job!!

Thx, great video!

This is awesome Travis thank you so much. Just a quick one can we have DFS management pointing to the storage location directly . Or to use DFS we will need to use File Server Sync

Hi, thanks for the video. I'm currently trying to implement Azure File Share as file server within our on prem AD. I can successfully mount the share as a network drive like what you did in this video, but what we are trying to do is to map different folders from the file share as mapped drives automatically through Group Policy Objects. So different departments will see their own 'work drives' mounted on their laptop/workstation automatically. Can you advise what's the proper way to do so? Thanks.

Thanks. Do you have a video to what would be the best way to setup a fileserver on azure for sensitive information like a lawyer office or broker

If you have a hybrid setup, can you set up AADDS for a specific domain and use the SMB file share the way you would with "cloud only" setup and sort of ignore the fact that you have a hybrid setup? I ask because the users accessing wvd would be AAD created users, not synced from AD connect.... thanks in advance

Hello Travis,
Thank you for the very good video!
Should the serviceLogonAccount 'cirfiletest01' be synchronized with Azure AD? In short, does service account hybrid identity or Windows AD only ?
Thank you

Great Video!

Travis that was awesome and how can we map the File Share on the client's workstations via the group policy?

How Can I use the old folder level securities from on-premises AD to new Azure file share folders?

Have always loved your videos my man. First time posting a question here. What is a solution in Azure or Windows to auto-deploy and Azure File Share to Windows VMs as a drive letter? I have tried using the PowerShell connect script to run on startup via GPO but have been unsuccessful. Thanks!

Hi Travis!
I just followed your instructions. One thing I noticed is that the administrator can’t set/edit permissions past 2nd level of folders. any thoughts on how to fix this?

Thank you for the great video but I am facing an issue with Join domain command, after I run it, I receive following error:
ensure-kerb key exists : caught exception: an operation is currently performing on this storage account that requires exclusive access.
Can you help?

Thanks Travis. Does this setup work as well for azure AD connected users who aren't sitting in the vnet?

Can you mount file share to a non-domain computer using active directory(Not using Acces Key)? or at least by entering the file share UNC on the non-domain computer, and supply a username and password?

My scenario was a bit different to this one - we already have AD DS setup on VMs in Azure, so can't have hybrid accounts (neither would we want to because it would clutter our Azure users up with AD users). The alternate method was to apply share level access for everyone, which is again done with yet more Powershell script.

Would you recommend using a File Share over an attached VHD? Price is no object. Speed is. So, I guess, which is fastest? - just to delve a tad deeper, would either be good enough for housing a database file that is constantly in use such as QuickBooks. Or would that type of DB file be better being on the same VHD as the OS on the VM?
Great Videos by the way! Mostly interested in Azure.

Hey Travis. How does this work with mounting via P2S VPN?

Well can you use Group Policy to Map for users instead of NET USE? Can you not add a drive letter and assign the path similar to how we do regular files share?

Great video and thanks for sharing but one thing that I feel a lot of videos if not, all videos overlook is mounting this for any user that connects to the VM. How can I have it so the drive is mapped for all users? I don’t want to manually mount the drive per user.

Great video, i have a question for you. Can a synchronized user on an azure ad joinded device access Azure File share ?

What would happen if I need a service account connect to that Azure File?

Did you have a procedure for configuring a MFP device to Scan to SMB on a Azure Share Folder?

Does it work over AT&T UVerse?

Can we sync between windows server wrokgroup with azure? thx

i'm trying to configure the File share from the scratch. we don't have any on premises AD . We installed only ADDS in Azure. Travis can you help me out in this. pls Send me the Step by step guide or video that help me. it will be a very grateful help. As i'm new to azure.

Hello Travis, I am a Beginner in azure, and I have a big question, I need to enable Azure flies or Storage Sync with AD authentication (on primises), but I need to limit access to the administrators of my domain in on primeses, is it possible to do that?

Hey, when i do this, i get
Assert-IsNativeAD : The cmdlet is stopped due to the storage account '' having the DirectoryServiceOptions value: 'None'. The DirectoryServiceOptions for the account needs to be 'AD' in order to run the cmdlet.
what could be going wrong here?

About 17:09 - Configure NTFS access
What is the purpose of adding role assignments through Access Control (IAM) if you can apply NTFS permissions from a Windows computer?

Great Video! Thank a lot Travis. However, I have follow your steps but finally struck at when login with an AD users and try to mounting storage map drive letter. I got the NET USE command always prompt require the username and password? But in your video I don't see you have enter any credentail ( minute 22:46). Can you advise on this?

Travis, one thing I don't quite get: Consider my on-prem file server, I have a structure of folders which I granted permissions to many users and groups, inside one of those folders I create a new folder called "Private" which I block inheritance and only grant permissions to 3 x managers users (for example). How would this work in Azure files since the permissions are set on the Share in Azure RBAC? hope this makes sense... :/

I'm trying to figure out how to implement this for a client that wants to completely do away with their on-premises AD domain. Absolutely nothing in it is of use anymore except the data. They do not currently use Azure AD DS, just Azure AD (Office 365). ALL laptops are Azure AD domain joined (when they login to the PC, they use their full email address). My goal is to move their files from their server into an Azure File Share and have them map a drive to this File Share using what they currently have in place, a laptop that is Azure AD joined and logging in with their Azure AD account (their email address). Do we have to leave their on-premises AD domain in place? Do I have to implement Azure AD DS too? Again, they have local AD domain, which we just want to throw in the trash. They have Azure AD (Office 365) in place for several years now. They do not have Azure AD DS.
Creating the File Share and mapping it as the Super User is really easy. Assigning the proper account that can modify the permissions to that folder, not so much. And to add the ability for a normal user to open any files/add any files in it, even harder.

can this be achieved without Azure AD DS?

So the only account that requires AD Synch is the service account for the replication? Do the end users all have to be AD Synch'd from AD DS to Azure AD?

Great video -- a question about SMB Perms , can i assign perms to Azure AD user (not synced from on-Prem AD DS) ?

Great video. Has anyone experienced issues with NTFS permissions. When I set Owner permissions at the top level and enable inheritance. The ownerr permissions get overwrtitten each time a user creates a file or folder.

amazing

This was very helpful, but some things I found making this work after 20 hours:
1) you have to disable Azure AD DS, which means your on-prem users can access the data but your cloud users can't.
2) I had to do this on an on-prem server, not a cloud server
3) I had to make the user account performing operation an owner of the entire cloud subscription
4) I had to use ServiceLogonAccount and not ComputerAccount
5) I had to use the full distinguished OU name
6) there is a 15 character limit on the name of your Storage Account
Bottom line, if you want both on-prem and Azure cloud users to have access to your Storage Account data, this is not the way to do it. I'm told I have to make an Azure File Sync server. So, maybe that will work for you.

How connect with phisical devices out of domain? when i try this i get error 86 network password, can you help me? greetings from mexico

Hi Travis, great video. I just have a question. The part where you run the command: $StorageAccount.AzureFilesIdentityBasedAuth.DirectoryServiceOption. The result you get is "AD". When I run it I don't get AD, just empty. I am pretty sure I did everything by the book. Where do I have to look at? Best regards, Ron

does the machine have to be joined to a domain? or can we simply have line-of-site to a domain controller? or neither? We have a mix of azure ad only and hybrid azure ad machines...

Thanks Travis, Does the DC need to be on the same Azure VNet or will it work if left on Premise?

cool stuff, but does ntfs permissions style require an on-premises Windows DC in Azure?

Hi,
Thank you for this amazing video!
And what if i want to decomission my file server after doing these steps? is it possible?? The users that they access to the file server on premise will still able to access to azure file Share?

The net use command at the end fails. It would also help people to know they need to update powershell and have dotnet4.7.2 or newer as prereqs.

Hi Travis, I am getting this error! Please need some help to figure it out.
System error 5 has occurred.
Access is denied.

Can you do a 2023 version of this video???

Travis, Is it possible to enable File Locks? The behavior I'm seeing is:
Test User 1 with Contributor: Opens file, makes edits
Test User 2 with Contributor: Opens file right after Test User 1, also makes edits
Test User 1: Finishes edits, saves file.
Test User 2: Finishes editing after Test User 1, saves file.
The modifications from Test User 2 now overwrite any changes Test User 1 made.
Is this behavior expected or do I have a configuration issue?

Can we use this feature for non federated domains?

So, does this actually require your AD account be sync'd to AAD?
Suppose I have two AD domains, no trust relationship between them. Domain A is replicated to AAD, and is the AAD I use to log into the Azure portal. Domain B is running solely on VMs inside the Azure environment. Could I run this command on a VM on Domain B logged into that VM as a domain admin on Domain B, but when I run Connect-AzAccount, I log in with my global administrator for Domain A in AAD? Would that get everything connected appropriately?
And second question, how does the storage account talk to the domain controllers? You don't set a Vnet for a storage account, is there some proxying going on via the machine you ran this command on?

Great stuff… would be great if you did a video on setting up Azure for collaboration with anything on-premises. I am currently trying to set up a VPN with AAD, Kerberos and a file share. Despite this being described in the documentation in a step by step guide, as entirely possible. I.e. there is nothing in the prerequisites mention a VM or an on-site AD server etc. Microsoft have been unable to deliver. So far I’ve been told it’s possible, not possible, only possible if I use AADDS, that didn’t work… one “lead tech” told me the solution was to get all users connected with the admin connection. Not recommended by Microsoft, another told me I had to set up onsite AD, another that we’d all need virtual machines (again no mention of VMs in the prerequisites)… it’s a nightmare lol the story changes every day. A well produced independent video on setting up azure for collaboration between associates, nothing on premises, simple vpn, no public access, vms etc. and a properly manageable file share (I.e full permissions functionality)… would be brilliant.

Hello,
Thanks for this video,
I want to connect SMB file share with access key using API is that possible?
I have user docs.microsoft.com/en-us/rest/api/storageservices/get-file this API for getting file and folder on my SMB file share. I have done this using a shared access signature. but I want to do this using the access key.
How I can call the API using the access key

Great Video Travis.
Thank you!!!!!!!!
Maybe you or someone else can advise me on an error I get when I try to join one of my storages to AD DS.
The objective is to have storage accounts on a WVD environment that I am creating and be able to apply Group Policies to those users from my DC.
- My environment is in Azure.
- I have a VM and is my DC as well.
- I run the AD Connect on that VM and all the users are synced with my Azure Active Directory except the build in user which is an admin and is the same user (Administrator) that I had to create when I created that VM. So what I did I created that user on my Azure AD manually, BUT is not synced.
So, when I ran the script to join the storage account to the AD DS everything went fine with only one failed.
Here is what I get:
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Name Result
---- ------
CheckADObjectPasswordIsCorrect Passed
CheckADObject Passed
CheckDomainJoined Passed
CheckPort445Connectivity Passed
CheckSidHasAadUser Failed
CheckGetKerberosTicket Passed
CheckStorageAccountDomainJoined Passed
Skipped
Issues found:
---- CheckSidHasAadUser ----
No Azure Active Directory user exists with OnPremisesSecurityIdentifier of the currently logged on user's SID (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx).
This means that the AD user object has not synced to the AAD corresponding to the storage account.
Mounting to Azure Files using Active Directory authentication is not supported for AD users who have not been synced to
AAD.
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
However, the storage account got connected to my VM Domain Controller and I see the storage account name as a computer under the OU but I know that there is an issue.
I also understand that the user that ran the script must be full in sync with the DC.
So, I created another user on my VM and I gave him admin rights and that user was synced with my Azure AD.
I went ahead and ran the same script again under that new Admin user account and I got this error now. Worst than before.
Here it is:
000000000000000000000000000000000000000000000000000000000000000000000000000
Account SubscriptionName TenantId Environment
------- ---------------- -------- -----------
xxxxxx@yyyyyyyy.com Microsoft Azure xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx AzureCloud
Name : Microsoft Partner Network (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx) - xxxxxxxxxxxxxxxxxxxxxxxxxxxx - xxxxxx@yyyyyyyy.com
Account : xxxxxx@yyyyyyyy.com
Environment : AzureCloud
Subscription : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Tenant : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
TokenCache : Microsoft.Azure.Commands.Common.Authentication.Core.ProtectedFileTokenCache
VersionProfile :
ExtendedProperties : {}
New-ADAccountForStorageAccount : Unable to create AD object. Please check that you have permission to create an identity of type ComputerAccount in Active Directory location path
'OU=VASILIOSB,OU=CLIENTS,DC=AZUREWVD,DC=LOCAL' for the storage account 'vasiliossa'
At C:\Users\portaladmin\Documents\WindowsPowerShell\Modules\AzFilesHybrid\0.2.2.0\AzFilesHybrid.psm1:4266 char:37
+ ... eOverride = New-ADAccountForStorageAccount @newParams -ErrorAction St ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,New-ADAccountForStorageAccount

PS C:\Users\portaladmin\Desktop>
000000000000000000000000000000000000000000000000000000000000000000000000000000
I will appreciate any help.
Thank you,
Ioannis

Thanks Travis. Your t shirt is far too big for you mate.

Hi I get the following at Join-AzStorage ...Note I am using an on prem dc linked to azure via a S2S. No DC in the cloud yet.
PS C:\temp\AzFilesHybrid> Join-AzStorageAccountForAuth `
-ResourceGroupName $ResourceGroupName `
-Name $StorageAccountName `
-DomainAccountType "ServiceLogonAccount" `
-OrganizationalUnitDistinguishedName "OU=AzureFileShare,DC=****,DC=local"
WARNING: Parameter -DomainAccountType is 'ServiceLogonAccount', which will not be supported AES256 encryption for Kerberos ti
ckets.
Get-AzResourceGroup : 17:08:27 - Provided resource group does not exist.
At C:\Users\administrator.****\Documents\WindowsPowerShell\Modules\AzFilesHybrid\0.2.3.0\AzFilesHybrid.psm1:2060 char:32
+ ... $resourceGroupObject = Get-AzResourceGroup -Name $ResourceGroupName

Hi, can you tell me. At server files/data are kept encrypted at rest.