articles/storage/files/storage-files-identity-ad-ds-enable.md
Lines changed: 11 additions & 12 deletions
@@ -4,7 +4,7 @@ description: Learn how to enable Active Directory Domain Services authentication
4
4
author: khdownie
5
5
ms.service: azure-file-storage
6
6
ms.topic: how-to
7
-
ms.date: 02/23/2026
7
+
ms.date: 03/03/2026
8
8
ms.author: kendownie
9
9
ms.custom: devx-track-azurepowershell
10
10
# Customer intent: As an IT administrator, I want to enable Active Directory Domain Services authentication for Azure file shares, so that our domain-joined Windows virtual machines can securely access and manage file shares using existing AD credentials.
@@ -31,16 +31,16 @@ The AzFilesHybrid PowerShell module provides cmdlets for deploying and configuri
31
31
### Prerequisites
32
32
33
33
- Install [.NET Framework 4.7.2 or higher](https://dotnet.microsoft.com/download/dotnet-framework/) if it's not already installed. The AzFilesHybrid module requires it to import successfully.
34
-
- Make sure you have [Azure PowerShell](/powershell/azure/install-azure-powershell) (Az module) and [Az.Storage](https://www.powershellgallery.com/packages/Az.Storage/) installed. You must have at least Az.PowerShell 2.8.0+ and Az.Storage 4.3.0+ to use AzFilesHybrid.
34
+
- Make sure you have the latest versions of [Azure PowerShell](/powershell/azure/install-azure-powershell) (Az module) and [Az.Storage](https://www.powershellgallery.com/packages/Az.Storage/) installed. You must have Az.Storage 8.1.0 or higher to use AzFilesHybrid.
35
35
- Install the [Active Directory PowerShell](/powershell/module/activedirectory/) module.
36
36
37
37
### Download AzFilesHybrid module
38
38
39
-
[Download and unzip the latest version of the AzFilesHybrid module](https://github.com/Azure-Samples/azure-files-samples/releases).
39
+
Download and unzip the latest version of the [AzFilesHybrid module](https://www.powershellgallery.com/packages/AzFilesHybrid/).
40
40
41
41
### Run Join-AzStorageAccount
42
42
43
-
The `Join-AzStorageAccount` cmdlet performs the equivalent of an offline domain join for the specified storage account. The following script uses this cmdlet to create a [computer account](/windows/security/identity-protection/access-control/active-directory-accounts#manage-default-local-accounts-in-active-directory) in your AD domain. If you can't use a computer account, you can change the script to create a [service logon account](/windows/win32/ad/about-service-logon-accounts) instead. Starting with AzFilesHybrid version 0.2.5, using AES-256 encryption with service logon accounts is supported.
43
+
The `Join-AzStorageAccount` cmdlet performs the equivalent of an offline domain join for the specified storage account. The following script uses this cmdlet to create a [computer account](/windows/security/identity-protection/access-control/active-directory-accounts#manage-default-local-accounts-in-active-directory) in your AD domain. If you can't use a computer account, you can change the script to create a [service logon account](/windows/win32/ad/about-service-logon-accounts) instead. Using AES-256 encryption with service logon accounts is supported starting with AzFilesHybrid version 0.2.5.
44
44
45
45
The AD DS account that the cmdlet creates represents the storage account. If you create the AD DS account under an organizational unit (OU) that enforces password expiration, you must update the password before the maximum password age. If you don't update the account password before that date, authentication fails when accessing Azure file shares. For more information on how to update the password, see [Update AD DS account password](storage-files-identity-ad-ds-update-password.md).
46
46
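Review bot: the download step at line 39 now links to the PowerShell Gallery but still reads "Download and unzip", which describes the old GitHub releases flow; Gallery packages are installed with Install-Module rather than unzipped, so either reword the step to match a Gallery install or keep the releases link. In the same hunk the prerequisites drop the Az.PowerShell 2.8.0+ floor and raise Az.Storage to 8.1.0 or higher; "the latest versions" is not something a reader can check, so state whether the Az module itself still has a minimum version.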
@@ -129,7 +129,7 @@ Most customers should choose [Option one](#option-one-recommended-use-azfileshyb
129
129
First, check the state of your environment.
130
130
131
131
- Check if [Active Directory PowerShell](/powershell/module/activedirectory/) is installed, and if the shell is running with administrator privileges.
132
-
- Make sure the [Az.Storage module](https://www.powershellgallery.com/packages/Az.Storage/) is installed, and install it if it isn't. You need at least version 2.0.
132
+
- Make sure the latest version of the [Az.Storage module](https://www.powershellgallery.com/packages/Az.Storage/) is installed, and install it if it isn't.
133
133
- After completing those checks, check your AD DS to see if there's either a [computer account](/windows/security/identity-protection/access-control/active-directory-accounts#manage-default-local-accounts-in-active-directory) (default) or [service logon account](/windows/win32/ad/about-service-logon-accounts) that you created with SPN/UPN such as "cifs/your-storage-account-name-here.file.core.windows.net". If the account doesn't exist, create one as described in the following section.
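Review bot: the manual-path check at line 132 now says "the latest version of the Az.Storage module" while the AzFilesHybrid prerequisites changed in this same commit state a concrete floor of Az.Storage 8.1.0 or higher. Readers on this path lose a version they can test for with Get-Module; suggest stating the same minimum here, for example "You need at least version 8.1.0."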
The cmdlets return the key value. Once you have the kerb1 key, create either a [computer account](/powershell/module/activedirectory/new-adcomputer) or [service account](/powershell/module/activedirectory/new-adserviceaccount) in AD under your OU, and use the key as the password for the AD identity.
153
153
154
-
1. Set the SPN to **cifs/your-storage-account-name-here.file.core.windows.net** either in the AD GUI or by running the `Setspn` command from the Windows command line as administrator (replace the example text with your storage account name and `<ADAccountName>` with your AD account name).
154
+
1. Set the SPN to **cifs/your-storage-account-name-here.file.core.windows.net** either in the Active Directory GUI or by running the `Setspn` command from the Windows command line as administrator (replace the example text with your storage account name and `<ADAccountName>` with your AD account name).
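Review bot: the Setspn step at line 154 formats the SPN in bold while the `<ADAccountName>` placeholder is in backticks; since the reader copies the SPN literally, putting it in backticks as well keeps the two placeholders consistent and avoids the renderer altering the value.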
@@ -182,8 +182,7 @@ Keep the SID of the newly created identity, you'll need it for the next step. Th
182
182
183
183
### Enable the feature on your storage account
184
184
185
-
Modify the following command to include configuration details for the domain properties, then run it to enable the feature. The storage account SID required in the following command is the SID of the identity you created in your AD DS in [the previous section](#create-an-identity-representing-the-storage-account-in-your-ad-manually). Make sure that you provide the **ActiveDirectorySamAccountName** property without the trailing '
186
-
sign.
185
+
Modify the following command to include configuration details for the domain properties, then run it to enable the feature. The storage account SID required in the following command is the SID of the identity you created in your AD DS in [the previous section](#create-an-identity-representing-the-storage-account-in-your-ad-manually). Make sure that you provide the **ActiveDirectorySamAccountName** property without the trailing '$' sign.
187
186
188
187
```PowerShell
189
188
# Set the feature flag on the target storage account and provide the required AD domain information
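Review bot: the rewrite at line 185 rejoins the sentence that the old text split around the '$' character, which appears to be what broke the rendering before; wrapping the sign in backticks (`$`) instead of single quotes tells the markdown renderer to treat it literally, so the sentence cannot split again if the source is reflowed.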
Check if Active Directory is enabled on your storage account by using the following script:
248
+
Check if AD DS is enabled on your storage account by using the following script. Replace `<resource-group-name>` and `<storage-account-name>` with your values.
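Review bot: the new lead-in at line 248 tells the reader to replace `<resource-group-name>` and `<storage-account-name>`; make sure the script that follows uses exactly those placeholder tokens rather than the `your-storage-account-name-here` form used earlier in the article, so the instruction and the script match.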