# Customer intent: "As a cloud architect, I want to implement identity-based authentication for Azure file shares over SMB, so that I can enhance security and streamline access for users."
10
10
---
@@ -17,28 +17,19 @@ This article explains how you can use identity-based authentication, either on-p
17
17
18
18
Azure Files supports identity-based authentication over SMB for Windows, [Linux](storage-files-identity-auth-linux-kerberos-enable.md), and macOS clients. Azure Files doesn't currently support identity-based authentication for Network File System (NFS) file shares.
19
19
20
-
> [!IMPORTANT]
21
-
> For security reasons, use identity-based authentication to access file shares instead of the storage account key. Never share your storage account keys.
22
-
23
-
## How it works
24
-
25
-
Azure Files uses the Kerberos protocol to authenticate with an identity source. When an identity associated with a user or application running on a client attempts to access data in Azure Files, the request is sent to the identity source to authenticate the identity. If authentication is successful, the identity source returns a Kerberos ticket. The client then sends a request that includes the Kerberos ticket, and Azure Files uses that ticket to authorize the request. The Azure Files service only receives the Kerberos ticket, not the user's access credentials.
20
+
## Why use identity-based authentication?
26
21
27
-
## Common use cases
22
+
For security reasons, use identity-based authentication to access SMB file shares instead of the storage account key. It's also more convenient than using storage account keys in many scenarios:
28
23
29
-
Identity-based authentication with SMB Azure file shares can be useful in a variety of scenarios:
24
+
- Using identity-based authentication provides a seamless migration experience when replacing on-premises file servers, allowing end users to continue to access their data with the same credentials.
30
25
31
-
### Replace on-premises file servers
26
+
- Identity-based authentication eliminates the need to change your directory service when moving applications to the cloud, expediting cloud adoption.
32
27
33
-
Replacing scattered on-premises file servers is a challenge every organization faces during their IT modernization journey. Using identity-based authentication with Azure Files provides a seamless migration experience, allowing end users to continue to access their data with the same credentials.
28
+
- For file share DR scenarios, you can configure identity-based authentication to support proper access control enforcement upon failover.
34
29
35
-
### Lift and shift applications to Azure
36
-
37
-
When you lift and shift applications to the cloud, you likely want to keep the same authentication model for file share access. Identity-based authentication eliminates the need to change your directory service, expediting cloud adoption.
38
-
39
-
### Backup and disaster recovery (DR)
30
+
## How it works
40
31
41
-
If you keep your primary file storage on-premises, Azure Files is an ideal solution for backup and DR to improve business continuity. You can use Azure file shares to back up your file servers while preserving Windows discretionary access control lists (DACLs). For DR scenarios, you can configure an authentication option to support proper access control enforcement at failover.
32
+
Azure Files uses the Kerberos protocol to authenticate with an identity source. When an identity associated with a user or application running on a client attempts to access data in Azure Files, the request is sent to the identity source to authenticate the identity. If authentication is successful, the identity source returns a Kerberos ticket. The client then sends a request that includes the Kerberos ticket, and Azure Files uses that ticket to authorize the request. The Azure Files service only receives the Kerberos ticket, not the user's access credentials.
42
33
43
34
## Choose an identity source for your storage account
44
35
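Review bot: The removed `[!IMPORTANT]` callout carried two instructions, but the replacement paragraph under "## Why use identity-based authentication?" keeps only the first ("use identity-based authentication to access SMB file shares instead of the storage account key") and drops "Never share your storage account keys." Suggest keeping that sentence in the new paragraph, since a plain paragraph already loses the callout's emphasis. In the same hunk, collapsing "### Backup and disaster recovery (DR)" into one bullet also drops the point that backing up file servers to Azure file shares preserves Windows discretionary access control lists (DACLs); consider restoring it to the DR bullet, e.g. "you can back up your file servers while preserving Windows DACLs, and configure identity-based authentication to support proper access control enforcement upon failover."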
@@ -66,7 +57,7 @@ Use the following guidelines to determine which identity source you should choos
66
57
67
58
- If you already use Microsoft Entra Domain Services, choose Microsoft Entra Domain Services as your identity source.
68
59
69
-
## Enable an identity source
60
+
## Enable an identity source on your storage account
70
61
71
62
After you choose an identity source, enable it on your storage account.
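Review bot: Renaming the heading "## Enable an identity source" to "## Enable an identity source on your storage account" changes its generated anchor (`#enable-an-identity-source` becomes `#enable-an-identity-source-on-your-storage-account`); check this article and any others that link to the old anchor and update them, otherwise those links will land at the top of the page instead of this section.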