Commit 77664f6

Merge pull request #312584 from khdownie/kendownie030426
Files Entra DS auth integrity check
2 parents 4e363b9 + dc0c003 commit 77664f6

1 file changed

Lines changed: 10 additions & 10 deletions

articles/storage/files/storage-files-identity-auth-domain-services-enable.md

@@ -4,7 +4,7 @@ description: Learn how to enable identity-based authentication over Server Messa
44
author: khdownie
55
ms.service: azure-file-storage
66
ms.topic: how-to
7-
ms.date: 02/25/2026
7+
ms.date: 03/04/2026
88
ms.author: kendownie
99
ms.custom: devx-track-azurecli, devx-track-azurepowershell
1010
# Customer intent: As a cloud administrator, I want to enable identity-based authentication for SMB Azure file shares using Microsoft Entra Domain Services, so that users can securely access file shares using their Microsoft Entra credentials.
@@ -18,7 +18,7 @@ ms.custom: devx-track-azurecli, devx-track-azurepowershell
1818

1919
This article focuses on enabling Microsoft Entra Domain Services (formerly Azure Active Directory Domain Services) for identity-based authentication with Azure file shares. In this authentication scenario, Microsoft Entra credentials and Microsoft Entra Domain Services credentials are the same, and you can use them interchangeably.
2020

21-
Review the [How it works section](./storage-files-active-directory-overview.md#how-it-works) to select the right identity source for your storage account. The setup is different depending on the identity source you choose.
21+
Review the [supported authentication scenarios](./storage-files-active-directory-overview.md#supported-authentication-scenarios) to select the right identity source for your storage account. The setup is different depending on the identity source you choose.
2222

2323
If you're new to Azure Files, read the [planning guide](storage-files-planning.md) before reading this article.
2424

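Review bot: The new link on line 21 points at the anchor `#supported-authentication-scenarios` in storage-files-active-directory-overview.md, a file this commit does not touch (1 file changed), so confirm that heading exists there under exactly that slug. If it does not, the link lands at the top of the overview rather than on the identity-source comparison the sentence promises.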
@@ -35,17 +35,17 @@ Before you enable Microsoft Entra Domain Services over SMB for Azure file shares
3535

3636
You can use a new or existing tenant. The tenant and the file share that you want to access must be associated with the same subscription.
3737

38-
To create a new Microsoft Entra tenant, [Add a Microsoft Entra tenant and a Microsoft Entra subscription](/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription). If you have an existing Microsoft Entra tenant but want to create a new tenant for use with Azure file shares, see [Create a Microsoft Entra tenant](/rest/api/datacatalog/create-an-azure-active-directory-tenant).
38+
To create a new Microsoft Entra tenant, see [Create a new tenant in Microsoft Entra ID](/entra/fundamentals/create-new-tenant). If you have an existing Microsoft Entra tenant but want to create a new tenant for use with Azure file shares, see [Set up a new Microsoft Entra tenant](/entra/identity-platform/quickstart-create-new-tenant).
3939

4040
1. **Enable Microsoft Entra Domain Services on the Microsoft Entra tenant.**
4141

42-
To support authentication with Microsoft Entra credentials, you must enable Microsoft Entra Domain Services for your Microsoft Entra tenant. If you aren't the administrator of the Microsoft Entra tenant, contact the administrator and follow the step-by-step guidance to [Enable Microsoft Entra Domain Services using the Azure portal](../../active-directory-domain-services/tutorial-create-instance.md).
42+
To support authentication with Microsoft Entra credentials, you must enable Microsoft Entra Domain Services for your Microsoft Entra tenant. If you aren't the administrator of the Microsoft Entra tenant, contact the administrator and follow the step-by-step guidance to [Create and configure a Microsoft Entra Domain Services managed domain](/entra/identity/domain-services/tutorial-create-instance).
4343

4444
It typically takes about 15 minutes for a Microsoft Entra Domain Services deployment to complete. Verify that the health status of Microsoft Entra Domain Services shows **Running**, with password hash synchronization enabled, before proceeding to the next step.
4545

4646
1. **Domain-join a VM with Microsoft Entra Domain Services.**
4747

48-
To access an Azure file share by using Entra credentials from a VM, your VM must be domain-joined to Microsoft Entra Domain Services. For more information, see [Join a Windows Server virtual machine to a managed domain](../../active-directory-domain-services/join-windows-vm.md). Microsoft Entra Domain Services authentication over SMB with Azure file shares is supported only on Windows VMs running OS versions later than Windows 7 or Windows Server 2008 R2, or on [Linux VMs](storage-files-identity-auth-linux-kerberos-enable.md) running Ubuntu 18.04+ or an equivalent RHEL or SLES VM.
48+
To access an Azure file share by using Entra credentials from a VM, your VM must be domain-joined to Microsoft Entra Domain Services. For more information, see [Join a Windows Server virtual machine to a Microsoft Entra Domain Services managed domain](/entra/identity/domain-services/join-windows-vm). Microsoft Entra Domain Services authentication over SMB with Azure file shares is supported only on Windows VMs running OS versions later than Windows 7 or Windows Server 2008 R2, or on [Linux VMs](storage-files-identity-auth-linux-kerberos-enable.md) running Ubuntu 18.04+ or an equivalent RHEL or SLES VM.
4949

5050
> [!NOTE]
5151
> Non-domain-joined VMs can access Azure file shares using Microsoft Entra Domain Services authentication only if the VM has unimpeded network connectivity to the domain controllers for Microsoft Entra Domain Services. Usually this connectivity requires either site-to-site or point-to-site VPN.
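Review bot: On line 38 the two sentences now link to two different articles (`/entra/fundamentals/create-new-tenant` and `/entra/identity-platform/quickstart-create-new-tenant`) for what reads as the same task, and the split between "create a new tenant" and "have an existing tenant but want to create a new tenant" no longer tells the reader which one to follow. Suggest collapsing this to one sentence with one link, or saying what differs between the two targets. The moved links on lines 42 and 48 switch from relative `.md` paths to site-relative paths, so it is worth running the link checker on this file before merge.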
@@ -63,7 +63,7 @@ You can use Azure Files authentication with Microsoft Entra Domain Services in [
6363

6464
The following diagram shows the end-to-end workflow for enabling Microsoft Entra Domain Services authentication over SMB for Azure Files.
6565

66-
:::image type="content" source="media/storage-files-identity-auth-domain-services-enable/files-entra-domain-services-workflow.png" alt-text="Diagram showing Microsoft Entra ID over SMB for Azure Files workflow." lightbox="media/storage-files-identity-auth-domain-services-enable/files-entra-domain-services-workflow.png" border="false":::
66+
:::image type="content" source="media/storage-files-identity-auth-domain-services-enable/files-entra-domain-services-workflow.png" alt-text="Diagram showing Microsoft Entra Domain Services over SMB for Azure Files workflow." lightbox="media/storage-files-identity-auth-domain-services-enable/files-entra-domain-services-workflow.png" border="false":::
6767

6868
<a name='enable-azure-ad-ds-authentication-for-your-account'></a>
6969

@@ -92,7 +92,7 @@ To enable Microsoft Entra Domain Services authentication over SMB by using the [
9292

9393
To enable Microsoft Entra Domain Services authentication over SMB by using Azure PowerShell, install the latest Az module (2.4 or newer) or the Az.Storage module (1.5 or newer). For more information, see [Install Azure PowerShell on Windows with PowerShellGet](/powershell/azure/install-azure-powershell).
9494

95-
To create a new storage account, call [New-AzStorageAccount](/powershell/module/az.storage/New-azStorageAccount), and then set the **EnableAzureActiveDirectoryDomainServicesForFile** parameter to **true**. In the following example, replace the placeholder values with your own values. (If you use the previous preview module, the parameter for enabling the feature is **EnableAzureFilesAadIntegrationForSMB**.)
95+
To create a new storage account, call [New-AzStorageAccount](/powershell/module/az.storage/New-azStorageAccount), and then set the `EnableAzureActiveDirectoryDomainServicesForFile` parameter to **true**. In the following example, replace the placeholder values with your own values. (If you use the previous preview module, the parameter for enabling the feature is `EnableAzureFilesAadIntegrationForSMB`.)
9696

9797
```powershell
9898
# Create a new storage account
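Review bot: On line 95 the parameter names are now code-formatted but the value is still bold (`**true**`), so the sentence mixes two conventions for things the reader types. Format the value as code too, and since this is the PowerShell tab write it as `$true` so it matches the command in the example that follows.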
@@ -116,7 +116,7 @@ Set-AzStorageAccount -ResourceGroupName "<resource-group-name>" `
116116

117117
# [Azure CLI](#tab/azure-cli)
118118

119-
To enable Microsoft Entra authentication over SMB by using Azure CLI, install the latest CLI version (version 2.0.70 or newer). For more information, see [Install the Azure CLI](/cli/azure/install-azure-cli).
119+
To enable Microsoft Entra Domain Services authentication over SMB by using Azure CLI, install the latest CLI version (version 2.0.70 or newer). For more information, see [Install the Azure CLI](/cli/azure/install-azure-cli).
120120

121121
To create a new storage account, call [az storage account create](/cli/azure/storage/account#az-storage-account-create), and set the `--enable-files-aadds` argument. In the following example, replace the placeholder values with your own values. (If you were using the previous preview module, the parameter for feature enablement is **file-aad**.)
122122

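Review bot: Context line 121, directly below the changed line, still bolds the old argument name (`**file-aad**`) and calls it a parameter of the "previous preview module", while the PowerShell tab in this same commit moved parameter names to code formatting. Suggest putting `file-aad` in backticks here as well and replacing "module" with wording that fits the CLI, so both tabs describe the legacy switch the same way.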
@@ -128,7 +128,7 @@ az storage account create -n <storage-account-name> -g <resource-group-name> --e
128128
To enable this feature on existing storage accounts, use the following command:
129129

130130
```azurecli-interactive
131-
# Update a new storage account
131+
# Update an existing storage account
132132
az storage account update -n <storage-account-name> -g <resource-group-name> --enable-files-aadds
133133
```
134134
---
@@ -142,7 +142,7 @@ This action requires running an operation on the domain that's managed by Micros
142142
> [!IMPORTANT]
143143
> The Windows Server Active Directory PowerShell cmdlets in this section must be run in Windows PowerShell 5.1 from a client machine that's domain-joined to the Microsoft Entra Domain Services domain. PowerShell 7.x and Azure Cloud Shell won't work in this scenario.
144144
145-
Sign in to the domain-joined client machine as a Microsoft Entra Domain Services user with the required permissions. You must have write access to the `msDS-SupportedEncryptionTypes` attribute of the domain object. Typically, members of the **AAD DC Administrators** group have the necessary permissions. Open a normal (non-elevated) PowerShell session and execute the following commands.
145+
Sign in to the domain-joined client machine as a Microsoft Entra Domain Services user with the required permissions. You must have write access to the `msDS-SupportedEncryptionTypes` attribute of the domain object. Typically, members of the [AAD DC Administrators](/entra/identity/domain-services/tutorial-create-instance-advanced#configure-an-administrative-group) group have the necessary permissions. Open a normal (non-elevated) PowerShell session and execute the following commands.
146146

147147
```powershell
148148
# 1. Find the service account in your managed domain that represents the storage account.
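Review bot: Line 145 says the reader needs write access to `msDS-SupportedEncryptionTypes` "of the domain object", but the first step of the script that follows looks up the service account that represents the storage account, so state which object's attribute is actually written; that is the permission an administrator has to reason about when delegating this task. The new link also drops the bold that marked AAD DC Administrators as a literal group name; keep the emphasis inside the link text, and confirm the `#configure-an-administrative-group` anchor exists in the advanced tutorial, which this commit does not touch.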
