From 87dc1033fbd53a8cd911478feefefcb39a66302e Mon Sep 17 00:00:00 2001
From: Eliaquim Brandao <49751389+eliaquimbrandao@users.noreply.github.com>
Date: Wed, 15 Apr 2026 11:42:10 +0100
Subject: [PATCH 1/5] Add manual configuration script for AD DS authentication

Added an end-to-end script for manual configuration of AD DS authentication for Azure Storage accounts, including steps for both computer and service logon accounts.
---
 .../storage-files-identity-ad-ds-enable.md | 115 ++++++++++++++++++
 1 file changed, 115 insertions(+)

diff --git a/articles/storage/files/storage-files-identity-ad-ds-enable.md b/articles/storage/files/storage-files-identity-ad-ds-enable.md
index 563933af3006c..35cdba1fd440d 100644
--- a/articles/storage/files/storage-files-identity-ad-ds-enable.md
+++ b/articles/storage/files/storage-files-identity-ad-ds-enable.md
@@ -235,6 +235,121 @@ Set-ADAccountPassword -Identity -Reset -NewPassword $Ne
 > [!IMPORTANT]
 > If you previously used RC4 encryption and updated the storage account to use AES-256 (recommended), run `klist purge` on the client and then remount the file share to get new Kerberos tickets with AES-256.
+## End-to-end script for manual configuration
+This section provides a consolidated, script-based approach for manual configuration. It is intended for advanced scenarios where execution is performed across multiple teams (Azure and Active Directory), offering a single, ordered workflow that mirrors the manual steps described above.
+
+> [!NOTE]
+> These scripts assume that the Active Directory object (computer account or service account) already exists and that the required domain and identity information is available in your environment.
+
+### [Computer account (recommended)](#tab/computer-account)
+
+```powershell
+# VARIABLES
+$ResourceGroupName = ""
+$StorageAccountName = ""
+$ComputerName = "" # WITHOUT trailing $
+$ComputerSam = "$ComputerName`$"
+
+$DomainDNSRoot = ""
+$DomainNetBIOS = ""
+$ForestName = ""
+$DomainGuid = ""
+$DomainSid = ""
+$StorageSid = ""
+$DomainController = ""
+
+# STEP 1 – Generate Kerberos key (Azure team)
+New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -KeyName kerb1
+$KerbKey = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -ListKerbKey | Where-Object {$_.KeyName -eq "kerb1"}).Value
+
+# STEP 2 – Set SPN (AD team)
+setspn -S cifs/$StorageAccountName.file.core.windows.net $ComputerSam
+
+# STEP 3 – Set password (AD team)
+$SecurePassword = ConvertTo-SecureString $KerbKey -AsPlainText -Force
+Set-ADAccountPassword -Identity $ComputerSam -Reset -NewPassword $SecurePassword
+
+# STEP 4 – Enable AD DS authentication (Azure team)
+Set-AzStorageAccount `
+ -ResourceGroupName $ResourceGroupName `
+ -Name $StorageAccountName `
+ -EnableActiveDirectoryDomainServicesForFile $true `
+ -ActiveDirectoryDomainName $DomainDNSRoot `
+ -ActiveDirectoryNetBiosDomainName $DomainNetBIOS `
+ -ActiveDirectoryForestName $ForestName `
+ -ActiveDirectoryDomainGuid $DomainGuid `
+ -ActiveDirectoryDomainSid $DomainSid `
+ -ActiveDirectoryAzureStorageSid $StorageSid `
+ -ActiveDirectorySamAccountName $ComputerName `
+ -ActiveDirectoryAccountType "Computer"
+
+# STEP 5 – Configure AES-256 encryption (AD team - recommended)
+Set-ADComputer -Identity $ComputerName -KerberosEncryptionType "AES256"
+
+# STEP 6 – Regenerate Kerberos key (Azure team)
+New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -KeyName kerb1
+$KerbKey = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -ListKerbKey | Where-Object {$_.KeyName -eq "kerb1"}).Value
+
+# STEP 7 – Reset password with new key (AD team)
+$SecurePassword = ConvertTo-SecureString $KerbKey -AsPlainText -Force
+Set-ADAccountPassword -Identity $ComputerSam -Reset -NewPassword $SecurePassword
+```
+### [Service logon account (user)](#tab/user-account)
+
+```powershell
+# VARIABLES
+$ResourceGroupName = ""
+$StorageAccountName = ""
+$UserSamAccountName = ""
+
+$DomainDNSRoot = ""
+$DomainNetBIOS = ""
+$ForestName = ""
+$DomainGuid = ""
+$DomainSid = ""
+$StorageSid = ""
+$DomainController = ""
+
+# STEP 1 – Generate Kerberos key (Azure team)
+New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -KeyName kerb1
+$KerbKey = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -ListKerbKey | Where-Object {$_.KeyName -eq "kerb1"}).Value
+
+# STEP 2 – Set SPN (AD team)
+setspn -S cifs/$StorageAccountName.file.core.windows.net $UserSamAccountName
+
+# STEP 3 – Set UPN (AD team)
+Set-ADUser -Identity $UserSamAccountName -UserPrincipalName "cifs/$StorageAccountName.file.core.windows.net@$DomainDNSRoot"
+
+# STEP 4 – Set password (AD team)
+$SecurePassword = ConvertTo-SecureString $KerbKey -AsPlainText -Force
+Set-ADAccountPassword -Identity $UserSamAccountName -Reset -NewPassword $SecurePassword
+
+# STEP 5 – Enable AD DS authentication (Azure team)
+Set-AzStorageAccount `
+ -ResourceGroupName $ResourceGroupName `
+ -Name $StorageAccountName `
+ -EnableActiveDirectoryDomainServicesForFile $true `
+ -ActiveDirectoryDomainName $DomainDNSRoot `
+ -ActiveDirectoryNetBiosDomainName $DomainNetBIOS `
+ -ActiveDirectoryForestName $ForestName `
+ -ActiveDirectoryDomainGuid $DomainGuid `
+ -ActiveDirectoryDomainSid $DomainSid `
+ -ActiveDirectoryAzureStorageSid $StorageSid `
+ -ActiveDirectorySamAccountName $UserSamAccountName `
+ -ActiveDirectoryAccountType "User"
+
+# STEP 6 – Configure AES-256 encryption (AD team - recommended)
+Set-ADUser -Identity $UserSamAccountName -KerberosEncryptionType "AES256"
+
+# STEP 7 – Regenerate Kerberos key (Azure team)
+New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -KeyName kerb1
+$KerbKey = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -ListKerbKey | Where-Object {$_.KeyName -eq "kerb1"}).Value
+
+# STEP 8 – Reset password with new key (AD team)
+$SecurePassword = ConvertTo-SecureString $KerbKey -AsPlainText -Force
+Set-ADAccountPassword -Identity $UserSamAccountName -Reset -NewPassword $SecurePassword
+```
+
 ## Confirm the feature is enabled
 Check if AD DS is enabled as the identity source on your storage account by using the following script. Replace `` and `` with your values.

From 971b7131da0f6b4b3c3594ab3c979f131fc49d6b Mon Sep 17 00:00:00 2001
From: Eliaquim Brandao <49751389+eliaquimbrandao@users.noreply.github.com>
Date: Wed, 15 Apr 2026 17:16:51 +0100
Subject: [PATCH 2/5] Refactor PowerShell variables for clarity

---
 .../files/storage-files-identity-ad-ds-enable.md | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
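Review bot: In the computer-account tab, `-ActiveDirectorySamAccountName` receives `$ComputerName` while `setspn` and `Set-ADAccountPassword` receive `$ComputerSam` and `Set-ADComputer -Identity` receives `$ComputerName` again, and nothing tells the reader which form each command expects. A comment on the `-ActiveDirectorySamAccountName` line stating whether the value is passed with or without the trailing `$` — the later commits in this series switch it between the two variables more than once — would stop one form being "corrected" to match the other. The key read into `$KerbKey` in steps 1 and 6 is what steps 3 and 7 set as the account password, and it remains in the session as a plain string after the script ends, so a closing `Remove-Variable -Name KerbKey, SecurePassword` in both tabs is worth adding. `$DomainController` is assigned in both tabs but never read by any step.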
diff --git a/articles/storage/files/storage-files-identity-ad-ds-enable.md b/articles/storage/files/storage-files-identity-ad-ds-enable.md
index 35cdba1fd440d..f5c6b65e0fa7a 100644
--- a/articles/storage/files/storage-files-identity-ad-ds-enable.md
+++ b/articles/storage/files/storage-files-identity-ad-ds-enable.md
@@ -247,8 +247,8 @@ This section provides a consolidated, script-based approach for manual configura
 # VARIABLES
 $ResourceGroupName = ""
 $StorageAccountName = ""
-$ComputerName = "" # WITHOUT trailing $
-$ComputerSam = "$ComputerName`$"
+$ComputerName = "" # Base computer account name, without trailing $
+$ComputerSam = "$ComputerName`$" # Computer account sAMAccountName
 
 $DomainDNSRoot = ""
 $DomainNetBIOS = ""
@@ -256,7 +256,6 @@ $ForestName = ""
 $DomainGuid = ""
 $DomainSid = ""
 $StorageSid = ""
-$DomainController = ""
 
 # STEP 1 – Generate Kerberos key (Azure team)
 New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -KeyName kerb1
@@ -267,7 +266,7 @@ setspn -S cifs/$StorageAccountName.file.core.windows.net $ComputerSam
 # STEP 3 – Set password (AD team)
 $SecurePassword = ConvertTo-SecureString $KerbKey -AsPlainText -Force
-Set-ADAccountPassword -Identity $ComputerSam -Reset -NewPassword $SecurePassword
+Set-ADAccountPassword -Identity $ComputerIdentity -Reset -NewPassword $SecurePassword
 
 # STEP 4 – Enable AD DS authentication (Azure team)
 Set-AzStorageAccount `
@@ -280,7 +279,7 @@ Set-AzStorageAccount `
 -ActiveDirectoryDomainGuid $DomainGuid `
 -ActiveDirectoryDomainSid $DomainSid `
 -ActiveDirectoryAzureStorageSid $StorageSid `
- -ActiveDirectorySamAccountName $ComputerName `
+ -ActiveDirectorySamAccountName $ComputerSam `
 -ActiveDirectoryAccountType "Computer"
 
 # STEP 5 – Configure AES-256 encryption (AD team - recommended)
@@ -302,13 +301,12 @@ $ResourceGroupName = ""
 $StorageAccountName = ""
 $UserSamAccountName = ""
 
-$DomainDNSRoot = ""
+$DomainDNSRoot = ""
 $DomainNetBIOS = ""
 $ForestName = ""
 $DomainGuid = ""
 $DomainSid = ""
 $StorageSid = ""
-$DomainController = ""
 
 # STEP 1 – Generate Kerberos key (Azure team)
 New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -KeyName kerb1

From c65fcac3cfece15dac06239404ca2b268a82144c Mon Sep 17 00:00:00 2001
From: Eliaquim Brandao <49751389+eliaquimbrandao@users.noreply.github.com>
Date: Wed, 15 Apr 2026 17:20:31 +0100
Subject: [PATCH 3/5] Update ActiveDirectorySamAccountName variable name

---
 articles/storage/files/storage-files-identity-ad-ds-enable.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/articles/storage/files/storage-files-identity-ad-ds-enable.md b/articles/storage/files/storage-files-identity-ad-ds-enable.md
index f5c6b65e0fa7a..06143e4e3d573 100644
--- a/articles/storage/files/storage-files-identity-ad-ds-enable.md
+++ b/articles/storage/files/storage-files-identity-ad-ds-enable.md
@@ -279,7 +279,7 @@ Set-AzStorageAccount `
 -ActiveDirectoryDomainGuid $DomainGuid `
 -ActiveDirectoryDomainSid $DomainSid `
 -ActiveDirectoryAzureStorageSid $StorageSid `
- -ActiveDirectorySamAccountName $ComputerSam `
+ -ActiveDirectorySamAccountName $ComputerName `
 -ActiveDirectoryAccountType "Computer"
 
 # STEP 5 – Configure AES-256 encryption (AD team - recommended)

From d7fdb1993f4dcb9fab3b379bfed5c0f2b8914661 Mon Sep 17 00:00:00 2001
From: Eliaquim Brandao <49751389+eliaquimbrandao@users.noreply.github.com>
Date: Wed, 15 Apr 2026 17:23:41 +0100
Subject: [PATCH 4/5] Update computer account references in AD commands

---
 .../storage/files/storage-files-identity-ad-ds-enable.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/articles/storage/files/storage-files-identity-ad-ds-enable.md b/articles/storage/files/storage-files-identity-ad-ds-enable.md
index 06143e4e3d573..3af019b74d99c 100644
--- a/articles/storage/files/storage-files-identity-ad-ds-enable.md
+++ b/articles/storage/files/storage-files-identity-ad-ds-enable.md
@@ -250,7 +250,7 @@ $StorageAccountName = ""
 $ComputerName = "" # Base computer account name, without trailing $
 $ComputerSam = "$ComputerName`$" # Computer account sAMAccountName
 
-$DomainDNSRoot = ""
+$DomainDNSRoot = ""
 $DomainNetBIOS = ""
 $ForestName = ""
 $DomainGuid = ""
@@ -266,7 +266,7 @@ setspn -S cifs/$StorageAccountName.file.core.windows.net $ComputerSam
 # STEP 3 – Set password (AD team)
 $SecurePassword = ConvertTo-SecureString $KerbKey -AsPlainText -Force
-Set-ADAccountPassword -Identity $ComputerIdentity -Reset -NewPassword $SecurePassword
+Set-ADAccountPassword -Identity $ComputerSam -Reset -NewPassword $SecurePassword
 
 # STEP 4 – Enable AD DS authentication (Azure team)
 Set-AzStorageAccount `
@@ -283,7 +283,7 @@ Set-AzStorageAccount `
 -ActiveDirectoryAccountType "Computer"
 
 # STEP 5 – Configure AES-256 encryption (AD team - recommended)
-Set-ADComputer -Identity $ComputerName -KerberosEncryptionType "AES256"
+Set-ADComputer -Identity $ComputerSam -KerberosEncryptionType "AES256"
 
 # STEP 6 – Regenerate Kerberos key (Azure team)
 New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -KeyName kerb1
@@ -293,6 +293,7 @@ $KerbKey = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name
 $SecurePassword = ConvertTo-SecureString $KerbKey -AsPlainText -Force
 Set-ADAccountPassword -Identity $ComputerSam -Reset -NewPassword $SecurePassword
 ```
+
 ### [Service logon account (user)](#tab/user-account)
 
 ```powershell

From 714c549f5bbd93f5dcec9756ddf5388234f9897d Mon Sep 17 00:00:00 2001
From: Eliaquim Brandao <49751389+eliaquimbrandao@users.noreply.github.com>
Date: Wed, 15 Apr 2026 17:29:58 +0100
Subject: [PATCH 5/5] Add confirmation steps for AD DS feature

Added instructions to confirm AD DS is enabled as identity source.
---
 articles/storage/files/storage-files-identity-ad-ds-enable.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/articles/storage/files/storage-files-identity-ad-ds-enable.md b/articles/storage/files/storage-files-identity-ad-ds-enable.md
index 3af019b74d99c..ec023c2588eba 100644
--- a/articles/storage/files/storage-files-identity-ad-ds-enable.md
+++ b/articles/storage/files/storage-files-identity-ad-ds-enable.md
@@ -349,6 +349,8 @@ $SecurePassword = ConvertTo-SecureString $KerbKey -AsPlainText -Force
 Set-ADAccountPassword -Identity $UserSamAccountName -Reset -NewPassword $SecurePassword
 ```
+---
+
 ## Confirm the feature is enabled
 Check if AD DS is enabled as the identity source on your storage account by using the following script. Replace `` and `` with your values.