A preview of Azure Files’ support for Active Directory authentication

Ganesh Chauhan, Technical Support Specialist, Microsoft Azure

We are happy to announce the preview of Azure Files Active Directory (AD) authentication. You can now mount your Azure file shares using your AD credentials, with exactly the same access control as on-premises. Both the premium and standard tiers of Azure Files support using an Active Directory Domain Service (AD DS), whether it is hosted on-premises or in Azure. Managing file permissions is also easy: if your Active Directory identities are synced to Azure AD, you can continue to manage share-level permissions using role-based access control (RBAC), and you can set up Windows ACLs (NTFS DACLs) for directory- and file-level authorization in Windows File Explorer just as you would for any other file share. Most of you may have already adopted Office 365 or Azure and synchronized your on-premises Active Directory to Azure AD, so you are ready to use this new capability right away.

When thinking about moving file servers to the cloud, many people choose to preserve their existing Active Directory architecture and migrate the data first. With this preview release, we eliminated any client environment changes: Azure Files operates seamlessly with your current Active Directory. With single sign-on, you can log into an Active Directory domain-joined machine and access an Azure file share. Additionally, you can keep all of the NTFS DACLs that have been set up on your directories and files over time and have them enforced in the same way. Simply set up tiering, or use Robust File Copy (robocopy), to migrate your files together with their ACLs from on-premises Windows file servers to Azure Files with Azure File Sync. We also made a video that explains how to set up Azure Files to take the place of an on-premises server, including AD authentication.

With AD authentication, Azure Files can do a better job of storing user profiles for Virtual Desktop Infrastructure (VDI). The most typical setup uses Windows Virtual Desktop to extend your on-premises workspace, with Active Directory still controlling the hosting environment. When a user logs into a virtual session that uses Azure Files as the user profile storage, only the profile of that authorized user is loaded from Azure Files. You do not need to set up a separate domain service to handle storage access control in your VDI environment. Azure Files is the most scalable, economical, and serverless file storage option for hosting user profile data.

What’s new?

The most important features that were introduced in the preview are listed below.

· Enable Active Directory (AD/AD DS) authentication for Server Message Block (SMB) access. Using Active Directory login credentials, you can mount Azure Files from computers that are domain-joined to an Active Directory on-premises or in Azure. Both the premium and standard tiers of Azure Files support using Active Directory as the directory service for identity-based access control. Active Directory authentication can be enabled on self-managed or Azure File Sync-managed file shares.

· Enforce permissions at the directory and file levels of the share. When Active Directory authentication is enabled for a file share, the existing access control experience still applies: after using RBAC for share-level permission control, you can configure or persist directory- or file-level NTFS DACLs with Windows File Explorer or the ICACLS tool.

· Support file migration from on-premises with ACL persistence over Azure File Sync. Azure File Sync now persists ACLs on Azure Files in the original NTFS DACL format. You can use Azure File Sync to transfer data from on-premises Windows file servers to Azure Files without any interruption, and for existing files and directories that are tiered to Azure Files through Azure File Sync, ACLs are persisted in their native format.
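As an added example (not from the original post or from Microsoft's documentation), the following PowerShell script shows the permission layering described above on an AD domain-joined Windows client: mount the share over SMB with the signed-in AD identity, apply a directory-level NTFS DACL with icacls, and read the resulting ACL back to verify it. The storage account name, share name, directory name and domain group are placeholders, and the script assumes AD DS authentication is already enabled on the storage account and the user already holds a share-level RBAC role.

```powershell
# Added example: share-level RBAC plus directory-level NTFS DACLs on Azure Files.
# Assumes AD DS authentication is enabled on the storage account and that this runs
# on an AD domain-joined client whose signed-in user has a share-level RBAC role.
# All names below are placeholders, not real resources.
$StorageAccount = 'contosofiles'        # placeholder storage account name
$ShareName      = 'profiles'            # placeholder file share name
$DomainGroup    = 'CONTOSO\VDI-Users'   # placeholder AD security group
$DriveLetter    = 'Z:'

$UncPath = "\\$StorageAccount.file.core.windows.net\$ShareName"

# Mount over SMB. No credentials are passed: the Kerberos ticket of the signed-in
# AD user is used, which is the single sign-on behaviour the post describes.
net use $DriveLetter $UncPath /persistent:no
if ($LASTEXITCODE -ne 0) { throw "Failed to mount $UncPath" }

# Create a directory for the group and grant Modify (M) to that group only.
# (OI)(CI) make the ACE inherit to files and subfolders created later, so new
# objects stay inside the same least-privilege boundary.
$TargetDir = Join-Path $DriveLetter 'team-share'   # placeholder directory
New-Item -ItemType Directory -Path $TargetDir -Force | Out-Null
icacls $TargetDir /grant "${DomainGroup}:(OI)(CI)M"
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $TargetDir" }

# Verify: read the DACL back and flag any ACE that grants access to a broad
# principal. Reviewing this before migrating data is the check to do.
$Broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$Acl = Get-Acl -Path $TargetDir
$Acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
foreach ($Ace in $Acl.Access) {
    if ($Broad -contains $Ace.IdentityReference.Value -and
        $Ace.AccessControlType -eq 'Allow') {
        Write-Warning "Broad ACE on ${TargetDir}: $($Ace.IdentityReference) $($Ace.FileSystemRights)"
    }
}

net use $DriveLetter /delete /y
```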

Get started and share your experiences

In the regions that the preview supports, you can create a file share and enable authentication using your on-premises or cloud-based Active Directory setup. The documentation linked below provides comprehensive step-by-step instructions for using the feature's capabilities.
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview
https://aka.ms/azurefiles/adsetup