Azure Files allows you to access file shares in Azure, but until recently use was restricted to RBAC permission. Azure Files SMB Access for Azure AD Domain Services is generally available and support for Windows AD is now in public preview. This video goes over how to enable Azure Files for SMB access secured with your on-premises Windows AD Directory Services.
This video covers creating a Storage Account and an Azure Files share, and setting NTFS-style permissions on the files and directories in the share.
Link to the Azure Files Script:
https://github.com/Azure-Samples/azure-files-samples/releases
Set Execution Policy:
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
Copy files:
.\CopyToPSPath.ps1
Import the AzFilesHybrid Module:
Import-Module -Name AzFilesHybrid
Set the variables:
$SubscriptionId = "<your-subscription-id-here>"
$ResourceGroupName = "<resource-group-name-here>"
$StorageAccountName = "<storage-account-name-here>"
Set the session to the Azure Subscription:
Select-AzSubscription -SubscriptionId $SubscriptionId
Register the storage account with Windows AD (pick either -OrganizationalUnitName or -OrganizationalUnitDistinguishedName, not both; a comment line cannot sit between backtick-continued lines, so the alternative is noted after the command):
Join-AzStorageAccountForAuth `
-ResourceGroupName $ResourceGroupName `
-Name $StorageAccountName `
-DomainAccountType "<ComputerAccount|ServiceLogonAccount>" `
-OrganizationalUnitDistinguishedName "<ou-distinguishedname-here>"
# OR, instead of the distinguished name, use the OU name:
#   -OrganizationalUnitName "<ou-name-here>"
# Note: ComputerAccount supports AES256 Kerberos tickets; ServiceLogonAccount does not (the module warns about this).
Confirm the settings:
# Get the target storage account
$storageAccount = Get-AzStorageAccount `
-ResourceGroupName $ResourceGroupName `
-Name $StorageAccountName
# List the directory service of the selected storage account (expect "AD" for Windows AD DS)
$storageAccount.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
# List the directory domain information if the storage account has enabled
# AD DS authentication for file shares
$storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties
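As an added example (not part of the original post or the AzFilesHybrid module), the following PowerShell does two checks around the join step: before joining, it looks for any existing AD object that shares the storage account name (the name-collision case reported in the comments, where an OU of the same name was picked up instead of the computer account), and after joining, it confirms that AD DS auth is enabled and that the identity the join created resolves in AD with the expected SPN. It assumes the Az and ActiveDirectory (RSAT) modules are loaded, Select-AzSubscription has already run, the $ResourceGroupName and $StorageAccountName variables from the steps above are set, and the public-cloud file endpoint suffix file.core.windows.net.

```powershell
# Added example: pre- and post-checks for Join-AzStorageAccountForAuth.
# Assumes Az + ActiveDirectory modules, an active Az session, and the
# $ResourceGroupName / $StorageAccountName variables from the steps above.

# 1. Pre-check: the join step looks AD objects up by the storage account name,
#    so an existing object of another class (e.g. an OU) with that name gets
#    found instead of the computer/service logon account it is meant to create.
$collisions = Get-ADObject -Filter "Name -eq '$StorageAccountName'" -Properties objectClass
foreach ($obj in $collisions) {
    if ($obj.objectClass -notin @('computer', 'user')) {
        Write-Warning ("AD object '{0}' ({1}) shares the name '{2}'; rename it or choose " +
            "another storage account name before joining.") -f
            $obj.DistinguishedName, $obj.objectClass, $StorageAccountName
    }
}

# 2. Post-check: AD DS auth must be enabled on the storage account.
$storageAccount = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$idAuth = $storageAccount.AzureFilesIdentityBasedAuth
if ($idAuth.DirectoryServiceOptions -ne 'AD') {
    throw "Storage account '$StorageAccountName' is not configured for AD DS auth " +
          "(DirectoryServiceOptions = '$($idAuth.DirectoryServiceOptions)')."
}
$adProps = $idAuth.ActiveDirectoryProperties

# 3. Post-check: resolve the registered identity by its SID (AzureStorageSid)
#    and verify the CIFS SPN clients will request a Kerberos ticket for.
$identity = Get-ADObject -Identity $adProps.AzureStorageSid -Properties servicePrincipalName, objectClass
$expectedSpn = "cifs/$StorageAccountName.file.core.windows.net"   # public cloud suffix assumed
[pscustomobject]@{
    Domain        = $adProps.DomainName
    Forest        = $adProps.ForestName
    AdObject      = $identity.DistinguishedName
    ObjectClass   = $identity.objectClass
    SpnRegistered = ($identity.servicePrincipalName -contains $expectedSpn)
}
```

If SpnRegistered comes back False, or ObjectClass is not computer or user, the join did not register the identity you expected and SMB authentication against the share will fail.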
23 thoughts on “Azure Files SMB Access with Windows AD”
Hello there, I have been trying to follow your YouTube vid, and getting stuck trying to join the storage account to my AD. I keep getting the following
Hello, I have been following along in your YouTube vid. I seem to be getting stuck joining the storage account to my local AD. Any idea what my issue is here?
Error I am getting is below
Unable to find type [Microsoft.Azure.Commands.Management.Storage.Models.PSStorageAccount].
At C:\Users\bdpbmain\Documents\WindowsPowerShell\Modules\AzFilesHybrid\0.1.2.0\AzFilesHybrid.psm1:3496 char:9
+ [Microsoft.Azure.Commands.Management.Storage.Models.PSStorage …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Microsoft.Azure…SStorageAccount:TypeName) [], RuntimeException
+ FullyQualifiedErrorId : TypeNotFound
Did you install the AzFilesHybrid module?
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable#11-script-prerequisites
Yes sir, I finally got it working. Not sure what changed but I'm good now, thank you!
I’m not able to import the AzFilesHybrid module, I get this error when attempting that:
PS C:\temp\AzFilesHybrid> Import-Module -Name AzFilesHybrid -Force
Import-Module : The specified module ‘Az.Network’ was not loaded because no valid module file was found in any module directory.
At C:\Program Files\WindowsPowerShell\Modules\AzFilesHybrid\0.2.0.0\AzFilesHybrid.psm1:947 char:5
+ Import-Module -Name Az.Network -Global -ErrorAction Stop
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (Az.Network:String) [Import-Module], FileNotFoundException
+ FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand
Import-Module : The module to process ‘AzFilesHybrid.psm1’, listed in field ‘ModuleToProcess/RootModule’ of module manifest ‘C:\Program
Files\WindowsPowerShell\Modules\AzFilesHybrid\0.2.0.0\AzFilesHybrid.psd1’ was not processed because no valid module was found in any module directory.
At line:1 char:1
+ Import-Module -Name AzFilesHybrid -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (AzFilesHybrid:String) [Import-Module], PSInvalidOperationException
+ FullyQualifiedErrorId : Modules_ModuleFileNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand
I also tried installing the Az module first (Install-Module -Name Az -AllowClobber -Scope CurrentUser), then rerunning the AzFilesHybrid module – still fails…
Any idea what the root cause is?
I ran into this and had to install the az.network module first. I also copied the directory to C:\Windows\System32\WindowsPowerShell\v1.0\Modules but I don't think it was necessary.
Install-Module az.network
Question..
What if you want to create multiple shares and map them?
Is it one share per SA?
A storage account can have multiple shares.
Thanks for the video! Well covered and easy to follow. I followed the tutorial and created a share using a computer account. The share is working as expected and NTFS permissions are committing successfully. My issue: I created a second file share mirroring the steps for share creation. I'm having an issue managing NTFS perms on the second share. IAM is the same for both. I'm getting an error about not being able to determine that the computer named (Name) is joined to the domain.
Hi, Great article – I also watched your videos on Youtube.
Couple of questions regarding the DNS setup for the endpoint... watching some content from MS, they have a setup where they leverage a DNS conditional forwarder to point to a set of DNS servers in their Azure environment, which in turn has a forwarder configured to point to an IP, which according to them is a special reserved IP address and is the same in every vNET. This is WAY more complicated than the setup you reference in your video... Can you speak to this at all? I understand the DNS piece, I'm just wondering why architecturally they would opt for something so complex...
They went on to say they would have ARM templates available to provide this setup, but I haven’t been able to find these anywhere – I don’t suppose you have knowledge of that either?
Thanks!
BEN
It could be that method does not require adding a new host record in DNS. If the IP address was 168.63.129.16, this article may help explain what it’s for. https://docs.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16
Hi, great video. Question: do I have to do the mount as Super User for each VM in a given VNET for them to be able to access as one of the users in the domain groups?
Because I managed to add the NTFS access to a given group but when I try to connect from another VM it does not work. Thanks.
As long as the server is domain joined and has access to a DC, it should work like a normal SMB share.
Hi,
Your command `Import-Module -Name AzFilesHybrid` does not seem to work:
PS C:\Users\azureuser\Downloads\AzFilesHybrid> Import-Module -Name AzFilesHybrid
Request-PowerShellGetModule : PowerShellGet was not successfully installed, and is a requirement of this module. See
https://docs.microsoft.com/powershell/scripting/gallery/installing-psget for information on how to manually troubleshoot the PowerShellGet installation.
At C:\Program Files\WindowsPowerShell\Modules\AzFilesHybrid\0.2.0.0\AzFilesHybrid.psm1:5562 char:5
+ Request-PowerShellGetModule
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Request-PowerShellGetModule
Import-Module : The module to process ‘AzFilesHybrid.psm1’, listed in field ‘ModuleToProcess/RootModule’ of module manifest ‘C:\Program
Files\WindowsPowerShell\Modules\AzFilesHybrid\0.2.0.0\AzFilesHybrid.psd1’ was not processed because no valid module was found in any module directory.
At line:1 char:1
+ Import-Module -Name AzFilesHybrid
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (AzFilesHybrid:String) [Import-Module], PSInvalidOperationException
+ FullyQualifiedErrorId : Modules_ModuleFileNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand
PS C:\Users\azureuser\Downloads\AzFilesHybrid>
Hey there, great video only one that helped me get this working,
One question I have is: do all users and groups need to be synced to Azure AD from your AD DS to be able to access the file share?
Thanks
Thank you for the great video but I am facing an issue with Join domain command, after I run it, I receive following error:
ensure-kerb key exists : caught exception: an operation is currently performing on this storage account that requires exclusive access.
For me when running join-AzStorageAccountForAuth I always get an error before it finishes.
Get-AzStorageAccountADObject : AD object is of unsupported object class organizationalUnit computer.
At C:\Users\…\Modules\AzFilesHybrid\0.2.3.0\AzFilesHybrid.psm1:3758 char:33
+ $azureStorageIdentity = Get-AzStorageAccountADObject `
Any fixes?
Never mind on the last one about the error. I had an OU with the same name as the storage account (and thus the computer name) and it was finding the OU instead.
Thanks for the update!
Hey, same thing happened to me, the storage account name was conflicting, that's why it was giving the error.
your comment has solved my issue after 3 hrs of troubleshooting 🙂
PS C:\temp\AzFilesHybrid> Join-AzStorageAccountForAuth `
-ResourceGroupName $ResourceGroupName `
-Name $StorageAccountName `
-DomainAccountType “ServiceLogonAccount” `
-OrganizationalUnitDistinguishedName “OU=AzureFileShare,DC=****,DC=local”
WARNING: Parameter -DomainAccountType is ‘ServiceLogonAccount’, which will not be supported AES256 encryption for Kerberos tickets.
Get-AzResourceGroup : 17:08:27 – Provided resource group does not exist.
At C:\Users\administrator.****\Documents\WindowsPowerShell\Modules\AzFilesHybrid\0.2.3.0\AzFilesHybrid.psm1:2060 char:32
+ … $resourceGroupObject = Get-AzResourceGroup -Name $ResourceGroupName
Hi Travis!
I just followed your troubleshooting. One thing I noticed is that the administrator can't see/edit permissions past the 2nd level of folders.
Hello, when connecting as the user I always get the message that I now have to enter the password. The groups I have created in the local AD and then online still assign the various permissions. Do you have an idea what this could be?