Azure File AD Integration
Azure Files provides two ways to authenticate to your Azure file shares. Today, I will show you how to perform Azure Files AD integration in a simplified way.
Today I am going to show you how to perform Azure File AD integration in a simplified way. I hope you will enjoy this blog like my previous one.
Let's first understand what Azure Files does. It works as a shared network file system rather than a disk attached to a single VM: the same folders and files are served to multiple clients at the same time over SMB, and each client computer maps the share as a drive and the team shares data through it.
Azure Files provides two ways to authenticate to a share: the storage account key, and identity-based authentication against Active Directory. The storage account key is a single shared secret that grants full access to every share in the account, so it is not suitable for day-to-day user access. Here we enable on-premises AD DS authentication on the storage account, which lets domain users authenticate to the file share over SMB with their existing on-premises AD DS credentials (Kerberos), with access controlled by Azure RBAC roles at the share level and by NTFS ACLs at the directory and file level.
First, understand the prerequisites for this activity:
- An AD DS environment synchronized to Azure AD (for example with Azure AD Connect), so that the users and groups you will grant access to exist in both directories
- A separate organizational unit (OU) in the on-premises AD to hold the storage account's computer object
- Domain admin permission (or delegated rights to create computer objects in that OU) to run the PowerShell commands for the storage account AD integration
- If a proxy is in place, the Microsoft endpoints needed to reach the Azure subscription must be allowed through it for the integration to work
- The AzFilesHybrid module copied to the domain-joined machine the first time it is run
- Owner permission on the Azure subscription (or another role that can create role assignments) to grant share-level SMB permission to a user or group
- The storage account name must be no more than 15 characters, because it becomes the sAMAccountName of the AD computer object and that attribute is limited to 15 characters
First, validate that directory sync is in place before moving further; the on-premises domain and the Azure AD domain should match:
- On-premise domain - sagarcloud.cf
- Azure AD domain - sagarcloud.cf
Below are the deployment steps:
1. Azure File Set-up
Enable the storage service endpoint on your virtual network and restrict the storage account's network access to it, so the file share is reachable only from your clients rather than from the whole internet.
Once that is done, create a file share with a folder in it and upload the files.
2. Azure File AD Integration
Log in to a domain-joined machine with the domain admin credential, download the AzFilesHybrid module, and run the CopyToPSPath.ps1 script it ships with so that the module is on the PowerShell module path.
Import the module and set the variables:
# Import AzFilesHybrid module
Import-Module -Name AzFilesHybrid

# Connect to Azure Subscription
Connect-AzAccount

# Define parameters
$SubscriptionId = "<your-subscription-id-here>"
$ResourceGroupName = "<resource-group-name-here>"
$StorageAccountName = "<storage-account-name-here>"
$DomainAccountType = "ComputerAccount"                   # or "ServiceLogonAccount"
$OuDistinguishedName = "<ou-distinguishedname-here>"     # the separate OU created for the storage account object
$EncryptionType = "<AES256|RC4|AES256,RC4>"              # prefer AES256; enable RC4 only for legacy clients that need it

# Select the subscription the storage account lives in, otherwise the join runs against the default subscription
Select-AzSubscription -SubscriptionId $SubscriptionId
Join the storage account to a domain:
# Register the storage account in AD DS as a computer object in the chosen OU
Join-AzStorageAccountForAuth `
    -ResourceGroupName $ResourceGroupName `
    -StorageAccountName $StorageAccountName `
    -DomainAccountType $DomainAccountType `
    -OrganizationalUnitDistinguishedName $OuDistinguishedName `
    -EncryptionType $EncryptionType
After the command completes successfully, you will notice a new computer object for the storage account in the chosen OU in AD DS, and the file share blade in the Azure portal shows "AD configured" as enabled.
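As an added check (example code written for this article's setup, not part of the original post), the following PowerShell verifies the join from both sides: that the storage account reports AD as its directory service, and that the AD computer object sits in the intended OU and carries the cifs/ SPN that Kerberos clients will request. It assumes the $ResourceGroupName, $StorageAccountName and $OuDistinguishedName variables from the script above are still set, that the account was joined as a ComputerAccount, and that the RSAT ActiveDirectory module is installed on the domain-joined machine.

```powershell
# Added example: verify the AD DS join from the Azure side and the AD side.
# Assumes $ResourceGroupName, $StorageAccountName, $OuDistinguishedName from the join script,
# DomainAccountType = ComputerAccount, and the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Azure side: the storage account must report AD as its directory service.
$account = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName
$idAuth  = $account.AzureFilesIdentityBasedAuth
if ($idAuth.DirectoryServiceOptions -ne 'AD') {
    throw "Identity-based auth on $StorageAccountName is '$($idAuth.DirectoryServiceOptions)', expected 'AD'"
}
# Domain/forest/SID details the join recorded on the storage account.
$idAuth.ActiveDirectoryProperties | Format-List DomainName, NetBiosDomainName, ForestName, DomainGuid, DomainSid, AzureStorageSid

# AD side: the computer object must exist, live in the chosen OU, and carry the SPN
# cifs/<account>.file.core.windows.net so that clients can obtain a service ticket for the share.
$adObject = Get-ADComputer -Identity $StorageAccountName -Properties DistinguishedName, ServicePrincipalName, PasswordLastSet
if ($adObject.DistinguishedName -notlike "*,$OuDistinguishedName") {
    Write-Warning "Object $($adObject.DistinguishedName) is outside the intended OU $OuDistinguishedName"
}
$expectedSpn = "cifs/$StorageAccountName.file.core.windows.net"
if ($adObject.ServicePrincipalName -notcontains $expectedSpn) {
    throw "SPN $expectedSpn is missing on $($adObject.DistinguishedName)"
}
"AD object OK: $($adObject.DistinguishedName); password last set $($adObject.PasswordLastSet)"
```

The PasswordLastSet value is worth noting down now: it is what the domain's password policy will measure against, which matters for section 5.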
3. Provide Share-Level Permission
There are three built-in roles for share-level access to an Azure file share:
a) Storage File Data SMB Share Reader - Allows for read access to files and directories
b) Storage File Data SMB Share Contributor - Allows for read, write, and delete access on files and directories
c) Storage File Data SMB Share Elevated Contributor - Allows for read, write, delete, and modify ACLs on files and directories
In our demo, we assign the "Storage File Data SMB Share Contributor" role to the AD group named hybridfilesharegroup (the group must be synchronized to Azure AD so that it can be selected in the role assignment):
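The same assignment done from PowerShell, as an added example (not code from the original post): it scopes the role to the individual file share rather than to the whole storage account, so the group cannot reach other shares created later on the same account, and it is idempotent so it can be re-run safely. It assumes the storage account filesg01 and share fileshare1 used later in the post, the resource group placeholder from the join script, and that hybridfilesharegroup has already been synchronized to Azure AD.

```powershell
# Added example: grant share-level SMB access to a synced AD group, scoped to one share.
# Assumes filesg01 / fileshare1 (from the post), a resource group placeholder, and a synced group.
$ResourceGroupName  = "<resource-group-name-here>"
$StorageAccountName = "filesg01"
$ShareName          = "fileshare1"
$GroupName          = "hybridfilesharegroup"
$RoleName           = "Storage File Data SMB Share Contributor"

$subscriptionId = (Get-AzContext).Subscription.Id

# Scope the assignment to the share itself, not the storage account (least privilege).
$shareScope = "/subscriptions/$subscriptionId/resourceGroups/$ResourceGroupName" +
              "/providers/Microsoft.Storage/storageAccounts/$StorageAccountName" +
              "/fileServices/default/fileshares/$ShareName"

# The group must exist in Azure AD; if it does not, directory sync has not picked it up yet.
$group = Get-AzADGroup -DisplayName $GroupName
if (-not $group) { throw "Group '$GroupName' not found in Azure AD; check directory sync" }

# Only create the assignment if it is not already there.
$existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $RoleName -Scope $shareScope
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $RoleName -Scope $shareScope
}

# Review everything granted on the share, including assignments inherited from higher scopes.
# Anything at Elevated Contributor level, or a direct user instead of a group, deserves a second look.
Get-AzRoleAssignment -Scope $shareScope |
    Where-Object RoleDefinitionName -like 'Storage File Data SMB Share*' |
    Select-Object DisplayName, RoleDefinitionName, Scope
```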
4. Assign Directory- and File-Level Permission
Mount the share once with the storage account key, using the command below. The key gives superuser access to the share regardless of the share-level roles, which is what you need in order to set the NTFS ACLs. Once the drive is mounted, grant the required NTFS permission to the AD group (for example Modify on the share root, inherited by subfolders and files), then remove the key-based mapping:
net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> /user:Azure\<storage-account-name> <storage-account-key>
Now log in to the client machine with a domain user account that is a member of the hybridfilesharegroup AD DS group and map the drive with the command below. No credentials are passed: the user's Kerberos ticket from the domain logon is used.
net use y: \\filesg01.file.core.windows.net\fileshare1
Once the drive is available, log off and on several times to check that the mapped drive persists (add /persistent:yes to the net use command if it does not).
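The whole of step 4 as one script, added here as an example and not code from the original post: it fetches an account key, mounts the share with it, grants the AD group Modify on the share root with inheritance using Get-Acl/Set-Acl (the PowerShell equivalent of the Security tab or icacls), prints the resulting ACL, and always removes the key-based mapping afterwards so the key does not linger on the admin workstation. It assumes storage account filesg01 and share fileshare1 from the post, a resource group placeholder, and SAGARCLOUD as the NetBIOS name of the sagarcloud.cf domain (an assumption; use your own domain's NetBIOS name).

```powershell
# Added example: one-off NTFS ACL setup over a key-based mount, then clean-up.
# Assumes filesg01 / fileshare1 (from the post), a resource group placeholder, and the
# NetBIOS domain name SAGARCLOUD (assumption).
$ResourceGroupName  = "<resource-group-name-here>"
$StorageAccountName = "filesg01"
$ShareName          = "fileshare1"
$Domain             = "SAGARCLOUD"
$GroupName          = "hybridfilesharegroup"
$Drive              = "Z:"
$UncPath            = "\\$StorageAccountName.file.core.windows.net\$ShareName"

# Pull the key from Azure rather than pasting it into the script or shell history.
$storageAccountKey = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName)[0].Value

# Mount with the account key. This is superuser access that ignores the share-level RBAC roles,
# which is exactly why it is used only for this one-off ACL setup and removed afterwards.
net use $Drive $UncPath "/user:Azure\$StorageAccountName" $storageAccountKey
if ($LASTEXITCODE -ne 0) { throw "net use failed with exit code $LASTEXITCODE" }

try {
    $root = "$Drive\"
    $acl  = Get-Acl -Path $root

    # Modify on the share root, inherited by subfolders (ContainerInherit) and files (ObjectInherit).
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$Domain\$GroupName",
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $root -AclObject $acl

    # Show what is now on the root so the grant can be reviewed before users are pointed at it.
    (Get-Acl -Path $root).Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType |
        Format-Table -AutoSize
}
finally {
    # Never leave a key-based mapping behind.
    net use $Drive /delete /y
}
```

After this, the domain user's own mapping (net use y: \\filesg01.file.core.windows.net\fileshare1 without credentials) is the only way the share should be reached; if a user can still write without being in the group, check that the group membership has synchronized and that the user's Kerberos ticket was refreshed by logging off and on.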
5. Update the Password of the AD Object
The password of the storage account's AD object is derived from one of the storage account's two Kerberos keys, so updating it (with the Update-AzStorageAccountADObjectPassword cmdlet from the AzFilesHybrid module) is similar to a storage account key rotation. To be more specific, it uses the second Kerberos key of the storage account to update the registered account's password in AD DS, keeping both sides in step. If your domain's password policy expires the password of the AD object on its own, Kerberos authentication to the share stops working until you run this update; to keep the policy from rotating the password, put the storage account's AD object in a separate organizational unit with group policy inheritance disabled.
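A small maintenance script for this step, added as an example (not from the original post): it reads the AD object's password age and, when it passes a threshold you choose, rotates the password with Update-AzStorageAccountADObjectPassword, which regenerates the selected Kerberos key on the storage account and writes the derived password to the AD object. It assumes the storage account was joined as a ComputerAccount, the RSAT ActiveDirectory and AzFilesHybrid modules are available, an active Az session with rights to regenerate the account keys, and a 30-day threshold chosen for illustration (set it below your own domain policy).

```powershell
# Added example: check the AD object's password age and rotate it before the domain policy does.
# Assumes a ComputerAccount join, RSAT ActiveDirectory + AzFilesHybrid, an Az session,
# and a 30-day threshold (assumption; pick a value below your domain's policy).
Import-Module ActiveDirectory
Import-Module AzFilesHybrid

$ResourceGroupName  = "<resource-group-name-here>"
$StorageAccountName = "<storage-account-name-here>"
$MaxPasswordAgeDays = 30

$adObject = Get-ADComputer -Identity $StorageAccountName -Properties PasswordLastSet
$ageDays  = ((Get-Date) - $adObject.PasswordLastSet).TotalDays
"AD object password age for {0}: {1:N0} days" -f $StorageAccountName, $ageDays

if ($ageDays -ge $MaxPasswordAgeDays) {
    # Rotate to the other Kerberos key (kerb2 here; alternate kerb1/kerb2 on successive runs).
    # The cmdlet regenerates that key on the storage account and sets the AD object's password
    # from it, so clients keep authenticating without any change on their side.
    Update-AzStorageAccountADObjectPassword `
        -RotateToKerbKey kerb2 `
        -ResourceGroupName $ResourceGroupName `
        -StorageAccountName $StorageAccountName

    # Confirm the AD side actually changed.
    $after = Get-ADComputer -Identity $StorageAccountName -Properties PasswordLastSet
    if ($after.PasswordLastSet -le $adObject.PasswordLastSet) {
        throw "PasswordLastSet did not advance; check the AD write permission of the account running this"
    }
    "Rotated; PasswordLastSet is now $($after.PasswordLastSet)"
}
else {
    "No rotation needed (threshold $MaxPasswordAgeDays days)"
}
```

Run this with the same permissions used for the join (write access to the computer object in AD and the ability to regenerate storage account keys); scheduling it ahead of the domain's expiration interval avoids the outage described above.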
Now the storage account is ready to be mapped from other client machines: give authorized domain users the net use command from section 4 and they can map the Azure file share and copy data.
Thanks for reading. Share your feedback.