Dealing with File shares and Intune/AAD joined computers

stavros mitchell 51 Reputation points
2020-10-22T19:51:55.753+00:00

Hey everyone

I have a client of around 100 - 150 users. Their production file share has moved to SharePoint, but I have around 4 TB of data which they use for reference quite often, with share permissions currently on a file server.

We are currently moving computers off the domain and enrolling them into AAD. We started a few Intune policies, which are working perfectly.

The goal is: if possible, can I create a storage account in Azure for the 4 TB of data? Of course there will be multiple containers with different access keys, and Intune would configure the mapped drive on the PCs, so the user never gets the access keys. This way I kind of control the permissions.

Also, would you guys know a way to use RBAC rules in case they get hold of the access keys on the containers in the storage?

Thanks for all the help, and if you have other suggestions I am open to them.


4 answers

  1. deherman-MSFT 33,216 Reputation points Microsoft Employee
    2020-10-22T23:09:06.667+00:00

    @stavros mitchell

    For Azure Files you can authenticate with Azure AD DS. You can assign access permissions to the identities. As recommended in our docs, I recommend reading through our planning guide. I am unfamiliar with Intune, but you can refer to our documentation on mounting with Windows, which might be helpful.

    Hope this helps. Let me know if you have any specific questions or issues and I will be happy to help.

    -------------------------------

    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


  2. Crystal-MSFT 42,796 Reputation points Microsoft Vendor
    2020-10-23T05:24:48.357+00:00

    @stavros mitchell From the Intune side, to configure drive mapping via Intune, we can use a script to do this. Here are some links for reference:
    https://techblog.ptschumi.ch/microsoft-365/intune-endpoint-manager/intune-logon-script-and-drive-mapping-how-to/
    https://www.2azure.nl/2019/09/07/create-a-drive-mapping-using-intune-on-azure-ad-joined-devices-manual/
    Note: Non-Microsoft links, just for reference.

    Hope it can help.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
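
As an added illustration of the two answers above (identity-based access for Azure Files, and a script delivered through Intune), here is a drive-mapping script that stores no storage account key on the device. It is not code from the thread participants or from the linked blogs. It assumes identity-based authentication is already enabled on the storage account, the user holds a share-level RBAC role such as Storage File Data SMB Share Reader, and the script runs in the signed-in user's context; the account name, share name and drive letter are placeholders.

```powershell
# Added example: map an Azure Files share for the signed-in user without a storage account key.
# Placeholders below are assumptions, not values from the thread.
$StorageAccount = '<storage-account-name>'
$ShareName      = '<share-name>'
$DriveLetter    = 'R'

$FileHost = "$StorageAccount.file.core.windows.net"
$UncPath  = "\\$FileHost\$ShareName"
$LogFile  = Join-Path $env:TEMP 'MapReferenceShare.log'

function Write-Log([string]$Message) {
    # One timestamped line per event so a failed mapping can be diagnosed later.
    "$(Get-Date -Format o) $Message" | Add-Content -Path $LogFile
}

# SMB needs outbound TCP 445; stop early with a clear log entry if it is blocked.
$probe = Test-NetConnection -ComputerName $FileHost -Port 445 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    Write-Log "TCP 445 to $FileHost is not reachable; drive not mapped."
    exit 1
}

# Leave a correct mapping alone; replace a stale one on the same letter.
$existing = Get-SmbMapping -LocalPath "${DriveLetter}:" -ErrorAction SilentlyContinue
if ($existing) {
    if ($existing.RemotePath -eq $UncPath) {
        Write-Log "${DriveLetter}: is already mapped to $UncPath."
        exit 0
    }
    Remove-SmbMapping -LocalPath "${DriveLetter}:" -Force -UpdateProfile
}

try {
    # No -Credential is passed: the share is opened with the user's own identity,
    # so access is decided by the share-level role assignment, not by a shared key.
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $UncPath `
        -Persist -Scope Global -ErrorAction Stop | Out-Null
    Write-Log "Mapped ${DriveLetter}: to $UncPath."
} catch {
    Write-Log "Mapping ${DriveLetter}: failed: $($_.Exception.Message)"
    exit 1
}
```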


  3. Steve Parankewich 1 Reputation point
    2021-09-27T04:33:58.187+00:00

    Any update to this? I have a customer with 4 million files I have copied up to Azure Files, but I require Identity Based Auth and we are moving everything to Azure AD Joined machines as per Microsoft's huge push and the benefits of Azure AD Only. Users access the data via Windows Explorer, and the sync client for OneDrive has a 300,000 limit. The data is best accessed from a share.


  4. JR 1 Reputation point
    2021-11-14T02:34:35.747+00:00

    The file share setup we currently have still uses a managed domain through AD housed on 2 Azure VM DCs. We connected our on-premises network to Azure with a S2S VPN tunnel, and our remote users connect to the network using P2S tunnels from the Azure VPN Client. We have a couple file shares configured at our offices on Windows 10 machines.

    I was worried the file shares would begin failing if we moved our remote users from Hybrid Azure AD-joined machines to Azure AD-joined machines, but as long as the user is configured in AD, when they connect to the VPN they're still able to access the file shares even though the machines are not configured in AD. The file shares themselves are on machines that are configured in AD, but the laptops remote users connect with are not, they're only in Azure AD. This setup also works with file shares configured on the Azure VMs.

    Perhaps we will fully migrate away from AD one day, but as an interim step, this allows us to stop dealing with clunky Hybrid Azure AD-joined machines for our remote users.

    Hopefully this workaround helps you figure out a solution for your tenant.
