Azure File Share & AD DS Authentication (Access Denied)

Daniel Halawi 1 Reputation point
2020-10-29T15:09:53.013+00:00

Hi all,

I am having difficulties getting Azure Files to authenticate using AD DS.

Landscape

Azure Active Directory (Cloud Only) Users
Active Directory Domain Services (AD DS) - Sync with AAD Tenant
VM - Domain Joined to AD DS
Azure Files Share joined & enabled to Active Directory Domain Services (AD DS)
Location Storage Same Region as all of the above
Private Endpoint in the Same VNET as the above

I can connect to the file share correctly using the access key.

But signing in as an AD user on the VM, I keep getting access denied when attempting to connect to the file share.

I have followed all the prerequisites on https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable?tabs=azure-portal#prerequisites

Any help or advice would be great.


3 answers

Sort by: Most helpful
  1. deherman-MSFT 33,701 Reputation points Microsoft Employee
    2020-10-29T22:42:38.22+00:00

    @Daniel Halawi
    Have a look at solution for cause 3 from our troubleshooting page. From the description of your environment it sounds like the user might be a cloud only identity. The identity you want to access Azure file share resources with must be a hybrid identity that exists in both AD DS and Azure AD. Please check our page which goes over this in more detail.

    Please check this and let me know if it resolves your issue.

    -------------------------------

    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


  2. Daniel Halawi 1 Reputation point
    2020-10-30T09:10:02.187+00:00

    @deherman-MSFT ,

    Thanks for coming back to me.

    So to confirm, I have a cloud-only user that is synced from Azure Active Directory into Azure Active Directory Domain Services.

    I want the cloud-only users to be able to access the file storage for the purpose of FSLogix profiles in Windows Virtual Desktop. What would you recommend as the best approach to this?

    I have assigned the cloud-only user to the "Storage File Data SMB Share Contributor" role on the IAM of the file share. The VM is domain joined to the Azure Active Directory Domain Services.

    Your help is very much appreciated.

    Daniel


  3. Daniel Halawi 1 Reputation point
    2020-10-30T09:44:21.667+00:00

    Hi,

    I have managed to resolve this now... turned off Active Directory DS and enabled "Identity-based access for file shares". This resolved my issue; the confusion was caused by a contradiction between AAD DS and AD DS on my part.

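The mismatch the thread resolves (an account configured for self-managed AD DS while the signing-in user is a cloud-only identity synced only into Azure AD DS) can be checked from Az PowerShell before touching the portal. This is an added example, not code from the thread or from Microsoft's documentation; the resource group, storage account, share name and UPN in angle brackets are placeholders you must replace.

```powershell
# Added example (not from the thread). Reports which directory service an Azure
# Files storage account uses for identity-based auth, checks the share-level
# RBAC role the thread assigns, and applies the same switch the poster made
# (AD DS off, Azure AD DS on). Angle-bracket values are assumed placeholders.
$rg    = "<resource-group>"
$sa    = "<storage-account>"
$share = "<file-share>"
$upn   = "<user@contoso.onmicrosoft.com>"

$acct = Get-AzStorageAccount -ResourceGroupName $rg -Name $sa
$opt  = $acct.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
Write-Host "Identity-based auth source on ${sa}: $opt"

switch ($opt) {
    'AD'    { Write-Host "Self-managed AD DS: the user must be a hybrid identity present in both AD DS and Azure AD (cause 3 in the troubleshooting page)." }
    'AADDS' { Write-Host "Azure AD DS: Azure AD users synced into the managed domain can authenticate over SMB." }
    'None'  { Write-Host "No identity-based auth enabled; only the storage account key will work." }
    default { Write-Host "Other directory service configured: $opt" }
}

# Share-level RBAC check. Scope format is the storage account resource ID plus
# the file share path; Get-AzRoleAssignment also returns inherited assignments.
$scope = "$($acct.Id)/fileServices/default/fileshares/$share"
$role  = Get-AzRoleAssignment -Scope $scope -SignInName $upn `
            -RoleDefinitionName 'Storage File Data SMB Share Contributor'
if ($role) {
    Write-Host "Share-level SMB role present for $upn"
} else {
    Write-Warning "No 'Storage File Data SMB Share Contributor' assignment for $upn at $scope"
}

# The fix the poster applied: disable AD DS auth, then enable Azure AD DS auth.
# Only do this when the VMs and users are actually in the Azure AD DS managed domain.
if ($opt -eq 'AD') {
    Update-AzStorageAccount -ResourceGroupName $rg -Name $sa -EnableActiveDirectoryDomainServicesForFile $false
    Update-AzStorageAccount -ResourceGroupName $rg -Name $sa -EnableAzureActiveDirectoryDomainServicesForFile $true
    (Get-AzStorageAccount -ResourceGroupName $rg -Name $sa).AzureFilesIdentityBasedAuth.DirectoryServiceOptions
}
```

Run the first half read-only to confirm the directory service and role assignment; the final block changes the account's authentication source and should only be run once you have confirmed the environment matches the thread's (VM and users in Azure AD DS, not on-premises AD DS).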