DanielHalawi-6151 asked ·

Azure File Share & AD DS Authentication (Access Denied)

Hi all,

I am having difficulties getting Azure Files to authenticate using AD DS.

Landscape

Azure Active Directory (Cloud Only) Users
Active Directory Domain Services (AD DS) - Sync with AAD Tenant
VM - Domain Joined to AD DS
Azure Files Share joined & enabled to Active Directory Domain Services (AD DS)
Location Storage Same Region as all of the above
Private Endpoint in the Same VNET as the above

I can connect to the file share correctly using the access key.

But signing in as an AD user on the VM, I keep getting access denied when attempting to connect to the file share.

I have followed all the prerequisites on https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable?tabs=azure-portal#prerequisites

Any help or advice would be great.

azure-files

deherman-MSFT answered ·

@DanielHalawi-6151
Have a look at the solution for cause 3 from our troubleshooting page. From the description of your environment it sounds like the user might be a cloud only identity. The identity you want to access Azure file share resources with must be a hybrid identity that exists in both AD DS and Azure AD. Please check our page which goes over this in more detail.

Please check this and let me know if it resolves your issue.



Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


DanielHalawi-6151 answered ·

@deherman-MSFT,

Thanks for coming back to me.

So to confirm, I have a cloud only user, that is sync'd from Azure Active Directory into Azure Active Directory Domain Services.

I want the cloud only users to be able to access the file storage for the purpose of FSLogix profiles in Windows Virtual Desktop. What would you recommend as the best approach to this?

I have assigned the cloud only user into the "Storage File Data SMB Share Contributor" role on the IAM of the file share. The VM is domain joined to the Azure Active Directory Domain Services.

Your help is very much appreciated.

Daniel


DanielHalawi-6151 answered ·

Hi,

I have managed to resolve this now... turned off Active Directory DS and enabled "Identity-based access for files shares". This resolved my issue; the confusion was caused by contradiction between AAD-DS and AD DS on my part.



@DanielHalawi-6151 Glad to hear that the issue got fixed. I appreciate you sharing the steps which helped you. Please accept your answer; this would certainly benefit other community members.

0 Votes 0 ·
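The mismatch that caused the access denied in this thread (storage account set to AD DS while the VM and users live in Azure AD DS) can be checked directly from the storage account's properties. The following is an added example, not code from the thread or from Microsoft's documentation; it assumes the Az.Storage module and a session signed in with Connect-AzAccount, and the function name and resource names are hypothetical placeholders.

```powershell
# Added example. Test-FileShareDirectoryService is a hypothetical helper name.
function Test-FileShareDirectoryService {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        # Directory the VM is joined to:
        #   AD    = on-premises Active Directory Domain Services
        #   AADDS = Azure AD Domain Services (managed domain)
        [Parameter(Mandatory)] [ValidateSet('AD', 'AADDS')] [string] $VmDomainType
    )

    $account = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
    $auth    = $account.AzureFilesIdentityBasedAuth

    # Nothing configured means SMB access works with the access key only.
    $configured = 'None'
    if ($null -ne $auth -and $auth.DirectoryServiceOptions) {
        $configured = [string] $auth.DirectoryServiceOptions
    }

    if ($configured -eq 'None') {
        $finding = 'No identity source enabled; only the access key will work.'
    }
    elseif ($configured -ne $VmDomainType) {
        # The situation in this thread: share configured for one directory,
        # VM and users belong to the other, so Kerberos auth is refused.
        $finding = "Share is set to '$configured' but the VM is joined to '$VmDomainType'; expect access denied."
    }
    else {
        $finding = 'Identity source matches; next check the share-level role (e.g. Storage File Data SMB Share Contributor) and NTFS ACLs.'
    }

    [pscustomobject]@{
        StorageAccount = $StorageAccountName
        Configured     = $configured
        VmDomainType   = $VmDomainType
        Match          = ($configured -eq $VmDomainType)
        Finding        = $finding
    }
}

# Usage (placeholders, replace with real names):
# Test-FileShareDirectoryService -ResourceGroupName '<resource-group>' `
#     -StorageAccountName '<storage-account>' -VmDomainType AADDS
```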