How to access a SMB Share with a Mac via Microsoft Entra Kerberos authentication for hybrid identities on Azure Files WITH EFFECTIVE NTFS PERMISSIONS

Der_Andreas 40 Reputation points
2024-03-15T10:02:30.1133333+00:00

Dear Community,

My Goal:

The goal is to access an SMB share with a Mac via Azure Files with effective NTFS permissions provided through Kerberos authentication in a Microsoft Entra for hybrid identities environment.

What works for Windows machines:

In our local environment, where a Mac accesses an SMB share, the NTFS permissions will work, since they are only bound to the Windows user account. The share can be mounted with the Windows user account and thus the NTFS permissions will be effective.

So we have a hybrid environment and therefore use the Microsoft Entra Kerberos authentication for hybrid identities on Azure Files.

For Windows machines this all works. SMB shares via Azure Files and Kerberos authentication do work as described in the article. NTFS permissions work as they should.

We do not use Intune so far.

What results for Mac machines/users:

Even though it is possible to give a Mac user access to the SMB share with the storage account key, as described in Mount SMB file share on macOS, this is not a solution for effective NTFS permissions for the user, since the storage account keys give you full administrative permissions.

What I tried so far:

Adding the Mac into our local Active Directory (it wasn’t necessary before) to have it synced with the sync agent to Microsoft Entra Devices. This does not work. I tried using the GUI version in macOS itself and the dsconfigad command. Both variants didn’t result in getting the device synced to the devices in Entra ID. So I suppose this is not at all possible.

Resulting questions:

1. Is it at all possible to get the Mac in the registered devices and therefore getting effective NTFS permissions working?

2. If number 1 doesn’t work, would it be possible to do this with Microsoft Intune Enrollment in whatever way?

3. Is it at all possible if both of the mentioned ways won’t work?

Any advice would be much appreciated. THANK YOU,

Greetings from Germany

Andreas

I did post the question in a slightly different way, probably in the wrong place: https://learn.microsoft.com/en-us/answers/questions/1616425/how-to-access-a-smb-share-with-a-mac-via-microsoft


Accepted answer
  1. Sumarigo-MSFT 44,096 Reputation points Microsoft Employee
    2024-03-15T10:25:50.2066667+00:00

    @Der_Andreas Thank you for posting your query here! Welcome to Microsoft Q&A Forum.

    If you have Mac clients, the current recommendation is to use Azure File Sync (to access Azure file shares), since Azure Files does not currently support Kerberos auth for Mac clients.

    If you wish you may leave your feedback here. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

    One of your engineers has responded to your thread (ID: 1616425), and your query has been addressed. Please let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to “Accept the answer” and “up-vote” wherever the information provided helps you; this can be beneficial to other community members.

    1 person found this answer helpful.