question

0 Votes
gisgeezer asked ·

Permanently mapping Azure file share from Azure VM

Hi

We have an Azure VM and an Azure file share set up and want to use the file share to store configuration for some COTS applications that run on the VM as services under an Azure AD synced service account.

To achieve this, I believe the file share needs to be permanently mounted and accessible from the VM, not just for the currently logged in user, but also for the service account that the COTS software is running under.

I have read various posts and have tried several things, including net use commands and PowerShell (e.g. New-SmbGlobalMapping) in an attempt to permanently map the file share. However, these only appear to work either within PowerShell or for the currently logged in user.

This MUST be possible, so can somebody please explain what the best practice way to permanently map an Azure file share on an Azure VM for all users (including the service account) is?

If mapping the file share as a drive on the VM is not the right solution, please can someone explain what the best practice way to do this is?

The goal is eventually to use the file share across multiple load balanced VMs that all share the same configuration, which is stored on the file share.

Any assistance/experience would be much appreciated.

azure-files

1 Vote
Sumarigo-MSFT answered ·

@gisgeezer Dealing with cmdkey, especially with service accounts, is a bit hard. I recommend, if possible, that you use Active Directory to enable access to their file share. All they need to do is give their service account access via RBAC once AD is configured and they should be good.


Additional information: If you have a service which is authenticated using a domain-based service account on a Windows Server 2019 server. At logon a script runs which maps a drive to an Azure File Share on the server. However, while the share can be accessed via the full UNC path of the file share, it cannot be reached by the drive mapping. When logged in as an interactive user, the drive letter is fine. Customer wants to know if it is possible to access a drive mapping from a non-interactive service.



The following approaches are better explained in these articles:
https://techcommunity.microsoft.com/t5/itops-talk-blog/tips-amp-tricks-for-azure-file-shares/ba-p/277943


Access issues with an application or service account
If your application or service is running under a different user account than what the drive is mounted with, you may experience an issue where the application or service account cannot access the Azure file share. Some workarounds:
- Mount the drive from the same user account that contains the application. You can use a tool such as PsExec.
- Pass the storage account name and key in the user name and password parameters of the net use command.
- Use the cmdkey command to add the credentials into Credential Manager. Perform this from a command line under the service account context, either through an interactive login or by using runas.
- Map the share directly without using a mapped drive letter. Some applications may not reconnect to the drive letter properly, so using the full UNC path may be more reliable.



https://blogs.iis.net/davidso/azurefile
https://social.msdn.microsoft.com/Forums/en-US/b55aa80a-130b-4c7d-8d0f-0907a360a0a1/mount-azure-file-store-for-iis-application-pool


Hope this helps!
Kindly let us know if the above helps or you need further assistance on this issue.





Please don’t forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
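The cmdkey workaround listed in the answer above, combined with access by full UNC path, as an added PowerShell example that is not part of the original thread. The storage account, share and service-account names are placeholders, and the `localhost\<account>` user-name form passed to cmdkey is an assumption to check against current Azure Files documentation.

```powershell
# Added example, not from the thread. Run it in a console started AS the service
# account (interactive logon or runas): Credential Manager entries are per user.
param(
    [string]$StorageAccount = '<storage-account-name>',    # placeholder
    [string]$ShareName      = '<share-name>',              # placeholder
    [string]$ExpectedUser   = '<DOMAIN\service-account>'   # placeholder
)

$ErrorActionPreference = 'Stop'
$fileHost = "$StorageAccount.file.core.windows.net"
$unc      = "\\$fileHost\$ShareName"

# 1. Make sure the credential will be stored for the intended account.
$current = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($current -ne $ExpectedUser) {
    throw "Running as '$current', expected '$ExpectedUser'. Stored credentials are per user."
}

# 2. SMB uses TCP 445; fail early if the path to the storage endpoint is blocked.
if (-not (Test-NetConnection -ComputerName $fileHost -Port 445 -InformationLevel Quiet)) {
    throw "TCP 445 to $fileHost is not reachable."
}

# 3. Prompt for the storage account key instead of hard-coding it in the script.
$secureKey = Read-Host -AsSecureString "Storage account key for $StorageAccount"
$plainKey  = [System.Net.NetworkCredential]::new('', $secureKey).Password

# 4. Store the credential for this user. The key is passed as a process argument,
#    so it can show up in process-creation logs when command-line auditing is on.
#    User-name form is an assumption (see lead-in).
cmdkey "/add:$fileHost" "/user:localhost\$StorageAccount" "/pass:$plainKey" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "cmdkey failed with exit code $LASTEXITCODE" }
Remove-Variable plainKey

# 5. Verify using the full UNC path rather than a drive letter.
if (-not (Test-Path -LiteralPath $unc)) {
    throw "Cannot reach $unc as $current"
}
"OK: $current can reach $unc"
```

The storage account key grants full access to the storage account, so anything that can run as the service account can use the stored credential; the AD/RBAC approach recommended in the answer avoids storing the key on the VM.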



@gisgeezer Just checking in to see if the above answer helped. If this answers your query, please don’t forget to "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

0 Votes 0 ·


Thanks for the info @Sumarigo-MSFT, which is very helpful. The AD access using RBAC sounds like the best solution. I have been on leave, so will pick this up with the customer's Dev Ops team.

I will also try some of the other solutions you proposed.

0 Votes 0 ·


@Sumarigo-MSFT - Just to confirm, we have used the cmdkey method, running this from command-line as the service account and this is working for us. We are also still looking into the AD/RBAC approach.


Thanks very much for your help.


0 Votes 0 ·