Azure Files AD Authentication Integration

  • Published 6 Oct 2024

Comments • 119

  • @yulaw3289 6 months ago

    Going through your list of videos about Azure one by one, really get knocked out by how great they are, many thanks, please keep the ball rolling for the sake of learners around the world.

  • @michellegomez441 2 years ago

    Loved the flow of this demo. You explained the theoretical and actual setup clearly.

  • @Yuricsson01 1 year ago

    Exceptional overview. Many thanks for it. Now I can see how it works

  • @MoeinGhorshi 4 years ago +4

    Finally, Files makes sense for Enterprise Use!

  • @notoriousft 2 years ago

    Beautifully explained. That's what I need at work right now.

  • @Geekier3001 3 years ago

    As usual, super clear explanation with the whiteboard John. Excellent job!

    • @NTFAQGuy 3 years ago +1

      Glad you liked it!

  • @richardwaldron1684 4 years ago

    Thanks for this video, it complements your Pluralsight video on Azure Files very nicely.

    • @NTFAQGuy 4 years ago

      Thank you.

  • @mikewillodea 4 years ago +1

    It's a fantastic feature. Now if only I could get it working for my environment. My on-premises Active Directory is synced to Azure, but all users log in to Azure (Windows 10 Azure AD join) with a UPN enabled through Domains and Trusts. We require each user to give another credential for the primary domain to map drives to the file share. Surely logging in via a UPN should give you permission to the primary domain resource!! aggghh

  • @projectironman3597 2 years ago

    Thanks for the very informative video John, well explained. Keep up the great work.

    • @NTFAQGuy 2 years ago

      Thank you

  • @phoenixlevi270 3 years ago

    So well explained as usual John!

  • @rajismiley8937 4 years ago +1

    What I was really hoping to watch was how you can make the network share automatically point to the correct endpoint between an on-prem File Sync share and the serverless cloud endpoint seamlessly, like DFS does with namespaces. That would make Azure Files AMAZING.

  • @Timmy-Hi5 4 years ago

    /me thinks John is very very very excited about this new Azure service, looks very interesting.

    • @NTFAQGuy 4 years ago +1

      lol

    • @NTFAQGuy 4 years ago +1

      been waiting a LONG time for this!

    • @Timmy-Hi5 4 years ago

      @NTFAQGuy yes :) Let us see if customers will adopt it; the USA region could be more cooperative. As you know the UK is quite conservative when it comes to anything new.... "don't touch it if it works" :) :) :) One of the everyday conversations I have with my boss, nightmare.

    • @thomasodellbalkestahl1956 4 years ago

      Any scenario where this can be used without the 'classic' AD and only an AAD?

    • @NTFAQGuy 4 years ago +1

      You would use the hybrid, where it creates an AAD DS instance based on AAD. AD is always in the picture somewhere :)

  • @markdoyle3252 3 years ago

    Brilliant video, very clear explanation.

    • @NTFAQGuy 3 years ago

      Thank you

    • @markdoyle3252 3 years ago

      @NTFAQGuy Do you need line of sight to a domain controller when integrating AD DS? Is there a way to authenticate without having it?

    • @NTFAQGuy 3 years ago +1

      @markdoyle3252 The client using it does, yes, to get the Kerberos ticket. No, you can't do without AD as it's AD authentication. The storage account does NOT need line of sight.

    • @markdoyle3252 3 years ago

      @NTFAQGuy Great, thanks for getting back to me. And with AAD DS the client devices have to be joined to the AAD DS domain. So the only option for users accessing the Azure file service from a remote location without VPN is using the access keys?

  • @DP-fr1yw 3 years ago +1

    Hi John, I'm a bit stuck on a POC deployment for a customer here. Hope you can help me with it.
    I set up an AD DS with AD Connect on it for the AD auth.
    Created a storage account with a file share on it, enabled AD auth in the correct way.
    Synced some security groups so I can decide the share-level permissions through RBAC.
    So all of the above worked correctly and I can map the file share as a network drive on domain-joined laptops etc.
    I mapped the file share with superuser permissions on my test AD and tried to modify the NTFS rights to get them how we wish. So I made a user a member of the SMB Contributor group, and I made a security group in AD called ReadOnly where I also made the same user a member. I put the ReadOnly security group on a folder in the share, so I expected that for the user I just made a member of the SG & SMB Contributor group, the most restrictive permissions would win. But they actually don't; the user can still edit everything.
    Is there something that I missed maybe?

    • @NTFAQGuy 3 years ago

      In ARM the permissions are cumulative. If you give someone read and then in another assignment give them write, they will have write. If you are saying that on a folder on NTFS directly you set the user with read-only permissions, then yes, in that folder they should only be able to read if it's set up correctly.

  • @TheMowgus 4 years ago +1

    Great content! Will be watching more of your videos.
    Our laptops are Intune Azure AD joined but users are on-prem AD users synced to Azure AD. I would think this should work (as the user principal remains the same) but do you see gotchas? The machines never talk to the domain controllers (and are in fact offsite).

    • @NTFAQGuy 4 years ago

      No, that won't work, as if they don't talk to domain controllers then they won't talk Kerberos. You would need to use the Azure AD integrated option. Good luck.

  • @megaa1c 4 years ago

    thanks John

  • 3 years ago +1

    For tiny companies (

    • @NTFAQGuy 3 years ago

      many companies bigger than that as well :-)

  • @deepakrajput0071 4 years ago

    Amazing stuff. As an alternative, can't we use SharePoint Online?
    SharePoint will take care of the required permissions and also provide ways to map your drive to a document library (I believe it uses WebDAV for that).

    • @NTFAQGuy 4 years ago +1

      Certainly you can use SharePoint/OneDrive for Business as another mechanism and even sync O4B to the desktop.

  • @alexnassar 4 years ago +1

    Great video! Wondering if this is possible without AD Connect to Azure AD? With just Azure AD and Azure Active Directory Services?

    • @NTFAQGuy 4 years ago +1

      Yes, that is the Azure AD integrated option. You can integrate either with AD, or with Azure AD via AAD DS.

  • @tony6626 3 years ago +1

    Great video as always John.
    Can I confirm, for customers with cloud-only solutions (using Azure AD for identities), does this mean we would have to set up Azure AD DS (i.e. we could use the Azure AD already in place)?

    • @NTFAQGuy 3 years ago

      You don't need AAD DS unless you have some requirement for legacy auth like Kerberos or NTLM by an app. If you are all modern then just have AAD.

    • @tony6626 3 years ago

      @NTFAQGuy Many thanks John. I think this is where my confusion lies; all the MS documents point towards having to have AAD DS for the tenant (or on-prem AD DS). I can't find anything that states/shows how you achieve ACLs on a file share with Azure AD.

    • @NTFAQGuy 3 years ago +1

      Sorry, I didn't put the comment with the video :) OK, if you want Azure Files ACLs then yes, you either need AAD DS or regular AD DS, sorry. There are two flavors available. If you don't have AD DS today then AAD DS would be the way to go.

    • @NTFAQGuy 3 years ago

      The way YouTube shows comments on the dashboard, I didn't map the question to the video. My bad :)

    • @tony6626 3 years ago

      @NTFAQGuy Thanks John - keep up the great work on the videos, awesome stuff.

  • @nathanpinotti 4 years ago +1

    Hey, nice video! So am I going to be able to use a nested group strategy as I do in my on-premises env?

    • @NTFAQGuy 4 years ago

      Same Kerberos token, so things will work the same :-)

  • @Stateoftheheart 4 years ago

    Thank you John, stoked the functionality has finally arrived to use on-prem AD! Interested to know how old your Pluralsight training for AZ-103 is & if it's still relevant for studying towards AZ-104? According to Pluralsight's website it was updated June 23 2020, which doesn't make sense as this update on YouTube is from Feb.

    • @NTFAQGuy 4 years ago +1

      The YouTube and Pluralsight content are completely separate. The date on Pluralsight would be accurate.

    • @NTFAQGuy 4 years ago +1

      There are some changes going on right now re courses, so not sure when it will be updated. Sorry.

    • @Stateoftheheart 4 years ago

      @NTFAQGuy Thanks John, sorry I got confused, as I watched the Azure AD authentication PS video and just realized there is another for AD DS.

  • @bazookaman3 4 years ago +1

    Great video, thank you John! I have a question though.
    The best practice for on-prem file shares was to grant Everyone the Full Control access at the "Share" level and then use ACLs at the Folder/File level to secure your share. This way you only need to worry about 1 set of permissions.
    Can we still do something similar with this integration? Or will I have to manage 2 sets of permissions (Azure RBAC roles, and ACLs for Folders/Files)?

    • @NTFAQGuy 4 years ago +1

      You can still do the same thing. RBAC using AAD at the share, and then the ACLs on the file/folder can be more restrictive.

    • @bazookaman3 4 years ago

      @NTFAQGuy Thanks. So would I just assign everyone the SMB Elevated Contributor role in RBAC? Would that be the same as the old "Full Control" share permission?
      One area where I'm getting hung up is the root folder NTFS permissions. Am I able to change that with an Azure file share? For instance, assign NTFS read-only permissions at the root folder level, to stop people from creating top-level folders.

    • @NTFAQGuy 4 years ago

      @bazookaman3 Right, that would be equivalent to the full control on the share. Read docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable which goes through the root permissions.
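The pattern John describes in this thread (and that DP-fr1yw ran into above: Azure RBAC assignments only add up, so the narrowing has to happen in NTFS) as an added PowerShell example. This is not the video's script or Microsoft's page; it assumes the Az module, a key-based mount for the one-time root ACL edit, and placeholder names (subscription, resource group, storage account, share, the synced AD groups and the NetBIOS domain name) that you must replace.

```powershell
# Added example: one broad share-level RBAC assignment standing in for the old
# "Everyone: Full Control" share permission, with the real restriction done in
# NTFS ACLs on the share root and folders. All names below are placeholders.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"
$ResourceGroup  = "RG"
$StorageAccount = "shares"
$ShareName      = "dept"
$NetBiosDomain  = "CORP"            # assumption: NetBIOS name of the on-prem domain
$AllStaffGroup  = "All-Staff"       # assumption: AD group synced to Azure AD
$AdminGroup     = "FileShare-Admins" # assumption: synced AD group for share admins
$FinanceGroup   = "Finance-RW"      # assumption: synced AD group used in NTFS ACLs

Connect-AzAccount
Select-AzSubscription -SubscriptionId $SubscriptionId

# Scope the assignments to this one file share, not the whole storage account.
$shareScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
              "/providers/Microsoft.Storage/storageAccounts/$StorageAccount" +
              "/fileServices/default/fileshares/$ShareName"

# Everyone who should reach the share gets the plain Contributor role
# (read/write/delete at share level). Only the admin group gets Elevated
# Contributor, which is what additionally allows changing NTFS ACLs.
$staff = Get-AzADGroup -DisplayName $AllStaffGroup
New-AzRoleAssignment -ObjectId $staff.Id `
    -RoleDefinitionName "Storage File Data SMB Share Contributor" `
    -Scope $shareScope

$admins = Get-AzADGroup -DisplayName $AdminGroup
New-AzRoleAssignment -ObjectId $admins.Id `
    -RoleDefinitionName "Storage File Data SMB Share Elevated Contributor" `
    -Scope $shareScope

# One-time superuser mount with the storage account key to set the root ACL.
$key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount)[0].Value
$unc = "\\$StorageAccount.file.core.windows.net\$ShareName"
net use Z: $unc /user:"Azure\$StorageAccount" $key

# Root: drop the default Modify for Authenticated Users so nobody can create
# top-level folders, grant read-only instead, and give admins Full Control.
icacls Z:\ /remove "NT AUTHORITY\Authenticated Users"
icacls Z:\ /grant "NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)"
icacls Z:\ /grant "${NetBiosDomain}\${AdminGroup}:(OI)(CI)(F)"

# A specific folder gets Modify for one group: the NTFS ACL, not the RBAC
# role, is what widens or narrows access below the root.
New-Item -ItemType Directory -Path Z:\Finance -Force | Out-Null
icacls Z:\Finance /grant "${NetBiosDomain}\${FinanceGroup}:(OI)(CI)(M)"

# Review the result, then drop the key-based mount so the key is not cached.
icacls Z:\
icacls Z:\Finance
net use Z: /delete
```

A user in All-Staff and Finance-RW ends up with Modify under Z:\Finance and read-only at the root; a user in All-Staff only can read but not create anything at the top level, even though both hold the same share-level role.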

  • @rohanofelvenpower5566 2 years ago

    cheers

  • @Stateoftheheart 4 years ago +1

    Hi John, many companies are using SharePoint Online to store documents. I would like to know what the difference is between storing files in SharePoint Online vs Azure Files & the pros & cons of each. I'm battling to find anything online that explains this well.

    • @NTFAQGuy 4 years ago +1

      Azure Files is ultimately just an SMB share, whereas SharePoint is a complete collaboration platform with rights management, co-authoring and much more.

    • @NTFAQGuy 4 years ago +1

      Also think about sharing. I can external-share with SharePoint Online etc.

    • @Stateoftheheart 4 years ago

      @NTFAQGuy Thanks John, that is helpful!

  • @JohnBevan 4 years ago

    Hey John, thank-you for this video; it really helped me crack some issues that we were having with AD based permissions on Azure Files / get my head around how things fitted together. One question: do you know if Access Based Enumeration (i.e. the ability to hide content to which the user does not have access) exists in Azure Files? Thank-you in advance.

    • @NTFAQGuy 4 years ago +1

      No ABE today.

  • @MoeinGhorshi 4 years ago +1

    When I search a mounted share, where does the search happen? If your local site goes down, does the authentication still happen across Azure for remote users?

    • @NTFAQGuy 4 years ago

      Do you mean if AD is unavailable? If AD is unavailable you won't be able to get a Kerberos ticket so won't have permissions on files/folders.

  • @alexpetrenko5952 3 years ago

    Hi, a very useful feature. Probably I missed that, but does it require that the user account is synchronized to Azure AD to get access?

    • @NTFAQGuy 3 years ago

      Yes, for share IAM.

  • @robb1267 4 years ago

    This is great for remote workers on their domain-joined machines so they don't have to VPN in to get access to a file server. But for on-prem users, isn't using Azure File Sync (with recent data cached locally) still a more efficient method? Otherwise, all on-prem users have to traverse the WAN to Azure to access the files.

    • @jansalisbury1189 4 years ago

      I believe that they do still have to VPN into the on-prem AD for authentication. So for me, it's not quite the game-changer we're looking for. Don't get me wrong, turning file servers off is a big step forward, but what we really need is for this to work without a VPN. That would be the game-changer for me. What do you think John?

    • @kauffmann101 4 years ago

      Or by adopting Azure AD Domain Services, so it's able to use AFS without a VPN.

  • @nidi2234 4 years ago

    Hi John. A little confused with this. Considering we have all users synced from different domains, should all users be able to authenticate to the file share that is domain-joined to an Azure VM? Does the VM need to be domain-joined to the on-premises domain?

  • @jamesgannon8427 4 years ago +1

    If you were to remove the on-prem AD, would this model still work for AAD joined Win10 PCs?

    • @NTFAQGuy 4 years ago

      No, but you could use the AAD integration Azure Files model.

  • @bproducer 4 years ago

    Hi John, great video. Can an on-premises end user connect over SMB 3.0 across the internet to the public endpoint of the Azure file share, or does it require a private endpoint with ExpressRoute/VPN?
    Thanks

    • @NTFAQGuy 4 years ago +1

      With SMB 3, yes, as it has encryption, but it does require corp firewalls to allow it, which is not likely, hence VPN etc. is likely required.

  • @BusinessITSolutions 3 years ago

    Hi John,
    I have a customer with 600 Windows 10 laptops. All users log in to the Windows 10 machine using the Azure AD (M365) login. All devices are also managed by Intune and Azure AD joined. They have never had on-site AD; everything is serverless.
    We spun up Azure Files but can't get Azure AD DS to authenticate. All Microsoft documentation keeps talking about computers needing to be domain-joined. Am I doing something wrong here, and if we take a step back, how do I use Azure Files with 600 Windows 10 devices that are Azure AD joined and managed by Intune?

    • @NTFAQGuy 3 years ago

      This is for AD domain-joined, which you are not, so this won't work. Azure AD is not the same as AD. There is an Azure AD joined alternative which may work, or if you are all modern, something like OneDrive and SharePoint may be a better fit.

    • @BusinessITSolutions 3 years ago

      @NTFAQGuy Thank you John, we are currently on OneDrive/SharePoint but this is a large non-tech-savvy workforce and OneDrive is not an option. So many issues between files not syncing, file upload failures, having to reset OneDrive, users forgetting to check that OneDrive is actually syncing etc.

    • @NTFAQGuy 3 years ago

      @BusinessITSolutions Hmmm, well there is an Azure AD Azure Files integration, but it's not as friendly as the AD integration. It may be your only choice.

  • @sateg 3 years ago

    Hello John, thanks for the great video!
    I have file servers & AD DS on-premises, and would like to migrate some file servers into Azure Files. Will it be enough to extend AD DS into Azure by installing an IaaS VM DC (replicating with the on-prem DCs) + use the trick with the computer account as you described? I am asking whether I really need to configure AAD Connect and synchronize objects from AD DS to AAD. What will we lose if there is no AD Connect?

    • @NTFAQGuy 3 years ago +1

      No, you have to have AAD syncing from AD so AAD has the objects, or you have no way to give RBAC on the share to a user.

    • @sateg 3 years ago

      @NTFAQGuy Thanks a lot, you are right.

  • @midnightwatchman1 3 years ago

    Is the word "acls" a thing? I thought it was ACLs. I was wondering initially when I first heard it.

  • @fabriciomattos16 4 years ago

    I want to unjoin a storage account I joined to my local Active Directory. Whenever I attempt it, I receive the following message: "An operation is currently performing on this storage account that requires exclusive access." What should I do???

    • @NTFAQGuy 4 years ago

      Not seen that error. Make sure you are owner or contributor on the storage account.

  • @toffitomek 3 years ago

    Do you know if there is any chance to allow Azure AD joined devices to authenticate to Azure Files...? That would be the perfect serverless option, fully in the cloud ;)

    • @NTFAQGuy 3 years ago

      You have to have AD in there somewhere, either AADDS or ADDS.

  • @bk6141 4 years ago

    Hi John, great video! I set up a file share and added it to File Sync with on-prem; however, files/folders created directly on the storage account do not sync to the on-prem share. Is this normal? Is it possible to have a two-way sync? Any advice is highly appreciated. Thank you again.

    • @NTFAQGuy 4 years ago +1

      Give it time; they should sync, but it takes a while for the files to be seen by the engine.

  • @msobhy95 3 years ago

    Hi John, very nice video.
    Could you please copy the script to join the AzStorageAccount to AD here?

    • @NTFAQGuy 3 years ago

      The code was all based on the MS KB article to set that up.

  • @donniejohnson6511 4 years ago

    Can an Azure file share be a DFS target? I know Azure File Sync is an option, but I was wondering if we could point the DFS link directly to the Azure share.

    • @NTFAQGuy 4 years ago +1

      I don't see why not; however, if you use AD sites for proximity that wouldn't work. I'd have to test that :)

  • @cpgixxer 4 years ago

    Hey John, great vid. Can you post the link to the .ps1 download in the comments so we know where the script is? Thanks

    • @NTFAQGuy 4 years ago +1

      This is probably the best link for the code. docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable. Good luck!

    • @cpgixxer 4 years ago

      @NTFAQGuy Thank you so much, working on this tomorrow!

    • @cpgixxer 4 years ago

      Join-AzStorageAccountForAuth -ResourceGroupName "RG" -StorageAccountName "shares" -Domain "internaldomain" -OrganizationalUnitDistinguishedName "OU=AzureShare,DC=domain,DC=ca"

    • @NTFAQGuy 4 years ago

      @cpgixxer If you want my script it's on my repo at github.com/johnthebrit/RandomStuff/tree/master/AzureFilesADIntegration, but that MS docs page is the full command set and what I used to create my mini version.

    • @cpgixxer 4 years ago

      @NTFAQGuy I'm home free now, I ran it and it created the account in AD - thanks for all the help!
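The join step that this thread (and msobhy95's request above) is about, as an added PowerShell example. It is not John's script and not the Microsoft doc verbatim; it assumes the AzFilesHybrid module from that doc page and the Az module, a domain-joined machine with rights to create a computer object in the target OU, RSAT's ActiveDirectory module for the `Get-ADComputer` check, and placeholder names (subscription, resource group, storage account, domain, OU) that you must replace.

```powershell
# Added example: enable on-prem AD DS authentication on a storage account,
# then verify what was written on both sides before any client tries to
# mount. All names below are placeholders.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"
$ResourceGroup  = "RG"
$StorageAccount = "shares"
$Domain         = "corp.example.com"                         # assumption: DNS name of the AD domain
$OU             = "OU=AzureShare,DC=corp,DC=example,DC=com"  # assumption: OU for the computer object

Import-Module -Name AzFilesHybrid
Connect-AzAccount
Select-AzSubscription -SubscriptionId $SubscriptionId

# Creates a computer account named after the storage account in the OU and
# stamps the storage account with the domain/SID details Kerberos needs.
# A computer account (rather than a service logon account) is the usual
# choice because Update-AzStorageAccountADObjectPassword can rotate its
# password later.
Join-AzStorageAccountForAuth `
    -ResourceGroupName $ResourceGroup `
    -StorageAccountName $StorageAccount `
    -DomainAccountType "ComputerAccount" `
    -OrganizationalUnitDistinguishedName $OU `
    -Domain $Domain

# Azure side: the storage account must now advertise AD as its directory service.
$sa   = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$auth = $sa.AzureFilesIdentityBasedAuth
if ($auth.DirectoryServiceOptions -ne "AD") {
    throw "Expected DirectoryServiceOptions=AD, got '$($auth.DirectoryServiceOptions)'"
}
"Domain name:  $($auth.ActiveDirectoryProperties.DomainName)"
"Domain SID:   $($auth.ActiveDirectoryProperties.DomainSid)"
"Account SID:  $($auth.ActiveDirectoryProperties.AzureStorageSid)"

# AD side: the computer object must carry the cifs/ SPN for the share
# endpoint, which is what domain clients request a ticket for.
$expectedSpn = "cifs/$StorageAccount.file.core.windows.net"
$computer = Get-ADComputer -Identity $StorageAccount -Properties ServicePrincipalNames
if ($computer.ServicePrincipalNames -notcontains $expectedSpn) {
    throw "AD object for $StorageAccount is missing SPN $expectedSpn"
}

# End-to-end checks from this client (port 445, AD object, Kerberos ticket,
# SID-to-Azure AD user mapping, RBAC). Re-run it whenever a user reports
# "The password is invalid" on mount.
Debug-AzStorageAccountAuth -StorageAccountName $StorageAccount `
    -ResourceGroupName $ResourceGroup -Verbose
```

Run it as an account that can both create the computer object in the OU and write to the storage account; if the join succeeds but the SPN check throws, the computer object exists but the Kerberos mapping did not get written, and clients will never get a ticket for the share.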

  • @Rybek 3 years ago

    In relation to roles in IAM, I understand that you need for example "Storage File Data SMB Share Contributor" to manage NTFS permissions, but for normal user access that just reads, is the normal "Contributor" enough if they will not be editing permissions but creating new folders etc.?

    • @NTFAQGuy 3 years ago

      IAM for Azure Files is about the share access only; NTFS drives what you can do on the actual file system.

    • @Rybek 3 years ago

      @NTFAQGuy I understand, but if the users don't need to right-click on files and edit permissions but just access them, then from what I understand they don't need to use this "Storage File Data SMB Share Contributor". Is this group only required for admins and managers that do operations on files? Or do they actually need to be in this group to be able to create and delete folders and files, because in the end those are SMB operations?

    • @NTFAQGuy 3 years ago

      @Rybek There are multiple share roles based on what the user needs at share level. Suggest you read the docs.

  • @benp89bp 3 years ago

    When you use net use to connect to the share in this instance, do you need to authenticate with your AD account or with the storage account key like you do natively?

    • @NTFAQGuy 3 years ago

      AD account. That is the whole point of this setup.

  • @papixmedia8107 4 years ago

    Just in case someone is trying it on general storage v2, it will not work on that. Use a general storage v1 storage account.

    • @NTFAQGuy 4 years ago

      I used storage v2. It should work with v2; not sure what error you got. Please post it.

  • @Danijam2 3 years ago

    Hi John, is there an option I'm missing where we can authenticate to the share using SMB and just AAD? I.e. we don't have AADDS or on-premises domain controllers. For example, say I just have an AAD registered device (not domain-joined) and an AAD cloud-only user account. Could that user and device mount the share without needing to use the access keys?

    • @NTFAQGuy 3 years ago

      Not with file-level ACLs. It has to integrate with AD for file/folder ACLs.

    • @Danijam2 3 years ago

      @NTFAQGuy Thanks John!

  • @Rybek 3 years ago

    Hi John. Thanks for the great video, but can you clarify something for me please. If we are using File Sync replication to Azure and we want to use the replicated, enforced ACLs in Azure from on-premises (go serverless) in a scenario where on-premises is not available, do we need to replicate all groups that are related to the ACLs to the cloud (locally, users are added to groups and based on that they have access to certain folders), or are user accounts with password synchronisation enough? Is this local computer account needed if password hash synchronisation is enabled? What we want is replication of local shares to the cloud and to be able to access those shares with the same ACLs and uninterrupted authentication to all subdirectories in a DR scenario when on-premises is not available.

    • @NTFAQGuy 3 years ago

      It has to access AD to enforce the ACLs. If on-premises is not available you'll need DCs somewhere the clients can get to for a token.

    • @Rybek 3 years ago

      @NTFAQGuy So ACLs are only enforced when on-premises is available O_o? I thought that they are replicated, and when you have password hash replication for users that are synchronised, with maybe group synchronisation, Azure AD would take control of authentication and authorisation to the shares and local AD would not take any part. So, in short, I'm still dependent on on-premises if I want to use the same ACLs? There is no way to do a replica via Azure File Sync and, when on-premises is offline, access it without disruption by mapping to the cloud with the same ACLs working?

    • @NTFAQGuy 3 years ago

      @Rybek Put DCs in the cloud and enable user access to them. It's AD integrated auth; you need AD to give the token, as I said.

    • @Rybek 3 years ago

      @NTFAQGuy OK, thanks for all the info :)

    • @Rybek 3 years ago

      @NTFAQGuy I'm trying right now to map a resource that was replicated to Azure file shares (storage account) via Azure File Sync to a computer joined to local AD, with ACL enforcement from AD DS. I want to be able to map those resources with ACL enforcement but not rely on local on-prem authentication. This is for a DR scenario. I deployed Azure Active Directory Domain Services, enabled "Identity-based access for file shares", and added users synced via Azure AD Connect to the Storage File Data SMB Share Contributor role. All security groups from local AD that are responsible for access to specific directories are also synced. Mapping is working with ACL enforcement on a computer joined to AAD DS but not working for a computer joined to local AD. I suspect that this computer needs to have access to the AAD DS subnet to use Kerberos and LDAP, so I'm considering a VPN to Azure. I'm guessing that the subnet and vnet the computer will be allocated will also need a route to the AAD DS subnet. Am I missing something? Will that be enough? I want to avoid rejoining the computer from the local on-prem Active Directory to AAD DS, and I understand that I don't need to add the Azure storage account to on-prem, because in this situation authentication will be done by local AD and when it is not available ACL enforcement will not work, so we don't want this step in the process, right?

  • @nrohyarts 4 years ago

    Nice video... question though. I set this up in a lab and despite all my efforts am getting an error "The password is invalid for \\file.core.windows.net\". I have triple-checked settings, verified accounts have synced, run the diags, and all looks OK. But logging in to an AD computer with a user with RBAC roles and NTFS permissions set and trying to mount a drive to the share, I get this error. Any pointers?

    • @NTFAQGuy 4 years ago

      And you have used RBAC on Azure Files as well, right? Try passing the username via net use as well.

    • @nrohyarts 4 years ago

      John Savill I think RBAC changes take a while - after about an hour this magically started to work. The only thing I can attribute it to is something on the Azure backplane settling.
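The client side of what benp89bp asked (net use with the AD identity, no storage key) and the checks that separate the causes of nrohyarts's "The password is invalid" error, as an added PowerShell example. This is not from the video; it assumes a domain-joined Windows client with line of sight to a DC, the storage account already joined to AD, and placeholder storage account and share names that you must replace.

```powershell
# Added example: mount an AD-integrated Azure file share with the logged-on
# Kerberos identity, and the order in which to check things when the mount
# fails with "The password is invalid". Names below are placeholders.
$StorageAccount = "shares"
$ShareName      = "dept"
$Fqdn           = "$StorageAccount.file.core.windows.net"
$Unc            = "\\$Fqdn\$ShareName"

# 1. SMB reachability. Azure Files is SMB on TCP 445; ISPs and corporate
#    firewalls commonly block it, and no credential will fix that.
$tcp = Test-NetConnection -ComputerName $Fqdn -Port 445
if (-not $tcp.TcpTestSucceeded) { throw "TCP 445 to $Fqdn is blocked" }

# 2. Kerberos. The client must reach a DC and get a ticket for the storage
#    account's SPN. Failure here points at the AD computer object, its SPN,
#    or DC line of sight, not at RBAC or NTFS.
klist purge | Out-Null
klist get "cifs/$Fqdn" | Out-Null
$ticket = klist | Select-String -SimpleMatch "cifs/$Fqdn"
if (-not $ticket) { throw "No Kerberos ticket for cifs/$Fqdn; check the AD object/SPN and DC reachability" }

# 3. Mount with the logged-on AD identity: no /user and no key. Share-level
#    access comes from the RBAC role on the synced identity, file-level
#    access from the NTFS ACLs.
net use Z: $Unc
if ($LASTEXITCODE -ne 0) {
    # Ticket is fine but the share still rejects us: usual causes are a
    # share-level RBAC assignment that has not propagated yet, a user not
    # synced to Azure AD, or the role scoped to the wrong share.
    Write-Warning "Identity-based mount of $Unc failed; confirm the RBAC assignment on the share and the user's sync to Azure AD, or run Debug-AzStorageAccountAuth from AzFilesHybrid"
}

# 4. Confirm which identity the SMB session is actually using.
Get-SmbConnection -ServerName $Fqdn |
    Select-Object ServerName, ShareName, UserName, Credential, Dialect

# For contrast only: the key-based mount that bypasses AD entirely. It works
# from anywhere 445 is open, which is exactly why the key stays with admins,
# gets rotated, and is not handed out as a substitute for identity-based access.
# $key = "<storage account key>"
# net use Y: $Unc /user:"Azure\$StorageAccount" $key
```

Running the steps in this order turns "password is invalid" into one of three concrete problems: no 445, no Kerberos ticket for the storage account's SPN, or a share that refuses a valid ticket (RBAC or sync). The last one is the case nrohyarts hit, where the assignment simply had not propagated yet.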