Configuring access and authentication
Storage accounts can provide identity-based authentication for SMB file shares through either on-premises Active Directory Domain Services (AD DS) or Azure Active Directory Domain Services (AADDS). Both allow clients to authenticate to the share with Kerberos rather than with the storage account key. A storage account can be joined to a single forest only; users from other forests can be served only if forest trusts are configured.
To provide this authentication, the storage account is registered in the directory service as an account object (by default a computer account). Authentication is then combined with two layers of authorization: Azure RBAC roles at the share level, and the NTFS permissions (ACLs) on the files and directories themselves; a user needs both to access a file. There are three built-in RBAC roles for share-level access that you should be cognizant of:
• Storage File Data SMB Share Reader: This role grants read access to the files and directories on the SMB share.
• Storage File Data SMB Share Contributor: This role grants read, write, and delete access (listing is part of read) to the files and directories on the SMB share.
• Storage File Data SMB Share Elevated Contributor: This role grants Contributor access as well as the ability to modify the NTFS permissions (Access Control Lists (ACLs)) on the files and directories of the SMB share.
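The following script is an added example and is not taken from the chapter. It assigns the least-privileged share-level role to a synced AD group and then audits which identities hold any of the three SMB share roles on that share. The subscription ID, share name and group name are placeholders.

```powershell
# Added example: share-level RBAC for an Azure file share (placeholder names throughout).
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # assumed subscription
$resourceGroup  = "AZ104-Chapter7"
$storageAccount = "storagename01"
$shareName      = "share01"                                 # assumed file share name
$groupName      = "FileShare-Users"                         # assumed AD group synced to Azure AD

# Share-level roles are scoped to the individual file share, not to the whole storage account.
$shareScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
              "/providers/Microsoft.Storage/storageAccounts/$storageAccount" +
              "/fileServices/default/fileshares/$shareName"

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# Grant the least privilege that does the job: Reader for consumers of the data.
# Assign to a group (synced from AD by Azure AD Connect), not to individual users.
$group = Get-AzADGroup -DisplayName $groupName
New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName "Storage File Data SMB Share Reader" `
    -Scope $shareScope

# Audit: who can read, write or, most importantly, change ACLs on this share?
# Get-AzRoleAssignment with -Scope also returns assignments inherited from the storage
# account, resource group and subscription, which is exactly what an audit must see.
Get-AzRoleAssignment -Scope $shareScope |
    Where-Object { $_.RoleDefinitionName -like "Storage File Data SMB Share*" } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Sort-Object RoleDefinitionName |
    Format-Table -AutoSize
```

Treat any "Storage File Data SMB Share Elevated Contributor" assignment that appears at a scope above the share (for example at the resource group) as a finding to review: it lets the holder rewrite NTFS ACLs on every share beneath that scope.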
In the following sections, we will investigate the steps involved in configuring Active Directory domain-joined Azure file shares and the allocation of permissions to these shares.
Configuring Active Directory authentication for a storage account
Several prerequisites must be met before either directory service can be used for authentication. The following diagram illustrates the requirements for an Active Directory integration:

Figure 7.20 – Azure AD authentication enablement process
We will now follow the process for configuring AD DS authentication on an Azure file share. In the section that follows, we will explore configuring access to the file share and then mounting it. Finally, we will explore how to configure permissions on the share:
- Create an AD environment. You can run the following quick-start template, which will deploy an Active Directory forest in Azure: https://azure.microsoft.com/en-gb/resources/templates/create-ad-forest-with-subdomain/.
- Set up Azure AD Connect and sync AD with Azure AD. This is required because the share-level RBAC roles are assigned to the synced Azure AD identities of your AD users and groups.
- Deploy a test VM.
- Domain-join your VM to AD.
- Set up an Azure Storage account (limit the account name to 15 characters, because it becomes the name of the AD account object) and create an Azure file share.
- Download the AzFilesHybrid PowerShell module, which is used to configure AD DS authentication: https://github.com/Azure-Samples/azure-files-samples/releases/tag/v0.2.3.
- Enable AD DS authentication on the storage account by running the following PowerShell commands, changing the domain name and OU to match what you configured in Active Directory. The commands must be run on an AD-joined machine, by an account that is allowed to create computer objects in the target OU and that has rights on the storage account in Azure. You can use the test VM:
Import-Module -Name AzFilesHybrid
Connect-AzAccount
Join-AzStorageAccountForAuth -ResourceGroupName "AZ104-Chapter7" -StorageAccountName "storagename01" -DomainAccountType "ComputerAccount" -Domain "domainname.com" -OrganizationalUnitDistinguishedName "OU=AzureShares,OU=Az104_Resources,DC=domainname,DC=com"
Your storage account, and therefore its file shares, should now be registered in your on-premises AD domain as a computer object in the OU you specified.
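The following script is an added example, not part of the chapter, that verifies the result of the procedure above from both sides: the Azure side (the storage account reports AD DS as its directory service) and the directory side (the computer object exists, is enabled, sits in the intended OU and carries the expected service principal name). It assumes the resource names used in the chapter and that the AzFilesHybrid and ActiveDirectory (RSAT) modules are available on the AD-joined test VM; Debug-AzStorageAccountAuth is the diagnostic cmdlet shipped in the AzFilesHybrid module.

```powershell
# Added example: verify the AD DS registration performed by Join-AzStorageAccountForAuth.
# Run on the AD-joined test VM. Names are the chapter's placeholders.
$resourceGroup  = "AZ104-Chapter7"
$storageAccount = "storagename01"
$expectedOu     = "OU=AzureShares,OU=Az104_Resources,DC=domainname,DC=com"

# 1. The AD account name is derived from the storage account name, so it must fit the
#    15-character limit mentioned in the procedure.
if ($storageAccount.Length -gt 15) {
    throw "Storage account name '$storageAccount' exceeds 15 characters; AD registration will fail."
}

# 2. Azure side: the account must report AD as its directory service and carry the
#    domain details the module wrote (domain name, GUID, SID, storage account SID).
$sa   = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount
$auth = $sa.AzureFilesIdentityBasedAuth
if ($auth.DirectoryServiceOptions -ne "AD") {
    throw "Identity-based authentication is '$($auth.DirectoryServiceOptions)', expected 'AD'."
}
$auth.ActiveDirectoryProperties |
    Format-List DomainName, NetBiosDomainName, DomainGuid, DomainSid, AzureStorageSid

# 3. Directory side: the computer object exists, is enabled and landed in the intended OU.
$adObject = Get-ADComputer -Filter "Name -eq '$storageAccount'" `
    -Properties DistinguishedName, Enabled, ServicePrincipalNames
if (-not $adObject) { throw "No computer object named '$storageAccount' was found in AD." }
if (-not $adObject.Enabled) { throw "Computer object '$storageAccount' is disabled." }
if ($adObject.DistinguishedName -notlike "*,$expectedOu") {
    Write-Warning "Object is at $($adObject.DistinguishedName), not under $expectedOu"
}
# Clients request a Kerberos ticket for this SPN (cifs/<account>.file.core.windows.net)
# when they mount the share; a missing or wrong SPN breaks authentication silently.
$adObject.ServicePrincipalNames

# 4. Let the module run its own end-to-end checks (DNS, port 445, SPN, account password).
Import-Module -Name AzFilesHybrid
Debug-AzStorageAccountAuth -StorageAccountName $storageAccount -ResourceGroupName $resourceGroup -Verbose
```

The password of this computer object is one of the storage account's Kerberos keys, so it is as sensitive as the account key itself; keep the OU it lives in under the same change control as other service accounts.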
Top Tip
If you receive an error when updating a module, such as the PowerShellGet module, you can run the following command to force the update. Change the module name as required:
Get-InstalledModule -Name "PowerShellGet" | Update-Module -Force
In the next section, we will explore assigning share-level and file-level permissions, as well as mounting an SMB share on a Windows machine.