Azure Files - Identity auth
Lab Objective
In this hands-on lab, you will learn how to:
- Understand Azure Files identity-based authentication with on-premises Active Directory Domain Services (AD DS) and identities synchronized to Azure AD
- Configure Azure Files for Active Directory integration with on-premises or cloud identities
- Set up share-level and file-level permissions using RBAC and NTFS ACLs
- Test identity-based access from domain-joined virtual machines
- Troubleshoot common authentication issues with Azure Files
- Implement secure file sharing for enterprise scenarios
Scenario: Your organization needs to migrate on-premises file shares to Azure Files while maintaining existing Active Directory-based access controls. Users should be able to access Azure Files using their domain credentials with appropriate permissions based on their group memberships.
Pre-Provisioned Environment
The following Azure resources have been pre-deployed in your environment:
Resource Overview
Resource Type | Resource Name | Configuration | Purpose |
---|---|---|---|
Resource Group | AzureFiles-Lab-RG | Contains all lab resources | Logical container |
Storage Account | azurefileslab[unique] | Premium FileStorage | Azure Files host |
File Share | corporate-share | 100 GB quota | Primary file share |
File Share | department-share | 50 GB quota | Department-specific share |
Virtual Network | Corp-VNet | Address space: 10.0.0.0/16 | Corporate network |
Domain Controller | DC01 | Windows Server 2019 | Active Directory services |
Client VM | Client01 | Windows 11 Enterprise | Domain-joined client |
Client VM | Client02 | Windows 11 Enterprise | Domain-joined client |
Azure AD Connect | Pre-configured | Hybrid identity sync | Directory synchronization |
Active Directory Structure
Corporate Domain: corp.local
├── Domain Controller (DC01)
├── Organizational Units
│   ├── Corporate Users
│   │   ├── Alice Johnson (HR Manager)
│   │   ├── Bob Smith (Finance Analyst)
│   │   └── Carol Davis (IT Administrator)
│   └── Service Accounts
│       └── AzureFilesSync
├── Security Groups
│   ├── HR-Users (Alice Johnson)
│   ├── Finance-Users (Bob Smith)
│   ├── IT-Admins (Carol Davis)
│   └── All-Employees (All users)
└── Client Computers
    ├── Client01 (Domain-joined)
    └── Client02 (Domain-joined)
VM Details
VM | Private IP | Operating System | Domain Status | Purpose |
---|---|---|---|---|
DC01 | 10.0.0.4 | Windows Server 2019 | Domain Controller | AD DS services |
Client01 | 10.0.1.4 | Windows 11 Enterprise | Domain-joined | User testing |
Client02 | 10.0.1.5 | Windows 11 Enterprise | Domain-joined | User testing |
Lab Exercises
Part 1: Examine Azure Files Configuration
Step 1: Navigate to Storage Account
- Navigate to AzureFiles-Lab-RG resource group
- Click on the Storage Account (azurefileslab[unique])
- In the left menu, click File shares
- Observe the pre-created shares:
corporate-share
department-share
Step 2: Check Current Authentication Method
- Click on corporate-share
- In the left menu, click Configuration
- Examine current settings:
- Authentication method: should show "Storage account key" initially (identity-based access has not been configured yet)
- Access tier: Premium (the lab account is Premium FileStorage)
- Protocol: SMB 3.1.1
Step 3: Test Current Access Method
- In corporate-share, click Connect
- Copy the PowerShell command for mapping the drive
- Note: this script uses storage account key authentication. It stores the account key on the client with cmdkey and maps the drive as the storage account itself, so the session carries no per-user identity and anyone holding the key gets the same full access to every share. Identity-based access, configured in Part 2, replaces this model.
Part 2: Configure Azure AD Authentication
Step 1: Open Identity-Based Access Settings
- In the Storage Account, go to Data storage → File shares
- Under Identity-based access, click the status link (initially Not configured)
- Three identity sources are offered, and only one can be active per storage account: On-premises Active Directory Domain Services, Azure Active Directory Domain Services (Azure AD DS), and Azure AD Kerberos
- Note: Azure AD DS is a Microsoft-managed domain, not corp.local. Enabling it would not let DC01's users authenticate to the shares, so do not select it in this lab
Step 2: Select On-Premises AD Integration
- Under On-premises Active Directory Domain Services, click Set up
- This selects hybrid identity authentication: users authenticate to corp.local with Kerberos, and their synchronized Azure AD identities are used for share-level authorization
- The portal only records status. The actual setup (a Kerberos key for the storage account, an AD object holding that key with the right SPN, and the domain details registered on the storage account) is done with PowerShell in Step 3
Step 3: Domain Join the Storage Account
From DC01, run PowerShell as Administrator:
# Requires the ActiveDirectory module (RSAT, present on DC01) and Az.Storage
Install-Module -Name Az.Storage -Force
Import-Module Az.Storage
Import-Module ActiveDirectory

# Connect to Azure (if not already authenticated)
Connect-AzAccount

# Set variables
$resourceGroupName  = "AzureFiles-Lab-RG"
$storageAccountName = "azurefileslab[unique]"
$adAccountName      = "AzureFilesSync"   # pre-created service logon account in OU=Service Accounts
$spn                = "cifs/$storageAccountName.file.core.windows.net"

# 1. Create the dedicated Kerberos key (kerb1). It is separate from key1/key2 and is the only
#    secret that goes into AD; if you rotate it later, the AD password must be reset again.
New-AzStorageAccountKey -ResourceGroupName $resourceGroupName -Name $storageAccountName -KeyName kerb1 | Out-Null
$kerbKey = (Get-AzStorageAccountKey -ResourceGroupName $resourceGroupName -Name $storageAccountName -ListKerbKey |
            Where-Object KeyName -eq "kerb1").Value

# 2. Make AzureFilesSync the storage account's Kerberos identity: password = kerb1,
#    SPN = cifs/<file endpoint>, password never expires (nothing rotates it on your behalf)
Set-ADAccountPassword -Identity $adAccountName -Reset `
    -NewPassword (ConvertTo-SecureString $kerbKey -AsPlainText -Force)
Set-ADUser -Identity $adAccountName -ServicePrincipalNames @{ Add = $spn } -PasswordNeverExpires $true -Enabled $true

# 3. Register the domain and the AD identity on the storage account
$domain = Get-ADDomain
$adUser = Get-ADUser -Identity $adAccountName
Set-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName `
    -EnableActiveDirectoryDomainServicesForFile $true `
    -ActiveDirectoryDomainName $domain.DNSRoot `
    -ActiveDirectoryNetBiosDomainName $domain.NetBIOSName `
    -ActiveDirectoryForestName $domain.Forest `
    -ActiveDirectoryDomainGuid $domain.ObjectGUID.ToString() `
    -ActiveDirectoryDomainSid $domain.DomainSID.Value `
    -ActiveDirectoryAzureStorageSid $adUser.SID.Value `
    -ActiveDirectorySamAccountName $adUser.SamAccountName `
    -ActiveDirectoryAccountType User

Write-Host "Storage account domain join completed"
Microsoft's AzFilesHybrid module (Join-AzStorageAccountForAuth) performs the same steps automatically and can create a dedicated computer account instead of reusing a user account; the manual form above shows what the module does and what the verification steps have to check.
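Most identity-auth failures on Azure Files trace back to one of the values registered in Step 3 drifting from what AD actually holds (wrong SID, missing or duplicated SPN, expired password on the service account, RC4-only encryption). The following verification script is an added example for this lab, not Microsoft's code; it assumes the AD identity is the AzureFilesSync user in corp.local, that the Kerberos key is kerb1, and the usual substitution for azurefileslab[unique]. Run it on DC01 after Step 3.

```powershell
# Added check (not part of the original lab): compare what the storage account recorded
# about the domain and its AD identity with the live directory, and flag the classic
# misconfigurations before any client tries to mount.
Import-Module ActiveDirectory
Import-Module Az.Storage

function Test-AzFilesAdJoin {
    param(
        [string]$ResourceGroupName  = "AzureFiles-Lab-RG",
        [string]$StorageAccountName = "azurefileslab[unique]",   # assumption: replace with the real name
        [string]$AdAccountName      = "AzureFilesSync"
    )
    $expectedSpn = "cifs/$StorageAccountName.file.core.windows.net"
    $problems    = New-Object System.Collections.Generic.List[string]

    # 1. What the storage account believes (DirectoryServiceOptions must be AD for on-prem AD DS)
    $sa   = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
    $auth = $sa.AzureFilesIdentityBasedAuth
    if ($auth.DirectoryServiceOptions -ne "AD") {
        $problems.Add("DirectoryServiceOptions is '$($auth.DirectoryServiceOptions)', expected 'AD'")
    }
    $props = $auth.ActiveDirectoryProperties

    # 2. Compare with the live domain
    $domain = Get-ADDomain
    if ($props.DomainGuid -ne $domain.ObjectGUID.ToString()) {
        $problems.Add("Domain GUID mismatch: storage account has '$($props.DomainGuid)'")
    }
    if ($props.DomainSid -ne $domain.DomainSID.Value) {
        $problems.Add("Domain SID mismatch: storage account has '$($props.DomainSid)'")
    }

    # 3. The AD identity: SID, SPN, non-expiring password, AES-256 support
    $adObj = Get-ADUser -Identity $AdAccountName -Properties ServicePrincipalName, PasswordNeverExpires,
                'msDS-SupportedEncryptionTypes', PasswordLastSet
    if ($props.AzureStorageSid -ne $adObj.SID.Value) {
        $problems.Add("AzureStorageSid does not match $AdAccountName ($($adObj.SID.Value))")
    }
    if ($adObj.ServicePrincipalName -notcontains $expectedSpn) {
        $problems.Add("SPN '$expectedSpn' is not registered on $AdAccountName")
    }
    if (-not $adObj.PasswordNeverExpires) {
        $problems.Add("Password on $AdAccountName expires; the Kerberos key would silently stop working")
    }
    # msDS-SupportedEncryptionTypes bits: 0x4 = RC4, 0x8 = AES128, 0x10 = AES256 (unset => RC4 for user accounts)
    $etypes = [int]($adObj.'msDS-SupportedEncryptionTypes')
    if (($etypes -band 0x10) -eq 0) {
        $problems.Add("AES-256 not enabled on $AdAccountName (msDS-SupportedEncryptionTypes=$etypes); tickets fall back to RC4")
    }

    # 4. The SPN must be unique; a duplicate breaks Kerberos and clients quietly fall back to NTLM.
    #    This searches the current domain; use -Server "<domain>:3268" for a multi-domain forest.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$expectedSpn)")
    if ($holders.Count -ne 1) {
        $problems.Add("SPN '$expectedSpn' is held by $($holders.Count) objects")
    }

    [pscustomobject]@{
        StorageAccount  = $StorageAccountName
        AdIdentity      = $props.SamAccountName
        AccountType     = $props.AccountType
        PasswordLastSet = $adObj.PasswordLastSet
        Passed          = ($problems.Count -eq 0)
        Problems        = $problems.ToArray()
    }
}

Test-AzFilesAdJoin | Format-List
```

PasswordLastSet is worth keeping an eye on: the AD password and kerb1 are two copies of the same secret, so if the key is regenerated in Azure without a matching Set-ADAccountPassword (or vice versa), every mount starts failing with a credential error even though the portal still shows the account as configured.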
Part 3: Configure Share-Level Permissions
Step 1: Set Up RBAC Roles
- Navigate to corporate-share
- Click Access Control (IAM)
- Add role assignments (the groups must already be synchronized to Azure AD by Azure AD Connect; the portal picker only shows Azure AD objects, and the SMB share roles only work for identities whose on-premises SID is synchronized):
Assignment 1 - IT Administrators:
- Role: Storage File Data SMB Share Elevated Contributor
- Assign access to: User, group, or service principal
- Select: IT-Admins group
- Purpose: Full administrative access
Assignment 2 - HR Users:
- Role: Storage File Data SMB Share Contributor
- Select: HR-Users group
- Purpose: Read/write access to HR folders
Assignment 3 - Finance Users:
- Role: Storage File Data SMB Share Reader
- Select: Finance-Users group
- Purpose: Read-only access
Assignment 4 - All Employees:
- Role: Storage File Data SMB Share Reader
- Select: All-Employees group
- Purpose: Basic read access to common folders
Step 2: Configure Department Share Permissions
- Navigate to department-share
- Add role assignments:
Assignment 1:
- Role: Storage File Data SMB Share Contributor
- Select: HR-Users group
- Purpose: HR department full access
Assignment 2:
- Role: Storage File Data SMB Share Reader
- Select: Finance-Users group
- Purpose: Finance read access for reports
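Clicking through IAM works for six assignments but does not scale and leaves no record of intent. The block below is an added example, not part of the original lab: it applies the Part 3 assignments as code, scoped to each share rather than to the whole storage account, and then reviews what is effectively in force. It assumes Az.Resources 5 or later (Get-AzADGroup exposes .Id), that the four groups are already synchronized to Azure AD, and the usual substitution for azurefileslab[unique].

```powershell
# Added example (not from the original lab): share-scoped RBAC as code plus an effective-access review.
Import-Module Az.Resources
Import-Module Az.Storage

$resourceGroupName  = "AzureFiles-Lab-RG"
$storageAccountName = "azurefileslab[unique]"   # assumption: replace with the real name
$subscriptionId     = (Get-AzContext).Subscription.Id
$accountScope       = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName" +
                      "/providers/Microsoft.Storage/storageAccounts/$storageAccountName"

# Desired state, mirroring Part 3: group -> role, per share
$desired = @{
    "corporate-share"  = @(
        @{ Group = "IT-Admins";     Role = "Storage File Data SMB Share Elevated Contributor" },
        @{ Group = "HR-Users";      Role = "Storage File Data SMB Share Contributor" },
        @{ Group = "Finance-Users"; Role = "Storage File Data SMB Share Reader" },
        @{ Group = "All-Employees"; Role = "Storage File Data SMB Share Reader" }
    )
    "department-share" = @(
        @{ Group = "HR-Users";      Role = "Storage File Data SMB Share Contributor" },
        @{ Group = "Finance-Users"; Role = "Storage File Data SMB Share Reader" }
    )
}

foreach ($share in $desired.Keys) {
    # Share-level scope: the role applies to this share only, not to every share in the account
    $scope = "$accountScope/fileServices/default/fileshares/$share"
    foreach ($entry in $desired[$share]) {
        $group = Get-AzADGroup -DisplayName $entry.Group
        if (-not $group) {
            throw "Group '$($entry.Group)' not found in Azure AD; check Azure AD Connect sync before assigning roles"
        }
        $existing = Get-AzRoleAssignment -ObjectId $group.Id -Scope $scope -RoleDefinitionName $entry.Role |
                    Where-Object Scope -eq $scope
        if ($existing) { Write-Host "exists: $share  $($entry.Group) -> $($entry.Role)"; continue }
        New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $entry.Role -Scope $scope | Out-Null
        Write-Host "added : $share  $($entry.Group) -> $($entry.Role)"
    }
}

# Review. Get-AzRoleAssignment -Scope also returns assignments inherited from the account,
# resource group, or subscription. Two things to look for:
#  - Azure RBAC is additive: Alice is in HR-Users (Contributor) and All-Employees (Reader) and
#    ends up with Contributor; Bob is Reader twice and stays Reader.
#  - An SMB share role assigned above the share level applies to every share in the account,
#    which is rarely what was intended.
foreach ($share in $desired.Keys) {
    $scope = "$accountScope/fileServices/default/fileshares/$share"
    Get-AzRoleAssignment -Scope $scope |
        Where-Object RoleDefinitionName -like "Storage File Data SMB Share*" |
        Select-Object @{ n = "Share";     e = { $share } },
                      DisplayName, RoleDefinitionName,
                      @{ n = "Inherited"; e = { $_.Scope -ne $scope } },
                      @{ n = "Elevated";  e = { $_.RoleDefinitionName -like "*Elevated*" } } |
        Format-Table -AutoSize
}
```

Treat any row with Inherited = True or Elevated = True on a non-admin group as a finding: Elevated Contributor is the only built-in SMB role that can rewrite NTFS ACLs, so it should only ever land on IT-Admins.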
Part 4: Test Identity-Based Access
Step 1: Connect to Client01 as Alice Johnson (HR Manager)
- Navigate to Client01
- Click Connect → RDP
- Login as domain user:
  - Username: corp\alice.johnson
  - Password: LabPassword123!
Step 2: Mount Azure File Share
From Client01, open Command Prompt and run (REM lines are comments; do not pass /user: or the storage key, the mount authenticates with Alice's Kerberos ticket):
REM Map corporate share using identity authentication
net use Z: \\azurefileslab[unique].file.core.windows.net\corporate-share
REM Check if the mapping succeeded
net use
REM Navigate to the share
dir Z:\
Expected Result: the share maps successfully using Alice's domain credentials
Step 3: Test File Operations as HR Manager
REM Create HR folder structure
mkdir Z:\HR-Documents
mkdir Z:\HR-Documents\Policies
mkdir Z:\HR-Documents\Employee-Records
REM Create test files
echo "HR Policy Document" > Z:\HR-Documents\Policies\hr-policy.txt
echo "Employee Record Sample" > Z:\HR-Documents\Employee-Records\sample.txt
REM List created content
dir Z:\HR-Documents /s
Step 4: Test Department Share Access
REM Map department share
net use Y: \\azurefileslab[unique].file.core.windows.net\department-share
REM Create HR-specific content
mkdir Y:\HR-Department
echo "HR Department File" > Y:\HR-Department\department-info.txt
REM Verify access
dir Y:\HR-Department
Part 5: Test Different User Permissions
Step 1: Connect as Bob Smith (Finance Analyst)
- Disconnect from Client01 or use Client02
- Login as:
  - Username: corp\bob.smith
  - Password: LabPassword123!
Step 2: Test Finance User Access
From Client02, open Command Prompt:
REM Map corporate share as Finance user
net use Z: \\azurefileslab[unique].file.core.windows.net\corporate-share
REM Read HR documents (succeeds: Finance-Users holds Share Reader)
dir Z:\HR-Documents
REM Try to create a Finance folder (fails with "Access is denied")
mkdir Z:\Finance-Reports
REM Try to create a file in it (fails for the same reason)
echo "Finance Report Q3" > Z:\Finance-Reports\q3-report.txt
REM Test read access to the department share
net use Y: \\azurefileslab[unique].file.core.windows.net\department-share
dir Y:\
Expected Results:
- Corporate Share: read only. Bob reaches the share through two assignments (Finance-Users and All-Employees), both Share Reader; Azure RBAC is additive, so the result is still Reader
- Department Share: read only (Finance-Users holds Share Reader)
- Finance folder: creation fails. The share-level role is a gate in front of the NTFS ACLs: a Share Reader cannot write anywhere on the share regardless of the folder ACL, so NTFS permissions can only narrow what the share-level role allows, never widen it
Step 3: Test Access Restrictions
REM Try to delete an HR file (fails with "Access is denied")
del Z:\HR-Documents\Policies\hr-policy.txt
REM Try to modify an HR file (the redirection fails with "Access is denied")
echo "Modified by Finance" >> Z:\HR-Documents\Policies\hr-policy.txt
REM Confirm nothing changed (del does not set ERRORLEVEL on failure, so check the file itself)
dir Z:\HR-Documents\Policies
type Z:\HR-Documents\Policies\hr-policy.txt
Part 6: Configure File-Level NTFS Permissions
Step 1: Connect as IT Administrator
- Login to Client01 as:
  - Username: corp\carol.davis
  - Password: LabPassword123!
Step 2: Set NTFS Permissions
From Client01 PowerShell as IT Admin (Carol holds Share Elevated Contributor, the only built-in SMB role that allows changing NTFS ACLs):
# Map the share
net use Z: \\azurefileslab[unique].file.core.windows.net\corporate-share

# A new share's root ACL grants NT AUTHORITY\Authenticated Users Modify and every folder inherits it.
# Break inheritance on the department folders first, otherwise the explicit grants below sit on top
# of an inherited entry that still lets every domain user write.
icacls Z:\HR-Documents /inheritance:d
icacls Z:\HR-Documents /remove:g "NT AUTHORITY\Authenticated Users" /T
icacls Z:\HR-Documents /grant "corp\HR-Users:(OI)(CI)F" /T
icacls Z:\HR-Documents /grant "corp\Finance-Users:(OI)(CI)R" /T
icacls Z:\HR-Documents /remove "corp\All-Employees" /T

# Create the Finance folder with appropriate permissions
mkdir Z:\Finance-Reports
icacls Z:\Finance-Reports /inheritance:d
icacls Z:\Finance-Reports /remove:g "NT AUTHORITY\Authenticated Users" /T
icacls Z:\Finance-Reports /grant "corp\Finance-Users:(OI)(CI)F" /T
icacls Z:\Finance-Reports /grant "corp\HR-Users:(OI)(CI)R" /T

# Common area: every employee may modify
mkdir Z:\Common
icacls Z:\Common /grant "corp\All-Employees:(OI)(CI)M" /T

# Verify permissions
icacls Z:\HR-Documents
icacls Z:\Finance-Reports
icacls Z:\Common
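Reading icacls output folder by folder is error-prone once a share has more than a handful of directories, and the usual finding is not a missing grant but an inherited one: the default Authenticated Users: Modify entry quietly reaching into folders that were meant to be read-only. The script below is an added audit for this lab, not Microsoft's or the lab's own code. Run it in PowerShell as carol.davis with Z: mapped to corporate-share; the principal names and the drive letter are assumptions for this environment.

```powershell
# Added audit (not part of the original lab): list every Allow ACE on the share that gives
# write-capable rights to a broad principal, with whether it is inherited and whether the
# folder has inheritance blocked.
function Find-BroadWriteAce {
    param(
        [string]$Root = "Z:\",
        [string[]]$BroadPrincipals = @(
            "NT AUTHORITY\Authenticated Users", "Everyone", "BUILTIN\Users",
            "CORP\Domain Users", "CORP\All-Employees"   # assumption: lab-wide groups
        )
    )
    # Access-mask bits that change content, ACLs, or ownership (winnt.h FILE_* and GENERIC_* values):
    # WriteData 0x2, CreateDirectories 0x4, DeleteSubdirectoriesAndFiles 0x40, Delete 0x10000,
    # ChangePermissions 0x40000, TakeOwnership 0x80000, GENERIC_WRITE 0x40000000, GENERIC_ALL 0x10000000
    $writeMask = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne "Allow") { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # FileSystemRights is an Int32 enum; generic bits make the value negative, so widen before masking
            $mask = ([int64][int]$ace.FileSystemRights) -band 0xFFFFFFFF
            if (($mask -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Path               = $folder.FullName
                Principal          = $ace.IdentityReference.Value
                Rights             = $ace.FileSystemRights
                Inherited          = $ace.IsInherited
                InheritanceBlocked = $acl.AreAccessRulesProtected
            }
        }
    }
}

# After Step 2 the expected rows are Z:\Common (All-Employees: Modify, intentional) plus the root's own
# Authenticated Users entry. An inherited Authenticated Users row under HR-Documents or Finance-Reports
# means inheritance was not broken there and every domain user can still write.
Find-BroadWriteAce -Root "Z:\" | Format-Table -AutoSize
```

Run it again after each ACL change; the share-level role still caps what these entries can do (a Share Reader cannot exploit a stray Modify), but every Contributor can, and the Part 3 assignments give Contributor to whole departments.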
Step 3: Test Granular Permissions
Bob is still Share Reader on corporate-share, so the NTFS Full Control just granted to Finance-Users cannot take effect: the share-level role is evaluated first and caps everything below it. Before this test, change the Finance-Users assignment on corporate-share from Storage File Data SMB Share Reader to Storage File Data SMB Share Contributor (Access Control (IAM)), allow a few minutes for the role change to propagate, then switch to Bob Smith (Finance) on Client02 and remount from Command Prompt:
REM Remount so the new share-level role is picked up
net use Z: /delete
net use Z: \\azurefileslab[unique].file.core.windows.net\corporate-share
REM Finance folder: Contributor at share level + Full Control in NTFS = write allowed
echo "Finance data" > Z:\Finance-Reports\test.txt
mkdir Z:\Finance-Reports\Quarterly
REM HR folder: Contributor at share level + Read in NTFS = read only
type Z:\HR-Documents\Policies\hr-policy.txt
echo "Finance comment" > Z:\HR-Documents\finance-comment.txt
REM Common area: Contributor at share level + Modify in NTFS = write allowed
echo "Shared document" > Z:\Common\shared.txt
Part 7: Monitor and Troubleshoot Access
Step 1: Enable File Service Resource Logs
- In the Storage Account, go to Monitoring → Diagnostic settings, select the file resource (the storage account's file service) and click Add diagnostic setting
- Configure the setting:
Setting | Value | Purpose |
---|---|---|
Name | AzureFiles-Diagnostics | Configuration name |
Category: StorageRead | Checked | Log read operations |
Category: StorageWrite | Checked | Log write operations |
Category: StorageDelete | Checked | Log delete operations |
- Destination: Send to Log Analytics workspace (the entries land in the StorageFileLogs table)
Step 2: Test Access Logging
Generate various access patterns:
From a client, Command Prompt:
REM Successful operations
dir Z:\
type Z:\Common\shared.txt
REM Denied operations (run as a user without write access to these paths, e.g. Bob while he holds Share Reader)
del Z:\HR-Documents\Policies\hr-policy.txt
mkdir Z:\Restricted-Area
Step 3: Query Access Logs
In Log Analytics, run queries:
// View file access patterns (AuthenticationType shows whether a session used Kerberos)
StorageFileLogs
| where TimeGenerated > ago(1h)
| where AccountName == "azurefileslab[unique]"
| project TimeGenerated, OperationName, AuthenticationType, AuthenticationHash, CallerIpAddress, Uri, StatusCode, StatusText
| order by TimeGenerated desc

// Failed requests (the denied operations from Step 2 should appear here)
StorageFileLogs
| where TimeGenerated > ago(1h)
| where AccountName == "azurefileslab[unique]"
| where toint(StatusCode) >= 400
| project TimeGenerated, OperationName, AuthenticationType, CallerIpAddress, Uri, StatusCode, StatusText
| order by TimeGenerated desc
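The ad-hoc queries above answer "what happened"; the question worth asking on a schedule is "is anything still reaching this share without Kerberos", because an NTLM session or a storage-key mount after identity-based access is enabled means a client is bypassing the per-user model. The block below is an added example, not part of the original lab: it runs that summary from PowerShell against the StorageFileLogs table populated by the diagnostic setting in Step 1. It assumes Az.OperationalInsights is installed, that you know the Log Analytics workspace ID (placeholder below), and the usual substitution for azurefileslab[unique].

```powershell
# Added example (not from the original lab): summarize SMB sessions by authentication type and
# flag anything that is not Kerberos. Requires a Log Analytics workspace receiving StorageFileLogs.
Import-Module Az.OperationalInsights

function Get-AzFilesAuthSummary {
    param(
        [Parameter(Mandatory)][string]$WorkspaceId,
        [string]$AccountName = "azurefileslab[unique]",   # assumption: replace with the real name
        [int]$Hours = 1
    )
    # Summarize per authentication type: request count, failures, and the set of caller IPs
    $query = @"
StorageFileLogs
| where TimeGenerated > ago(${Hours}h)
| where AccountName == "$AccountName"
| where Protocol == "SMB"
| summarize Requests = count(),
            Failures = countif(toint(StatusCode) >= 400),
            Callers  = make_set(CallerIpAddress)
          by AuthenticationType
"@
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query
    foreach ($row in $result.Results) {
        [pscustomobject]@{
            AuthenticationType = $row.AuthenticationType
            Requests           = [int]$row.Requests
            Failures           = [int]$row.Failures
            Callers            = $row.Callers
            # With identity-based access in place, anything other than Kerberos means a client fell
            # back to NTLM or mounted with the storage account key: investigate the caller IPs.
            Unexpected         = ($row.AuthenticationType -ne "Kerberos")
        }
    }
}

Get-AzFilesAuthSummary -WorkspaceId "<workspace-id>" -Hours 24 | Format-Table -AutoSize
```

The same query is a reasonable basis for a scheduled alert rule; with the SMB settings from Part 8 (Kerberos only) in place, a non-Kerberos row should simply never appear, so one that does is a configuration regression rather than an access-policy question.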
Part 8: Advanced Configuration
Step 1: Configure Azure AD Connect (Pre-configured)
Verify synchronization status:
From DC01 PowerShell:
# Run on the server where Azure AD Connect is installed (pre-configured in this lab)
Import-Module ADSync
Get-ADSyncScheduler

# Force a delta synchronization if needed
Start-ADSyncSyncCycle -PolicyType Delta

# Verify users are synchronized to Azure AD (AzureAD module). corp.local is not a verified
# domain, so the synchronized UPN may carry the tenant's onmicrosoft.com suffix instead; the
# on-premises SID is what Azure Files maps share-level roles to, so confirm it is populated.
Connect-AzureAD
Get-AzureADUser -Filter "userPrincipalName eq 'alice.johnson@corp.local'"
Get-AzureADUser -SearchString "alice.johnson" | Select-Object UserPrincipalName, OnPremisesSecurityIdentifier
Step 2: Configure Kerberos Authentication
The on-premises AD DS source already authenticates SMB sessions with Kerberos; what remains is to refuse the weaker alternatives. These settings live on the file service, not on Set-AzStorageAccount (there is no -EnableKerberosTicketEncryption parameter). From DC01 PowerShell:
# Kerberos only (no NTLMv2), AES-256 tickets, AES-256-GCM channel encryption, SMB 3.1.1 only
Update-AzStorageFileServiceProperty -ResourceGroupName "AzureFiles-Lab-RG" `
    -StorageAccountName "azurefileslab[unique]" `
    -SmbAuthenticationMethod "Kerberos" `
    -SmbKerberosTicketEncryption "AES-256" `
    -SmbChannelEncryption "AES-256-GCM" `
    -SmbProtocolVersion "SMB3.1.1"

# Read the effective settings back
(Get-AzStorageFileServiceProperty -ResourceGroupName "AzureFiles-Lab-RG" -StorageAccountName "azurefileslab[unique]").ProtocolSettings.Smb

# On a client, request the service ticket and inspect it: "KerbTicket Encryption Type" must read AES-256
klist get cifs/azurefileslab[unique].file.core.windows.net
klist
Two consequences to plan for: disabling NTLMv2 also disables mounting with the storage account key (the Part 1, Step 3 method), and AES-256 tickets are only issued if the AD object from Part 2 supports AES-256 (msDS-SupportedEncryptionTypes) and its password was reset after that was enabled; Microsoft's AzFilesHybrid module provides Update-AzStorageAccountAuthForAES256 for that migration.
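After tightening the server-side settings, the useful check is from the client's point of view: can it reach port 445, does the KDC issue a ticket for the share's SPN, what encryption type is on that ticket, and what dialect did the SMB session negotiate. The function below is an added example for this lab, not Microsoft's code; run it in PowerShell on Client01 or Client02 as a domain user, with the storage account name substituted (an assumption in the default parameter).

```powershell
# Added client-side check (not part of the original lab): preflight and post-mount verification
# of the Kerberos path to an Azure file share.
function Test-AzFilesKerberos {
    param([string]$StorageAccountName = "azurefileslab[unique]")   # assumption: replace with the real name

    $server = "$StorageAccountName.file.core.windows.net"
    $spn    = "cifs/$server"

    # 1. TCP 445 must be open end to end; many ISPs and some NSGs block it and the symptom is a generic mount error
    $port445 = (Test-NetConnection -ComputerName $server -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded

    # 2. Ask the KDC for the service ticket. This fails if the SPN is missing or duplicated in AD
    #    or if the client cannot reach a domain controller.
    $getOutput    = & klist get $spn 2>&1 | Out-String
    $ticketIssued = $getOutput -match "retrieved successfully"

    # 3. Read the ticket back from the cache and extract its encryption type. Cache entries start with
    #    "#n>", so the match is confined to the entry whose Server line names this SPN.
    #    RC4-HMAC(NT) here means the AD object's key is RC4 and AES-256 enforcement will break the mount.
    $cache = & klist 2>&1 | Out-String
    $etype = $null
    $entry = [regex]::Match($cache,
        "Server:\s+$([regex]::Escape($spn))[^#]*?KerbTicket Encryption Type:\s+(?<etype>[^\r\n]+)",
        "IgnoreCase")
    if ($entry.Success) { $etype = $entry.Groups["etype"].Value.Trim() }

    # 4. Dialect of an existing SMB session to this server (null if nothing is mapped yet)
    $dialect = (Get-SmbConnection -ServerName $server -ErrorAction SilentlyContinue | Select-Object -First 1).Dialect

    [pscustomobject]@{
        Server           = $server
        Port445Open      = $port445
        TicketIssued     = $ticketIssued
        TicketEncryption = $etype
        Aes256Ticket     = ($etype -like "AES-256*")
        SmbDialect       = $dialect
    }
}

Test-AzFilesKerberos | Format-List
```

Read the results in order: Port445Open false means nothing else matters; TicketIssued false points at the SPN or DC reachability (Part 2); Aes256Ticket false with the Part 8 settings applied explains a mount that suddenly fails after hardening; and SmbDialect is expected to read 3.1.1 on the Windows 11 clients used here.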
Step 3: Setup File Sync (Optional)
Configure Azure File Sync for hybrid scenarios:
- Install Azure File Sync agent on DC01
- Register server with Storage Sync Service
- Create sync group for bidirectional sync
- Configure cloud tiering for storage optimization
Troubleshooting Guide
Common Azure Files Identity Issues
Issue | Symptoms | Possible Cause | Solution |
---|---|---|---|
Access denied at mount | net use returns "System error 5 has occurred. Access is denied." | No share-level role for the user or any of the user's groups, or the group is not synchronized to Azure AD | Check share-level role assignments on the share; confirm the group exists in Azure AD with its on-premises SID |
Authentication failures | net use fails with a credential error (for example system error 1326) or prompts for credentials; klist shows no cifs/ ticket | AD integration not configured, SPN missing or duplicated, or the kerb key and the AD account password out of sync | Verify the storage account's AD properties, the SPN on the AD object, and reset the AD password to the current Kerberos key |
Permission errors | Can mount but cannot access or write files | NTFS ACLs more restrictive than the share-level role, or share-level role is Reader while NTFS grants write | Adjust NTFS ACLs with icacls; remember the effective permission is the more restrictive of the two layers, and NTFS can never exceed the share-level role |
Slow performance | File operations are slow | Network latency, or Kerberos fallback to NTLM adding round trips | Check network connectivity on port 445 and confirm sessions authenticate with Kerberos |
Sync issues | Azure AD users or groups not found when assigning roles | Azure AD Connect not synchronizing the objects | Verify directory synchronization and that the objects are in scope of the sync |
Permission Troubleshooting
Permission Level | Scope | Configuration Location | Test Method |
---|---|---|---|
Share-level | Entire file share | Azure Portal IAM | Mount share attempt |
File-level | Individual files/folders | NTFS permissions (icacls) | File operation attempt |
Azure AD | User/group identity | Azure AD portal | User authentication |
On-premises AD | Domain authentication | Domain controller | Domain login |
Additional Experiments
Try these optional exercises to deepen your understanding:
- Multi-forest scenarios: Configure trust relationships for complex AD environments
- Hybrid identity: Test with Azure AD-only users vs synchronized users
- Performance optimization: Configure SMB multichannel and optimize network settings
- Backup integration: Set up Azure Backup for Azure Files
- Cross-platform access: Test Linux client access to Azure Files with identity
Key Takeaways
After completing this lab, you should understand:
- Azure Files supports identity-based authentication from on-premises AD DS, Azure AD DS, or Azure AD Kerberos, one source per storage account
- Share-level permissions are managed through Azure RBAC roles
- File-level permissions use traditional NTFS ACLs for granular control
- Domain joining storage accounts enables seamless integration with existing AD infrastructure
- Azure AD Connect synchronizes on-premises identities to the cloud
- Monitoring and logging are essential for troubleshooting access issues
- Hybrid scenarios combine cloud and on-premises identity management
Azure Files Authentication Methods
Authentication Comparison
Method | Use Case | Complexity | Security | Best For |
---|---|---|---|---|
Storage Account Key | Simple scenarios | Low | Low (shared secret, no per-user authorization or audit) | Development/testing |
Azure AD DS | Cloud-only environments with a managed domain | Medium | High | Cloud-native organizations |
On-premises AD | Hybrid environments with domain-joined clients | High | High | Traditional enterprises |
Azure AD Kerberos | Hybrid identities on Azure AD-joined clients, no line of sight to a DC needed for mounting | Medium | High | Modern hybrid enterprises |
Permission Model
Azure Files Permission Hierarchy
├── Share-level (Azure RBAC)
│   ├── Storage File Data SMB Share Reader
│   ├── Storage File Data SMB Share Contributor
│   └── Storage File Data SMB Share Elevated Contributor
└── File-level (NTFS ACLs)
    ├── Full Control (F)
    ├── Modify (M)
    ├── Read & Execute (RX)
    ├── Read (R)
    └── Write (W)
Migration Best Practices
Pre-Migration Planning
- Assess current file share structure and permissions
- Identify user groups and access patterns
- Plan Azure AD integration strategy
- Design folder structure for optimal performance
Migration Process
- Set up Azure AD Connect for identity synchronization
- Configure Azure Files with appropriate authentication method
- Create file shares with initial folder structure
- Configure share-level permissions using Azure RBAC
- Migrate data using AzCopy or Azure File Sync
- Set file-level permissions using NTFS ACLs
- Test user access from different clients
- Monitor and optimize performance post-migration