We are excited to announce the preview of Azure Files Active Directory (AD) authentication. You can now mount your Azure Files using AD credentials with the exact same access control experience as on-premises. You may leverage an Active Directory domain service (AD DS) either hosted on-premises or on Azure for authenticating user access to Azure Files for both premium and standard tiers. Managing file permissions is also simple. As long as your Active Directory identities are synced to Azure AD, you can continue to manage the share level permission through standard role-based access control (RBAC). For directory and file level permission, you simply configure Windows ACLs (NTFS DACLs) using Windows File Explorer just like any regular file share. Most of you may have already synced on-premises Active Directory to Azure AD as part of Office 365 or Azure adoption and are ready to take advantage of this new capability today.
When you consider migrating file servers to the cloud, many may decide to keep the existing Active Directory infrastructure and move the data first. With this preview release, we made it seamless for Azure Files to work with existing Active Directory with no change in the client environment. You can log into an Active Directory domain-joined machine and access Azure file share with a single sign-on experience. In addition, you can carry over all existing NTFS DACLs that have been configured on the directories and files over the years and have them continue to be enforced as before. Simply migrate your files with ACLs using common tools like robust file copy (robocopy) or orchestrate tiering from on-premises Windows file servers to Azure Files with Azure File Sync. We have also released a video that walks through the end to end setup of replacing an on-premises server with Azure Files including AD authentication.
With AD authentication, Azure Files can better serve as the storage solution for Virtual Desktop Infrastructure (VDI) user profiles. Most commonly, you have set up the VDI environment with Windows Virtual Desktop as an extension of your on-premises workspace while continue to use Active Directory to manage the hosting environment. By using Azure Files as the user profile storage, when a user logs into the virtual session, only the profile of the authenticated user is loaded from Azure Files. You don’t need to set up a separate domain service for managing storage access control experience for your VDI environment. Azure Files provides you the most scalable, cost-efficient, and serverless file storage solution for hosting user profile data. To learn more about using Azure Files for Windows Virtual Desktop scenarios, refer to this article.
Below is a summary of the key capabilities introduced in the preview:
- Enable Active Directory (AD/AD DS) authentication for server message block (SMB) access. You can mount Azure Files from Active Directory domain-joined machines either on-premises or on Azure using Active Directory credentials. Azure Files supports using Active Directory as the directory service for identity-based access control experience for both premium and standard tiers. You can enable Active Directory authentication on self-managed or Azure Files Sync managed file shares.
- Enforce share level and directory or file level permission. The existing access control experience continues to be enforced for file shares enabled for Active Directory authentication. You can leverage RBAC for share-level permission management, then persist or configure directory or file level NTFS DACLs using Windows File Explorer and icacls tools.
- Support file migration from on-premises with ACL persistence over Azure File Sync. Azure File Sync now supports persisting ACLs on Azure Files in native NTFS DACL format. You can choose to use Azure File Sync for seamless migration from on-premises Windows file servers to Azure Files. Existing files and directories tiered to Azure Files through Azure Files Syncs have ACLs persisted in the native format.
Get started and share your experiences
You can create a file share in the preview supported regions and enable authentication with your Active Directory environment running on-premises or on Azure. Here are the documentation links to the detailed guidance on the feature capabilities and step to step enablement.
As always, you can share your feedback and experience over email at firstname.lastname@example.org. Post your ideas and suggestions about Azure Storage on our feedback forum.