You started your journey to a modern Windows workplace. Your (new) devices are Microsoft Entra joined and no longer joined to the on-premises Active Directory. However, some of your applications might still need a drive mapping to a file share on an on-premises server. This means your Entra joined devices still need line of sight to your on-premises network, even when you're working from a nice place under the sun. Fortunately, we can also host file shares on Azure Storage, and for some time now we have been able to configure Microsoft Entra Kerberos authentication for hybrid identities on these file shares.
Microsoft Entra Kerberos authentication
This configuration allows hybrid users to access Azure file shares over SMB using Kerberos authentication, with Microsoft Entra ID issuing the Kerberos tickets needed to access the file share. In practice this means your end users can access Azure file shares over the internet from Microsoft Entra hybrid joined and Microsoft Entra joined clients, without needing unimpeded network connectivity to domain controllers.
This sounds like an interesting solution when you still have some data left on on-premises file shares and want to move these to a cloud solution. Let’s look at the prerequisites and things we need to configure for this solution.
Requirements
Let’s start with the requirements for this solution, which can be found in detail on the Microsoft Learn site.
Of course we need a storage account in Azure; these are the other requirements:
- Windows 10/11 Enterprise or Pro
- Microsoft Entra joined or Microsoft Entra hybrid joined device
- Hybrid user identity (thus Microsoft Entra Connect or Microsoft Entra Connect cloud sync)
- Exclusion from Conditional Access policies that require MFA
Take note of the last listed requirement. Multi-factor authentication is not supported for this solution (the Kerberos flow on the Azure storage account cannot prompt for a second factor), so we need to exclude the storage account application from our Conditional Access policies if they enforce MFA. More on that later.
Create Storage account
I’m not going into full detail about setting up an Azure environment and Azure storage account, as the configuration you need might differ from my tenant.
Storage accounts can be created in the Azure portal.
Make the choices that fit your needs.
Enable Microsoft Entra Kerberos authentication for hybrid user accounts
The next step in our setup is to enable Microsoft Entra Kerberos authentication for the file shares in the storage account.
On the File shares tab (under Data storage) click Not configured, which is shown behind Identity-based access.
Click Set up under Microsoft Entra Kerberos.
Tick the Microsoft Entra Kerberos checkbox and click Save.
When you want to configure directory- and file-level (NTFS) permissions through Windows Explorer, you also need to provide the Domain name and Domain GUID of the on-premises domain.
The Domain Name and Domain GUID can be found by running this PowerShell command on a domain-joined server or client (it requires the ActiveDirectory RSAT module): Get-ADDomain | Select-Object DNSRoot, ObjectGUID
Grant admin consent to the new service principal
In the background, an application was registered in Microsoft Entra ID when we enabled Kerberos authentication. We need to explicitly grant admin consent to this new Microsoft Entra application, which is the next step in our setup.
Browse to App registrations in the Azure portal and open the All applications tab. Search for [storage and you will find the automatically created application. Select the application with the name matching [Storage Account] <storage account name>.file.core.windows.net.
On the API permissions tab click Grant admin consent for [domain name] to grant the requested API permissions. Click Yes to confirm.
Create a file share
We need to have at least one file share to store our files.
Browse to Azure Storage accounts, open your storage account, and on the File shares tab click +File share.
Configure the share to your own needs.
Assigning share-level permissions
We need to grant access to the file share. We can do that by adding a role assignment to the file share; there are three built-in roles with different permission levels: Storage File Data SMB Share Reader, Storage File Data SMB Share Contributor and Storage File Data SMB Share Elevated Contributor.
Open the previously created file share and browse to the tab Access control (IAM).
Click Add and select Add role assignment.
Search for data smb share to find the related roles. Select the role you want to assign (prefer the least privileged one that fits) and click Next.
We can assign the role directly to a user, but most likely you want to assign the role to a group. In my case, I used a synced AD group.
When the assignment is added, the storage account part is configured.
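The storage account part of the setup (enabling Microsoft Entra Kerberos, supplying the domain name and GUID, creating the share and the share-level role assignment) can also be scripted. The following is an added example written for this page and not code from the original post; it assumes a resource group rg-files, a storage account stfilesdemo, a share named data and a synced AD group named FileShare-Users, and it needs the Az.Accounts, Az.Storage and Az.Resources modules plus the ActiveDirectory RSAT module for Get-ADDomain:

```powershell
# Added example, not from the original post. Assumed names: rg-files, stfilesdemo, data,
# FileShare-Users. Run on a domain-joined admin workstation with the Az modules installed.
#Requires -Modules Az.Accounts, Az.Storage, Az.Resources, ActiveDirectory

$ResourceGroup  = 'rg-files'
$StorageAccount = 'stfilesdemo'
$ShareName      = 'data'
$GroupName      = 'FileShare-Users'

Connect-AzAccount | Out-Null

# Domain name and GUID of the on-premises AD domain. Only required when you want to set
# directory/file-level (NTFS) permissions from Windows Explorer, but harmless to supply.
$domain = Get-ADDomain | Select-Object DNSRoot, ObjectGUID

# Enable Microsoft Entra Kerberos for the file service of the storage account.
Set-AzStorageAccount -ResourceGroupName $ResourceGroup -StorageAccountName $StorageAccount `
    -EnableAzureActiveDirectoryKerberosForFile $true `
    -ActiveDirectoryDomainName $domain.DNSRoot `
    -ActiveDirectoryDomainGuid $domain.ObjectGUID | Out-Null

# Verify: DirectoryServiceOptions should now read AADKERB.
$sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$sa.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
$sa.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties

# Create the share if it does not exist yet (100 GiB quota is an arbitrary example value).
$share = Get-AzRmStorageShare -ResourceGroupName $ResourceGroup -StorageAccountName $StorageAccount `
    -Name $ShareName -ErrorAction SilentlyContinue
if (-not $share) {
    New-AzRmStorageShare -ResourceGroupName $ResourceGroup -StorageAccountName $StorageAccount `
        -Name $ShareName -QuotaGiB 100 | Out-Null
}

# Share-level RBAC, scoped to the single share rather than the whole storage account
# (least privilege: users get nothing on other shares in the same account).
$shareScope = "$($sa.Id)/fileServices/default/fileshares/$ShareName"
$group = Get-AzADGroup -DisplayName $GroupName
New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName 'Storage File Data SMB Share Contributor' `
    -Scope $shareScope | Out-Null

# Review what is assigned on the share.
Get-AzRoleAssignment -Scope $shareScope | Select-Object DisplayName, RoleDefinitionName, Scope
```

Granting admin consent to the automatically registered application still has to be done in the portal as described above; the script only covers the storage account side.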
Configure Conditional Access policies (Optional)
As we can read in the documentation, MFA is not supported for the Microsoft Entra Kerberos flow: the storage account's Kerberos ticket is issued without an interactive second-factor prompt.
This means we need to make sure no MFA is required for the previously created Microsoft Azure application.
If you, for example, require MFA for All cloud apps in a Conditional Access policy, you need to exclude the application from that policy.
Just as we can exclude the Azure Storage application from a policy, we can also include it in one.
This means we can, for example, only allow access to the file share from compliant devices.
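The Conditional Access side can be checked and configured with the Microsoft Graph PowerShell SDK. The following is an added example written for this page, not code from the original post. It looks up the service principal created for the storage account (assumed name stfilesdemo), lists enabled policies that require MFA and do not exclude that app (these are the ones you need to fix), and creates a new policy that only allows the app from compliant devices. The policy is created in report-only mode first; the target group's object ID is an assumed placeholder:

```powershell
# Added example, not from the original post. Assumed: storage account 'stfilesdemo',
# $GroupId is the object id of the synced AD group that was given share-level access.
#Requires -Modules Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns

$StorageAccount = 'stfilesdemo'
$GroupId        = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with your group

Connect-MgGraph -Scopes 'Application.Read.All', 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' | Out-Null

# The service principal registered when Entra Kerberos was enabled is named
# "[Storage Account] <account>.file.core.windows.net".
$spName = "[Storage Account] $($StorageAccount).file.core.windows.net"
$sp = Get-MgServicePrincipal -Filter "displayName eq '$spName'"
if (-not $sp) { throw "Service principal '$spName' not found; enable Microsoft Entra Kerberos first." }

# 1) Find enabled policies that would force MFA on this app: they target all cloud apps (or this
#    app explicitly), require the 'mfa' grant control and do not list the app under exclusions.
$mfaPoliciesHittingApp = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'mfa' -and
    ($_.Conditions.Applications.IncludeApplications -contains 'All' -or
     $_.Conditions.Applications.IncludeApplications -contains $sp.AppId) -and
    $_.Conditions.Applications.ExcludeApplications -notcontains $sp.AppId
}
if ($mfaPoliciesHittingApp) {
    Write-Warning "These MFA policies still apply to $spName; add $($sp.AppId) to their app exclusions:"
    $mfaPoliciesHittingApp | Select-Object DisplayName, Id
}

# 2) Create a policy that includes the storage app and requires a compliant device.
#    Report-only first; flip state to 'enabled' after validating the sign-in logs.
$policy = @{
    displayName = "Azure Files ($StorageAccount): require compliant device"
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        applications   = @{ includeApplications = @($sp.AppId) }
        users          = @{ includeGroups = @($GroupId) }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State, Id
```

Note that `includeApplications` and `excludeApplications` take the application (client) ID, `$sp.AppId`, not the service principal's object ID.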
Configuring Windows devices to retrieve Kerberos tickets
Everything is configured in Azure, but we also need to configure our Windows devices.
We need to configure our Windows clients to retrieve a cloud Kerberos ticket at logon. We can deploy the setting for this to our clients with Microsoft Intune. Unfortunately, at the moment of writing this setting is not available in the Settings catalog, so we need to use a Custom configuration profile. Information about the CSP can be found in the Microsoft docs.
For this configuration, we need to sign in to the Intune portal.
- Browse to Devices, Windows, Configuration profiles
- Click Create profile
- Select Windows 10 and later as Platform
- Select Templates as Profile type
- Select Custom and click Create
Enter a Name and Description (optional) and click Next.
Click Add to add an OMA-URI row.
Enter the following information in the policy:
Name: CloudKerberosTicketRetrievalEnabled
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Kerberos/CloudKerberosTicketRetrievalEnabled
Data Type: Integer
Value: 1
Assign this Intune profile to a group that holds your devices and we can start testing!
The end result
The end result is that we can browse via the UNC path to the file share located on our Azure storage.
And if needed we can also make a network drive mapping to the file share.
This can be done for example with the script I previously shared.
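To check on a client whether all the pieces line up (device join state, the Kerberos policy, port 445 reachability, ticket retrieval and finally the drive mapping), the following added example can be run in an elevated PowerShell session on a test device. It is written for this page and is not the script the author refers to; it assumes storage account stfilesdemo and share data. The registry location it inspects is the one the Microsoft docs give as the manual alternative to the Intune policy, and the assumption here is that the CSP writes the same value:

```powershell
# Added example, not from the original post. Assumed: storage account 'stfilesdemo', share 'data'.
# Run elevated on the Entra joined test device after the Intune profile has applied.

$StorageAccount = 'stfilesdemo'
$ShareName      = 'data'
$Endpoint       = "$($StorageAccount).file.core.windows.net"
$DriveLetter    = 'Z'

# 1) Join state: the cloud Kerberos flow needs an Entra joined or hybrid joined device.
$status = dsregcmd /status
$joined = [bool]($status | Select-String 'AzureAdJoined\s*:\s*YES')
"Entra joined            : $joined"

# 2) Policy applied? Assumption: the CSP lands in the same key the docs use for the manual
#    registry method (CloudKerberosTicketRetrievalEnabled = 1 under Kerberos\Parameters).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$value = (Get-ItemProperty -Path $regPath -Name CloudKerberosTicketRetrievalEnabled -ErrorAction SilentlyContinue).CloudKerberosTicketRetrievalEnabled
"CloudKerberosTicketRetrievalEnabled: $value (expected 1)"

# 3) TCP 445 reachability. Some ISPs block 445, in which case nothing below will work.
$tcp = Test-NetConnection -ComputerName $Endpoint -Port 445 -WarningAction SilentlyContinue
"TCP 445 to $Endpoint open: $($tcp.TcpTestSucceeded)"
if (-not $tcp.TcpTestSucceeded) { Write-Warning 'Port 445 is blocked on this network; SMB cannot connect.' }

# 4) Request the cloud TGT from Microsoft Entra ID, then a service ticket for the share.
#    A missing krbtgt/KERBEROS.MICROSOFTONLINE.COM ticket means the policy or join state is wrong.
klist get krbtgt/KERBEROS.MICROSOFTONLINE.COM | Out-Null
klist get "cifs/$Endpoint" | Out-Null
$tickets = klist | Select-String 'Server:'
$tickets
if (-not ($tickets | Select-String 'KERBEROS.MICROSOFTONLINE.COM')) {
    Write-Warning 'No cloud TGT in the ticket cache; check the Intune policy and Conditional Access.'
}

# 5) Map the share. No credentials are passed: SMB uses the Kerberos ticket obtained above.
if (Get-PSDrive -Name $DriveLetter -ErrorAction SilentlyContinue) {
    Remove-PSDrive -Name $DriveLetter -Force
}
New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root "\\$Endpoint\$ShareName" -Persist -Scope Global | Out-Null
Get-ChildItem "$($DriveLetter):\" | Select-Object Name, Length, LastWriteTime
```

If the device is non-compliant and a compliant-device policy is enforced, step 4 is where it fails: Entra ID refuses to issue the ticket, which is why File Explorer later shows only a generic error.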
If the user is signed in on a non-compliant device (and you require a compliant device to access the file share), the user can't access the file share.
The user will see an error message like the one below. Unfortunately, it is not an error message that describes the real issue (most likely because File Explorer doesn't surface the Conditional Access failure).
If we have a look at the user sign-in logs, we see the Conditional Access policy is triggered.
And as we can see one of the devices was not compliant.
That’s it for this post. Thanks for reading!
Note: Azure Files uses the SMB protocol, which runs over TCP port 445. Some ISPs block this port, which is something to consider when implementing this solution.
1 Comment
The only problem with that solution is that not every ISP lets port 445 open. At least over here in Canada. So when I tried to implement this solution, most of the users were not able to connect to the file share when at home because 445 was blocked at the ISP level…