Last August, Microsoft introduced several new security features to its Azure Files service. These included Active Directory Domain Services (AD DS) authentication support for Server Message Block (SMB) access. Today, this capability is being expanded in the form of a preview of general Azure AD authentication for Azure Files.
Essentially, file shares can now be mounted with the same access control experience through Azure AD as on-premises shares. Authentication will be available for both the standard and premium tiers, and the feature is not restricted to either on-premises or cloud environments.
As mentioned last year, share-level permissions can be modified using role-based access control (RBAC). Meanwhile, directory- and file-level permissions can be enforced using NTFS discretionary access control lists (NTFS DACLs).
Microsoft describes the main capabilities introduced with this preview release as follows:
- Enable Active Directory (Active Directory/Domain Services) authentication for server message block (SMB) access. You can mount Azure Files from Active Directory domain-joined machines either on-premises or on Azure using Active Directory credentials. Azure Files supports using Active Directory as the directory service for an identity-based access control experience for both premium and standard tiers. You can enable Active Directory authentication on self-managed or Azure File Sync managed file shares.
- Enforce share-level and directory- or file-level permissions. The existing access control experience continues to be enforced for file shares enabled for Active Directory authentication. You can leverage RBAC for share-level permission management, then persist or configure directory- or file-level NTFS DACLs using Windows File Explorer and icacls tools.
- Support file migration from on-premises with ACL persistence over Azure File Sync. Azure File Sync now supports persisting ACLs on Azure Files in native NTFS DACL format. You can choose to use Azure File Sync for seamless migration from on-premises Windows file servers to Azure Files. Existing files and directories tiered to Azure Files through Azure File Sync have ACLs persisted in the native format.
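The two-layer model described above (RBAC as the coarse share-level gate, NTFS DACLs for directory- and file-level control) is easiest to see in practice with the icacls tool the announcement mentions. The following PowerShell session is an added example, not code from the article or from Microsoft's documentation. It assumes a Windows client that is already AD domain-joined, a user who has already been granted share-level access through an RBAC role assignment (not shown), and placeholder values for the storage account, share name, drive letter and AD group names; the UNC path format `\\<account>.file.core.windows.net\<share>` is the standard Azure Files SMB endpoint and is also an assumption here rather than something the article states.

```powershell
# Added example (not from the article): mount an AD-authenticated Azure file share
# and apply least-privilege NTFS DACLs to one directory with icacls.
# Placeholders (assumed, not from the article): $StorageAccount, $ShareName,
# drive letter Z:, and the CONTOSO\... group names.

$StorageAccount = "mystorageacct"      # placeholder storage account name
$ShareName      = "projects"           # placeholder share name
$UncPath        = "\\$StorageAccount.file.core.windows.net\$ShareName"
$Drive          = "Z"
$Target         = "${Drive}:\finance"  # subdirectory to lock down

# 1. Mount with the logged-on user's AD (Kerberos) credentials.
#    No storage account key is passed or stored on the client, which is the point
#    of AD authentication over key-based mounting.
New-PSDrive -Name $Drive -PSProvider FileSystem -Root $UncPath -Persist -ErrorAction Stop

# 2. Snapshot the current DACLs before changing anything, so the change can be
#    audited and reverted. /T recurses, /C continues past per-file errors.
$Backup = Join-Path $env:TEMP "acl-backup-$(Get-Date -Format yyyyMMddHHmmss).txt"
icacls $Target /save $Backup /T /C

# 3. Least privilege on the subdirectory: stop inheriting the share-level DACL,
#    then grant only what each AD group needs.
#    (OI)(CI) = apply to files and subfolders; F = full, M = modify, RX = read/execute.
icacls $Target /inheritance:r
icacls $Target /grant "CONTOSO\Domain Admins:(OI)(CI)F"
icacls $Target /grant "CONTOSO\Finance-Editors:(OI)(CI)M"
icacls $Target /grant "CONTOSO\Finance-Readers:(OI)(CI)RX"

# 4. Verify the resulting DACL; this output is what an access review would record.
icacls $Target

# To roll back: entries in the saved file are relative to the parent of $Target,
# so restore from the drive root.
# icacls "${Drive}:\" /restore $Backup
```

Two points worth noting when using this pattern. Share-level RBAC still applies on top of whatever the DACL says, so a user who lacks the share-level role is refused before the NTFS DACL is ever evaluated; conversely, removing inheritance on the share root rather than on a subdirectory can lock out every group except the ones explicitly re-granted, which is why the example operates on `finance` and saves the DACLs first.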
Microsoft aims to let Azure Files work with AD without any change to client environments: single sign-on is said to be enough to access a file share from an AD domain-joined machine. The firm believes that, with AD authentication, Azure Files can serve as the storage solution of choice for users of Virtual Desktop Infrastructure (VDI). For more information on the feature, its documentation can be read in detail here.