We are excited to announce General Availability of Azure Files integration with Azure Active Directory (Azure AD) Kerberos for hybrid identities. With this release, identities in Azure AD can mount and access Azure file shares without the need for line-of-sight to an Active Directory domain controller.
Until now, Azure Files supported identity-based authentication over Server Message Block (SMB) through two types of Domain Services: on-premises Active Directory Domain Services (AD DS) and Azure Active Directory Domain Services (Azure AD DS). On-premises AD DS requires clients to have line-of-sight to the domain controller, while Azure AD DS requires deploying domain services onto Azure AD and domain joining to Azure AD DS. Azure AD Kerberos is a new addition to these identity-based authentication methods. Azure AD Kerberos allows Azure AD to issue Kerberos service tickets over HTTPS for service applications in Azure AD. This removes the need to setup and manage another domain service, while also removing the line-of-sight requirement to the domain controller when authenticating with Azure Files. For this experience, the clients connecting to Azure Files need to be Azure AD-joined clients (or hybrid Azure AD-joined), and the user identities must be hybrid identities, managed in Active Directory. Hybrid identities require maintaining the AD Domain Controllers where the identities have originated from.
Here are examples of how you can leverage Azure AD Kerberos with Azure Files, based on your identity-based authentication needs:
Taking advantage of an existing Azure AD setup: If your organization has already adopted Azure AD, for example to use Office 365, you can now use the same identity-based authentication solution with Azure Files. No additional domain service management will be required.
Migrating from on-premises: If you have on-premises AD, and on-premises file servers, you can start your migration by syncing to Azure AD. You can then migrate your file servers to Azure Files and start leveraging cloud for file server scenarios. Once cloud-native identities are supported, you can take further steps to migrate to Azure AD fully.
Your organization requires keeping AD on-premises: Your organization, for example a financial institution, may have a policy to maintain on-premises AD, and managing identities on-premises. Assigning a default share-level permission for all authenticated users allows continuing to manage permissions through on-premises domain services, without needing to sync to Azure AD. Azure AD Kerberos with Azure Files supports default share-level permissions. Also, with this release, we added a simplified Azure Portal experience for default share-level permissions.
Enable and Configure Azure AD Kerberos for Azure Files: