Local Network Share with Azure AD Users


We're a small business of about 15 people, and have just moved to Microsoft 365 for email, and with it has come AAD user management which makes my life simple.
We have some simple file shares that are managed with local accounts. I'd like to move to on-prem AD with AAD Connect, and then assign these AAD users ("email accounts") to the various folders to handle permissions.
My current understanding is that AAD can't do user writeback to on-prem at all, and doing password and group writeback to on-prem requires the 'premium' tier of AAD, at $8/user/mo?
This seems both very convoluted (I am doing up a PS script to pull users back from AAD) and also incredibly expensive to simply have AAD users assigned to on-prem file shares. I'm hoping Occam's razor applies here, and I've missed something simple?
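
The post above wants folder permissions assigned per user once the accounts exist in on-prem AD. The following is an added example, not code from the thread: it puts an on-prem security group on the folder's NTFS ACL and on the SMB share instead of individual users, so access reviews become a group-membership check and the folder ACL never has to change when someone joins or leaves. It assumes the ActiveDirectory and SmbShare modules on a domain-joined file server; the domain, group, folder, share and account names are placeholders.

```powershell
# Added example (not from the thread): one AD security group per folder and
# access level, granted on both the NTFS ACL and the share. Names are assumptions.
Import-Module ActiveDirectory

$Domain     = 'CORP'                # assumption: on-prem NetBIOS domain name
$GroupName  = 'FS-Finance-Modify'   # assumption: group per folder per access level
$FolderPath = 'D:\Shares\Finance'   # assumption
$ShareName  = 'Finance'             # assumption
$Members    = @('alice', 'bob')     # assumption: sAMAccountNames of the synced users

# 1. Create the group if needed and put the users in it. Users are never ACLed
#    on the folder directly; membership is the single place access is granted.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description "Modify access to $FolderPath"
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# 2. Folder ACL: stop inheriting from the parent (so an over-broad ACE on
#    D:\Shares, e.g. Users:Read, does not leak in), then grant exactly three
#    principals. Pre-existing explicit ACEs are left in place and should be reviewed.
if (-not (Test-Path $FolderPath)) { New-Item -ItemType Directory -Path $FolderPath | Out-Null }
$acl = Get-Acl -Path $FolderPath
$acl.SetAccessRuleProtection($true, $false)   # protect DACL, drop inherited ACEs

$rules = @(
    @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Identity = "$Domain\$GroupName";     Rights = 'Modify' }   # no Full Control for users
)
foreach ($r in $rules) {
    $ace = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $r.Identity,
        [System.Security.AccessControl.FileSystemRights]$r.Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]'None',
        [System.Security.AccessControl.AccessControlType]'Allow')
    $acl.SetAccessRule($ace)
}
Set-Acl -Path $FolderPath -AclObject $acl

# 3. Share permission: the group gets Change; no Everyone/Authenticated Users ACE,
#    so the share layer and the NTFS layer both name the same principal.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $FolderPath -ChangeAccess "$Domain\$GroupName" | Out-Null
}

# 4. Verify what was actually written rather than trusting the script.
(Get-Acl -Path $FolderPath).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessRight -AutoSize
```

Run it as a domain account that is a local administrator on the file server. Group membership changes take effect at the user's next logon (the group SID has to appear in a fresh token), which is worth remembering when a newly added user reports "access denied".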

4 Replies
Hello there,

You are right about the write-back feature of AAD, however, I do not see that it is required for your scenario if I have correctly understood.

Moreover, I do not think there's a reason to grant AAD users access to your local file shares. If you already have your on-premises users synchronized to AAD using AAD Connect, you can simply keep access to local shares as it is configured for AD users.

Awaiting your feedback,
Charbel
Hey Charbel,

Thanks for the reply.

After an entire day of fiddling and messing around with ImmutableIDs and whatnot, I have managed to pull user accounts down from AAD to our on-prem AD! :)

The issue is user laptops are connected to AAD, not on-prem AD, so if the user changes their password, they won't connect/authenticate with the on-prem file shares.

We can't justify $8/user/mo, so I guess I'm going to have to ask users nicely for their passwords haha.
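
The two posts above describe the mechanics the original poster fought with: pulling cloud accounts down into on-prem AD and then getting the ImmutableIDs to line up so Azure AD Connect links each new AD object to the existing cloud user instead of creating a duplicate. The following is an added example, not the poster's script: it computes the default AAD Connect source anchor (the base64 of the on-prem objectGUID) and writes it to the matching cloud user's onPremisesImmutableId, refusing to touch accounts that are already synced or already carry a different anchor. It assumes the ActiveDirectory and Microsoft.Graph.Users modules, a Graph session with User.ReadWrite.All, and that the on-prem UPN equals the cloud UPN; 'alice' is a placeholder. Matching anchors links the two objects, nothing more: with devices joined only to Azure AD, a cloud password change still does not reach the on-prem account without password writeback, which is the constraint the reply above describes.

```powershell
# Added example (not from the thread): hard-match an on-prem AD user to an existing
# cloud-only Azure AD account via onPremisesImmutableId. Names are assumptions.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

function Get-ImmutableIdFromAdUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $adUser = Get-ADUser -Identity $SamAccountName -Properties ObjectGUID, UserPrincipalName
    [pscustomobject]@{
        SamAccountName    = $adUser.SamAccountName
        UserPrincipalName = $adUser.UserPrincipalName
        # AAD Connect's default sourceAnchor is the objectGUID, base64-encoded.
        ImmutableId       = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
    }
}

function Set-HardMatch {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [switch]$WhatIf
    )
    $local = Get-ImmutableIdFromAdUser -SamAccountName $SamAccountName
    # Lookup assumes on-prem UPN == cloud UPN; adapt the -UserId if they differ.
    $cloud = Get-MgUser -UserId $local.UserPrincipalName `
        -Property 'id', 'userPrincipalName', 'onPremisesImmutableId', 'onPremisesSyncEnabled'

    # Guard rails: never rewrite the anchor of an account that is already linked.
    if ($cloud.OnPremisesSyncEnabled) {
        throw "$($cloud.UserPrincipalName) is already directory-synced; changing its anchor would break the existing link."
    }
    if ($cloud.OnPremisesImmutableId -and $cloud.OnPremisesImmutableId -ne $local.ImmutableId) {
        throw "$($cloud.UserPrincipalName) already carries ImmutableId $($cloud.OnPremisesImmutableId); investigate before overwriting."
    }
    if ($cloud.OnPremisesImmutableId -eq $local.ImmutableId) {
        Write-Host "Already matched: $($cloud.UserPrincipalName)"
        return
    }
    if ($WhatIf) {
        Write-Host "Would set onPremisesImmutableId=$($local.ImmutableId) on $($cloud.UserPrincipalName)"
        return
    }
    Update-MgUser -UserId $cloud.Id -OnPremisesImmutableId $local.ImmutableId
    Write-Host "Hard-matched $($cloud.UserPrincipalName) to on-prem $($local.SamAccountName) ($($local.ImmutableId))"
}

# Usage: dry run first, then apply, then trigger a delta sync on the AAD Connect server.
Set-HardMatch -SamAccountName 'alice' -WhatIf
Set-HardMatch -SamAccountName 'alice'
# On the AAD Connect server:  Start-ADSyncSyncCycle -PolicyType Delta
```

After the delta sync, confirm the link from the cloud side with `Get-MgUser -UserId alice@example.com -Property onPremisesSyncEnabled, onPremisesImmutableId` (UPN is a placeholder): onPremisesSyncEnabled should now be True and the anchor should equal the value the script printed. If AAD Connect reports a duplicate-attribute or "InvalidSoftMatch" error instead, the anchor on one side was already taken, which is exactly the case the two throw statements refuse to overwrite.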

@andrewvinci it seems you are now using AAD as primary user repo and authentication engine, therefore it might be easier to either ask for the passwords, or move the file shares to the cloud, which would be the best solution but not the cheapest one :)
Regards,

Charbel Hanna

@Charbelhanna Hello Charbel,
Thanks for the reply. Actually moving files to the cloud is technically and functionally impossible for us.
I have asked for some help on this, but I don't think there is a solution. https://techcommunity.microsoft.com/t5/sharepoint/sharing-a-shortcut-and-hyperlink-in-file-explorer/...
The issue is a lot of our core files need shareable location paths. A simple example is a folder path for an Excel macro. There is no way we can get a path for User A that is the same as User B. Unfortunately this is preventing our move to cloud folders.
I have just resorted to asking users for passwords. It just looks incredibly unprofessional and people are wondering why Microsoft has such a half-baked solution. I tell them it costs $10/user/mo to sync passwords, and now they just think Microsoft is stingy haha.