Azure AD Domain Services and VPN use for Azure Files

Jared Brunk 1 Reputation point
2022-12-10T02:47:42.223+00:00

Hello,

My company has recently migrated most of our resources into the cloud. The last big hurdle is figuring out a solution for our file shares, which are too large for SharePoint and have years' worth of NTFS permissions that we don't want to go through and reassign. Our employees map the Azure file shares to their local PC for easy access. Since we'd like to move away from our on-premises AD, we considered Azure AD DS for managing these files. However, there seems to be a problem.

We have been connecting to some Azure-hosted virtual machines using Azure VPN client. This is great because it's very simple to use and allows us to easily connect to different virtual networks. Authentication is through Azure Active Directory. We always knew we couldn't use this to access our file shares, since they are in an Azure storage account and Azure AD doesn't provide a line of sight to the domain controller. We had used a RADIUS server via a Meraki MX device. This is a little more infrastructure than we are looking to hang onto.

I was hoping once we created a managed domain in Azure AD Domain Services that we would be able to use Azure Active Directory authentication to access the file shares. However, based on my research it seems that this is only possible to access these via an Azure AD DS domain-joined virtual machine. The problem is that our employees will no longer be able to just map the drive on their machines. Our PCs are managed through Intune btw. If this is the case, my thought was to join the shares to an Azure virtual desktop and give employees access to this.

Is there any other way to do this? I read the following from Microsoft: Non-domain-joined VMs can access Azure file shares using Azure AD DS authentication only if the VM has line-of-sight to the domain controllers for Azure AD DS. Usually this requires either site-to-site or point-to-site VPN.

Since a P2S VPN using AAD doesn't work, is RADIUS the only option that would work? I have read about using a certificate-based VPN but am not sure if that would work here. I would possibly be open to a site-to-site but would need more information on that. Does anyone know? I'd prefer not to have to connect to a Meraki or ASA-type device just to give file share access.

Any help is appreciated, please let me know if any of this is unclear.

Many thanks,

Jared


  1. Michal Wesolowski 1 Reputation point
    2022-12-21T09:52:30.39+00:00

    I am trying to achieve something similar, although we are a small business so we don't even use on-prem AD. My understanding is that without on-prem AD everything is much harder. If you have on-prem AD then I would assume you can just use AD Connect to sync your AD with AAD and then just use the "Active Directory" authentication option on the file shares.

    The file shares have three different auth options (aside from access keys and shared access signatures):

    "Active Directory" - For when you have clients with line-of-sight to a domain controller (I think you need Azure AD Connect to achieve hybrid identities)
    "Azure Active Directory Domain Services" - AFAIK this has only limited applications. I've read somewhere this is only for "lift and shift" of services to the cloud (which is what you are trying to do) but annoyingly they seem to only allow VMs to take advantage of this option. I have tried to make this work without VMs but rather using an AAD-joined laptop connected to the VNET using a P2S VPN, but no luck so far. I'd appreciate some insight if anybody has any.
    "Azure Active Directory Kerberos" - This solution is for when you don't have line-of-sight to a domain controller but you do have on-prem AD with hybrid identities achieved using Azure AD.

    Hope this helps a little.
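The thread turns on two things a client needs before an identity-based mount works: which directory option the storage account is configured for, and whether the client has line of sight to the right endpoints (TCP 445 to the share, and for the AD / AAD DS options also Kerberos 88 and LDAP 389 to the domain controllers). The following PowerShell is an added example, not code posted by either participant. It assumes the Az module is installed and you have run Connect-AzAccount; the resource group, storage account name and domain controller IPs are placeholders you would replace.

```powershell
# Added example (not from the question or answer): checks the prerequisites the
# thread discusses before trying to map an Azure file share with identity-based
# auth. Assumes the Az PowerShell module and an active Connect-AzAccount session.
# All names and IPs below are placeholders, not values from the thread.
param(
    [string]$ResourceGroup  = "rg-files",                     # assumed
    [string]$StorageAccount = "contosofiles",                 # assumed
    [string[]]$DomainControllerIps = @("10.0.1.4", "10.0.1.5") # assumed AAD DS DC IPs
)

# 1. Which directory service is configured on the storage account?
#    Possible values: None, AD (on-prem AD DS), AADDS, AADKERB.
$sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$dirOpt = $sa.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
Write-Host "Directory service option: $dirOpt"
if (-not $dirOpt -or $dirOpt -eq "None") {
    Write-Warning "Identity-based auth is not enabled; only key/SAS access will work."
}

# 2. Line of sight from this client to the SMB endpoint (TCP 445).
$fqdn = "$StorageAccount.file.core.windows.net"
$smb = Test-NetConnection -ComputerName $fqdn -Port 445 -WarningAction SilentlyContinue
Write-Host ("SMB 445 to {0}: {1}" -f $fqdn, $smb.TcpTestSucceeded)

# 3. For the AD and AADDS options the client must also reach the domain
#    controllers (Kerberos 88, LDAP 389). This is the step that fails when the
#    only path into the VNet is an Azure AD-authenticated P2S VPN that does not
#    route to the managed domain's subnet. AADKERB does not need this step.
if ($dirOpt -in @("AD", "AADDS")) {
    foreach ($dc in $DomainControllerIps) {
        foreach ($port in 88, 389) {
            $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            Write-Host ("DC {0} port {1}: {2}" -f $dc, $port, $r.TcpTestSucceeded)
        }
    }
}

# 4. Ask Windows for a Kerberos service ticket for the share's SPN. Success here
#    means the client can authenticate with Kerberos before you try to map.
klist get "cifs/$fqdn"

# 5. Map the share with the signed-in identity (no storage key) once 1-4 pass.
# New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$fqdn\share" -Persist
```

Step 4 is the quickest way to tell the two failure modes apart: if klist cannot obtain a ticket, the problem is identity or reachability of the KDC, not NTFS permissions on the share, and fixing the VPN routing or switching to the Azure AD Kerberos option is the next move.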

