Deploy Azure Files share as a network drive to user's corporate machines

Shawn Goodwin 156 Reputation points
2024-06-06T15:12:46.89+00:00

We are trying to deploy an Azure Files SMB share to users' corporate machines and have that share mapped in their Windows Explorer. The intent is to emulate a traditional on-prem network "share drive". This is easier for on-prem and Hybrid organizations, but it's a bit more challenging for cloud-only organizations. We are 100% cloud-based in M365 and EntraID. I've been reading all the Microsoft docs I can find and trying to cobble together a plan. I cannot find an all-in-one resource for this use case. I'm still fuzzy on some details that I'm sure are implied in the docs, but I am missing. Here goes.

  • We are M365/EntraID based, with a P2 tenant.
  • We have an Azure tenant connected to our M365/EntraID tenant.
  • Resource Group created, call it corporate-storage-RG
  • Storage account created, call it corporate-storage-SA
  • Azure File Share created, call it test-file-share
  • Entra Domain Services created using the same domain as our company, call it my-corp.com. This is our main domain. Creating the Entra Domain Services creates all the necessary Virtual Networks, public IP, security group, etc.
  • Azure File Share Identity Based Access configured as Microsoft Entra Domain Services
  • VM created in corporate-storage-RG, call it corporate-storage-VM.

I'm having trouble joining the VM to the my-corp.com domain services created above. I'm getting an error when using my creds. The error says, "This device is joined to Azure AD. To join an Active Directory domain, you must first go to settings and choose to disconnect your device from your work or school." I go to Settings on the VM, but no work or school connections are shown. Here's my first question: how do I disconnect the VM from work or school? Should I use a different domain name than our main domain? Microsoft examples use aadcontoso vs. contoso. I didn't see any direction to use a different name, so I'm asking. If I should use a different domain name, do I have to add that domain in M365 and a corresponding DNS record on our site?

I've read through the https://video2.skills-academy.com/en-us/azure/storage/files/storage-files-identity-auth-domain-services-enable?tabs=azure-portal multiple times, along with many other docs.

My understanding is that once I get the VM joined to the Azure domain, the VM will connect to the Azure File Share, and the users will access the shares through the VM. Do I have to add the EntraID groups to the Azure domain?

Are there any other gotchas I may be missing?
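The two points the question gets stuck on (the "already joined to Azure AD" refusal and whether the share is reachable at all) can be checked from the client before any drive mapping is attempted. The PowerShell script below is an added example, not code from the question, the answers or Microsoft's documentation. It assumes a Windows client with an elevated PowerShell session, uses `corpstoragesa` as a constructed stand-in for the question's `corporate-storage-SA` (real storage account names are lowercase letters and digits only), reuses the share name `test-file-share` from the question, and takes an optional storage account key only for a key-based test mapping; the key is never hard-coded because it grants full control of the whole storage account.

```powershell
# Added diagnostic example; not from the original question, the answers or Microsoft.
# Assumptions (constructed, not taken from the question):
#   - 'corpstoragesa' stands in for the question's corporate-storage-SA
#     (real storage account names are 3-24 lowercase letters/digits, no hyphens).
#   - 'test-file-share' is the share name used in the question.
#   - Run in an elevated PowerShell session on the Windows client being tested.
param(
    [string]$StorageAccount = 'corpstoragesa',
    [string]$ShareName      = 'test-file-share',
    [string]$DriveLetter    = 'Z',
    # Optional: storage account key for a key-based test mapping only.
    # The key is equivalent to full control of the storage account, so pass it
    # interactively and never store it in this script.
    [string]$StorageAccountKey
)

$fqdn = "$StorageAccount.file.core.windows.net"
$unc  = "\\$fqdn\$ShareName"

# 1. Device join state. The error quoted in the question ("This device is joined
#    to Azure AD ...") corresponds to 'AzureAdJoined : YES' in dsregcmd output.
#    A Windows device holds one join type at a time, so an Entra ID joined device
#    will not accept a classic AD / Entra Domain Services domain join.
$dsreg = dsregcmd /status
$azureAdJoined = [bool]($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')
$domainJoined  = [bool]($dsreg -match '^\s*DomainJoined\s*:\s*YES')
Write-Host "AzureAdJoined=$azureAdJoined  DomainJoined=$domainJoined"
if ($azureAdJoined -and -not $domainJoined) {
    Write-Warning 'Device is Entra ID joined; a classic domain join is refused until the device is disconnected from Entra ID.'
}

# 2. Network path. SMB to Azure Files needs outbound TCP 445, which many ISPs
#    and corporate egress firewalls block. Rule this out before debugging identity.
$tnc = Test-NetConnection -ComputerName $fqdn -Port 445 -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) {
    Write-Warning "TCP 445 to $fqdn is not reachable; the mapping will fail regardless of authentication."
    return
}

# 3. Map the share.
if ($StorageAccountKey) {
    # Key-based test mapping: the credential is kept in Windows Credential Manager
    # on this host only. Remove it afterwards with:  cmdkey /delete:$fqdn
    $keyUser = "localhost\$StorageAccount"
    cmdkey /add:$fqdn /user:$keyUser /pass:$StorageAccountKey | Out-Null
} else {
    # Identity-based mapping: no -Credential is passed, so the logged-on user's
    # Kerberos ticket is presented to the share. This is the path that requires the
    # client to be joined to the same AD / Entra DS domain the share is configured for.
    Write-Host "Mapping $unc with the logged-on user's identity"
}
New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $unc -Persist -Scope Global
Get-PSDrive -Name $DriveLetter | Select-Object Name, Root
```

Run it first with no key to reproduce the identity-based path the question is trying to set up; if step 1 reports `AzureAdJoined=True` and step 3 fails, the device join type, not the share configuration, is what is blocking the mapping. The key-based path is a connectivity test only and leaves a credential on the host, so remove it with `cmdkey /delete` once the test is done.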


2 answers

  1. Shawn Goodwin 156 Reputation points
    2024-06-18T15:57:42.9133333+00:00

    It cannot be done yet. GSA is still in Preview.


  2. Sumarigo-MSFT 44,891 Reputation points Microsoft Employee
    2024-07-01T06:19:14.75+00:00

    @Shawn Goodwin Thanks for the update, and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: Deploying Azure Files as network drives to corporate laptops using Entra ID authentication. They have followed the necessary steps to configure Azure Files for Entra ID authentication and have created the required resources such as a resource group, storage account, Azure File share, and a VM. However, they are unable to join the VM to the domain and are receiving an error message stating that the device is already joined to Azure AD. The customer is seeking assistance on how to disconnect the VM from Azure AD. Entra Domain Services authentication over SMB with Azure file shares is only supported on Azure VMs, not on corporate end-user laptops.

    Solution: Presently this feature/functionality is not supported; GSA is still in Preview.
    I would recommend subscribing to Azure updates (customers can stay ahead with new features, maintain compliance, and manage their Azure resources optimally): https://azure.microsoft.com/en-in/updates/. Once the feature has been released, we will keep you updated.


    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
