File share in Azure for Azure AD (ONLY!) joined PCs

Michał Gębala 21 Reputation points
2022-06-10T07:26:48.117+00:00

Is there any solution available in Azure (Storage account, VM, dedicated resource, 3rd party appliance) that will allow me to map a share on ONLY! Azure AD joined PC and will let me configure file/folder level permissions based on Azure AD accounts/groups?

5 answers

  1. Tom Wardrop 26 Reputation points
    2023-08-29T06:39:25.6033333+00:00

    Just signed in to say the same. Was hoping my Azure AD joined devices (laptops and remote workstations) could authenticate with an Azure file share. Surprising that not only are Azure AD joined devices not supported, but Azure AD users aren't either, unless they're synced via on-premises.

    Microsoft really seems to be all over the shop here. On one hand they have these cloud-only features and services like Windows 11 multi-session, which can't be run on-premises, essentially handicapping any organisation trying to run an on-premises remote desktop server, but then those who are all-in on Azure then run into issues like Azure Files not being available. Microsoft doesn't seem to offer a single comprehensive solution. If I'm setting up a brand new domain/tenancy, how exactly does Microsoft suggest I operate, because it seems no matter what you do you're going to be missing out on functionality?

    4 people found this answer helpful.

  2. Juan Sanchez 15 Reputation points
    2023-07-24T06:03:17.0533333+00:00

    It is hard to believe that Azure Files still doesn't work with Azure AD-only identities. I honestly think the devs dropped the ball here.

    3 people found this answer helpful.

  3. Sumarigo-MSFT 44,906 Reputation points Microsoft Employee
    2023-02-14T06:53:20.7333333+00:00

    Updating the thread: General Availability: Azure Active Directory Kerberos with Azure Files for hybrid identities

    General Availability of Azure Files integration with Azure Active Directory (Azure AD) Kerberos for hybrid identities. With this release, identities in Azure AD can mount and access Azure file shares without the need for line-of-sight to an Active Directory domain controller.

    This article focuses on enabling and configuring Azure Active Directory (Azure AD) for authenticating hybrid user identities, which are on-premises AD DS identities that are synced to Azure AD. Cloud-only identities aren't currently supported.

  4. Michal Gebala 0 Reputation points
    2023-10-09T16:08:05.9+00:00

    Any update on this topic? I really miss the option to map a file share to an Azure AD joined device (not hybrid joined!) and have working file/folder level permissions, the same as it is now with SharePoint synced folders.


  5. Sumarigo-MSFT 44,906 Reputation points Microsoft Employee
    2022-06-10T12:24:48.66+00:00

    @Michał Gębala Welcome to Microsoft Q&A Forum. Thank you for posting your query here!

    For a better understanding of the scenario: as I understand it, instead of using AADDS or ADDS, you want to use Azure AD for authorization, right?

    If so, we are working on this feature (Azure Files AAD authentication is in Private Preview); we have it in our pipeline. Presently I don't have any ETA. Get the latest updates on Azure products and features to meet your cloud investment needs: subscribe to notifications to stay informed through Azure updates.

    Currently there are only two ways to configure an Azure Files share:

    • Active Directory Domain Services (Active Directory Domain Services Overview | Microsoft Learn): requires machines to be joined to the on-premises domain. In most cases they would be Azure hybrid joined.
    • Azure Active Directory Domain Services (Overview of Azure Active Directory Domain Services | Microsoft Learn): requires the machine to be joined to the Azure AD Domain Services domain.

    If a machine (either a VM or a physical machine) is joined only to Azure AD, it would not be able to use either of these methods.

    Additional information:

    Supported scenarios and restrictions:

    • AD DS Identities used for Azure Files on-premises AD DS authentication must be synced to Azure AD or use a default share-level permission. Password hash synchronization is optional.
    • Supports Azure file shares managed by Azure File Sync.
    • Supports Kerberos authentication with AD with AES 256 encryption (recommended) and RC4-HMAC. AES 128 Kerberos encryption is not yet supported.
    • Supports single sign-on experience.
    • Only supported on clients running on OS versions newer than Windows 7 or Windows Server 2008 R2.
    • Only supported against the AD forest that the storage account is registered to. You can only access Azure file shares with the AD DS credentials from a single forest by default. If you need to access your Azure file share from a different forest, make sure that you have the proper forest trust configured, see the FAQ for details.
    • Does not support authentication against computer accounts created in AD DS.
    • Does not support authentication against Network File System (NFS) file shares.
    • When you enable AD DS for Azure file shares over SMB, your AD DS-joined machines can mount Azure file shares using your existing AD DS credentials. This capability can be enabled with an AD DS environment hosted either in on-prem machines or hosted in Azure.


    We strongly recommend that you review the How it works section to select the right domain service for authentication. The setup is different depending on the domain service you choose. This series of articles focuses on enabling and configuring on-premises AD DS for authentication with Azure file shares.

    If you are new to Azure file shares, we recommend reading our planning guide before reading the following series of articles.

    Please let us know if you have any further queries. I’m happy to assist you further.

    ----------

    Please do not forget to “Accept Answer” and “up-vote” wherever the information provided helps you; this can be beneficial to other community members.

    1 person found this answer helpful.
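    The support matrix laid out in this answer (AD DS needs a domain-joined device, Azure AD DS needs a device joined to the managed domain, Azure AD Kerberos covers hybrid users only, Azure AD-only joined PCs get neither) can be checked from an admin workstation. The script below is an added example, not code from the thread or from Microsoft; it assumes the Az.Storage module is installed and signed in, and the resource group and storage account names are placeholders.

```powershell
# Added example: classify whether an Azure Files SMB share can be mounted with identity-based
# auth from this device, using the rules stated in the thread. Assumes Az.Storage is loaded.

function Get-DeviceJoinState {
    # Parse 'dsregcmd /status' output into the two join flags that matter here.
    param([string[]]$StatusLines = (dsregcmd /status))
    $state = @{ AzureAdJoined = $false; DomainJoined = $false }
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*AzureAdJoined\s*:\s*(YES|NO)') { $state.AzureAdJoined = ($Matches[1] -eq 'YES') }
        if ($line -match '^\s*DomainJoined\s*:\s*(YES|NO)')  { $state.DomainJoined  = ($Matches[1] -eq 'YES') }
    }
    return $state
}

function Test-AzureFilesIdentityAuth {
    # $DirectoryServiceOption is the account's AzureFilesIdentityBasedAuth.DirectoryServiceOptions
    # value: None, AD (on-prem AD DS), AADDS (Azure AD DS) or AADKERB (Azure AD Kerberos, hybrid users).
    param(
        [Parameter(Mandatory)][string]$DirectoryServiceOption,
        [Parameter(Mandatory)][hashtable]$Join
    )
    switch ($DirectoryServiceOption) {
        'AD'      { if ($Join.DomainJoined) { 'Supported: AD DS credentials from a domain-joined (hybrid) device' }
                    else { 'Not supported: device is not joined to the AD DS forest the account is registered to' } }
        'AADDS'   { if ($Join.DomainJoined) { 'Supported only if the joined domain is the Azure AD DS managed domain' }
                    else { 'Not supported: device is not joined to the Azure AD DS domain' } }
        'AADKERB' { if ($Join.AzureAdJoined) { 'Supported for hybrid (AD-synced) users only; cloud-only identities are not supported' }
                    else { 'Not supported: device is not Azure AD joined' } }
        default   { 'Identity-based auth not enabled: only storage account key access at share level' }
    }
}

# Constructed dsregcmd output for an Azure AD-only joined PC, the scenario in the question.
$sampleStatus = @('AzureAdJoined : YES', 'EnterpriseJoined : NO', 'DomainJoined : NO')
$join = Get-DeviceJoinState -StatusLines $sampleStatus

# Read the directory service configured on the storage account (placeholder names).
$acct   = Get-AzStorageAccount -ResourceGroupName '<resource-group>' -Name '<storageaccount>'
$option = [string]$acct.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
if (-not $option) { $option = 'None' }

Test-AzureFilesIdentityAuth -DirectoryServiceOption $option -Join $join
```

    Drop the `-StatusLines` argument to evaluate the real device instead of the constructed sample.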