Using Azure File Shares with On-Prem ADDS Authentication and S2S VPN Tunnel

Nowadays, Azure Files supports identity-based authentication over SMB through two kinds of domain services. You can either use Azure Active Directory Domain Services (AADDS) or the traditional On-Prem Active Directory Domain Services that most environments already have. The setup differs a bit depending on which authentication method you want to use. In this post, we will go through how to implement On-Prem Active Directory authentication using a Site-to-Site VPN tunnel, instead of going over the public internet.

Using On-Prem AD DS authentication requires a Hybrid Identity, so you will need to synchronize your users to Azure AD using Azure AD Connect. If you don’t have a Hybrid Identity yet, follow the guide here.

As with anything new you plan to set up, there are some prerequisites to complete first. You need an Azure Subscription, and in that subscription you need a Virtual Network, a VPN Gateway, a Local Network Gateway and, of course, the Storage Account that will host the file share.

A topology chart illustrating the topology of an Azure VPN gateway connecting an Azure file share to an on-premises site using a S2S VPN


In this post, we will use PowerShell to create the needed resources, so make sure you have installed the Azure PowerShell modules. If not, you can install the modules with the following command and connect to Azure.

Create the Resource Group that will host your resources.

Create a Storage Account in the newly created Resource Group with your preferred settings.

Create the File Share in your Storage Account.

After we have created the needed Resource Group and Storage Account, we need to create a Virtual Network where our VPN Gateway will live.

Create a subnet configuration.

Set the subnet on the Virtual Network.

After the network and the subnet have been created, it’s time to create the Virtual Network Gateway and the Gateway Subnet.

First we set a variable to the Virtual Network.

Create the Gateway Subnet.

Set the subnet configuration to the Virtual Network.

After the Gateway Subnet has been created, we will need an IP for the Virtual Network Gateway.

Request a public IP.

Create a Gateway configuration.

The last thing to do is to create the VPN Gateway. Provisioning a VPN Gateway may take up to 1 hour or more.

After creating a Virtual Network Gateway, you will need to create a Local Network Gateway. Fill in your On-Prem details.

Once you have created the Virtual Network Gateway and the Local Network Gateway, you can create a Connection between these two.

First set the variables.

And create the Connection with your own details.
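The whole resource-creation sequence above (Resource Group, Storage Account, File Share, Virtual Network, Gateway Subnet, VPN Gateway, Local Network Gateway and Connection) in one script, as an added example that is not the post's own code. All names, address ranges, SKUs and the on-prem public IP are assumptions; replace them with your environment details.

```powershell
# Assumed names and addresses (not from the post); replace with your own.
$location   = "westeurope"
$rg         = "rg-azfiles"
$saName     = "stazfiles001"          # globally unique, lower-case
$share      = "finance"
$vnetName   = "vnet-azfiles"
$onPremGw   = "203.0.113.10"          # RFC 5737 documentation address standing in for your firewall's public IP
$onPremNets = @("192.168.0.0/16")     # on-prem address space reachable through the tunnel

Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
Connect-AzAccount

New-AzResourceGroup -Name $rg -Location $location

# Storage Account and File Share: HTTPS only and TLS 1.2 minimum for the management/REST side;
# the SMB share itself will be reached only through the tunnel once network rules are applied.
New-AzStorageAccount -ResourceGroupName $rg -Name $saName -Location $location -SkuName Standard_LRS `
    -Kind StorageV2 -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2
New-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $saName -Name $share -QuotaGiB 1024

# Virtual Network with a workload subnet plus the mandatory GatewaySubnet (/27 or larger)
$subnet = New-AzVirtualNetworkSubnetConfig -Name "default" -AddressPrefix "10.10.1.0/24"
$vnet   = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
    -AddressPrefix "10.10.0.0/16" -Subnet $subnet
Add-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "10.10.255.0/27" -VirtualNetwork $vnet | Out-Null
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet

# Public IP and IP configuration for the Virtual Network Gateway
$gwPip    = New-AzPublicIpAddress -Name "pip-vpngw" -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$gwIpCfg  = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconfig1" -SubnetId $gwSubnet.Id -PublicIpAddressId $gwPip.Id

# Route-based VPN Gateway; this step is the slow one (up to an hour or more)
$vpnGw = New-AzVirtualNetworkGateway -Name "vpngw-azfiles" -ResourceGroupName $rg -Location $location `
    -IpConfigurations $gwIpCfg -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Local Network Gateway describes the on-prem side of the tunnel
$lng = New-AzLocalNetworkGateway -Name "lng-onprem" -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress $onPremGw -AddressPrefix $onPremNets

# IPsec Connection with a randomly generated 64-hex-character pre-shared key
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = ($bytes | ForEach-Object { $_.ToString("x2") }) -join ""
New-AzVirtualNetworkGatewayConnection -Name "cn-onprem" -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $vpnGw -LocalNetworkGateway2 $lng -ConnectionType IPsec -RoutingWeight 10 -SharedKey $psk
Write-Host "Configure this PSK on the on-prem firewall (shown once): $psk"
```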

Once you have everything you need, it’s time to make the Storage Account accessible only through the Site-to-Site VPN tunnel. There are two ways to do it: you can either create a Private Endpoint or a Service Endpoint. In this post, we will use the Service Endpoint.

By default the Storage Account connectivity method is set to a Public Endpoint, which allows access over the internet from all networks, so we need to restrict access to selected Virtual Networks.

To restrict access to the Storage Account’s public endpoint, we first gather some information about the Storage Account and the Virtual Network into variables. Fill in your environment details.

We need to expose the Microsoft.Storage Service Endpoint on the subnet, in order to allow the traffic through the Azure network fabric towards the Public Endpoint of the Storage Account.

The last step in restricting traffic to the Storage Account is to create a network rule and add it to the Storage Account’s network rule set.
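The three restriction steps above (variables, Service Endpoint, network rule set) as one added example that is not the post's own code, including the check that the default action really ended up as Deny. Resource names are assumptions.

```powershell
# Assumed names (not from the post)
$rg = "rg-azfiles"; $saName = "stazfiles001"; $vnetName = "vnet-azfiles"; $subnetName = "default"

$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName

# 1. Expose the Microsoft.Storage Service Endpoint on the subnet. The cmdlet rewrites the
#    subnet config, so keep the existing prefix and list every endpoint the subnet should have.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint "Microsoft.Storage" | Set-AzVirtualNetwork | Out-Null
$subnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName |
    Get-AzVirtualNetworkSubnetConfig -Name $subnetName

# 2. Allow that subnet in the Storage Account network rule set BEFORE switching the default
#    action to Deny, so there is never a window where nothing is allowed.
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $saName -VirtualNetworkResourceId $subnet.Id | Out-Null

# 3. Deny everything else; Bypass AzureServices keeps trusted platform services (e.g. metrics/logging) working
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName -DefaultAction Deny -Bypass AzureServices | Out-Null

# 4. Verify: default action must be Deny and the subnet rule must be Succeeded/Allow
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName
if ($rules.DefaultAction -ne "Deny") { throw "Storage Account $saName still allows access from all networks" }
$rules.VirtualNetworkRules | Format-Table VirtualNetworkResourceId, State, Action -AutoSize
```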

Now we have created all the needed resources in Azure, and it’s time to head over to your On-Prem AD DS server. There are a few ways to accomplish AD DS authentication, but in this post we will be using the AzFilesHybrid PowerShell module.

Files AD workflow diagram

Download and unzip the AzFilesHybrid module from here.

Run PowerShell as an Admin and navigate to the folder where you unzipped the AzFilesHybrid module. Fill in your environment details.

One thing to remember with this setup is that the AD DS account created by the cmdlet represents the Storage Account. If the AD DS account is created under an organizational unit that enforces password expiration, you must update the password before the maximum password age. You can update the password with the following command. Fill in your environment details.

After you have successfully created the ComputerAccount or the ServiceLogonAccount, you can verify the configuration. Fill in your environment details.

If successful, the output should look similar to this.

Now that you have enabled authentication through AD DS, we need to assign share-level permissions to the users. You can do this either through PowerShell or from the Azure portal. Fill in your environment details.
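The AD DS enablement steps above (join, password rotation, verification and share-level RBAC) as one added example that is not the post's own code. The module path, subscription, OU, Storage Account, share and the AD group name are assumptions.

```powershell
# Run in an elevated PowerShell on a domain-joined machine; the path below is an assumption
Set-Location "C:\Temp\AzFilesHybrid"
.\CopyToPSPath.ps1
Import-Module -Name AzFilesHybrid
Connect-AzAccount
Select-AzSubscription -SubscriptionId "<subscription-id>"   # placeholder

$rg = "rg-azfiles"; $saName = "stazfiles001"; $shareName = "finance"
$ou = "OU=AzureFiles,DC=corp,DC=example,DC=com"              # assumed OU for the storage account object

# 1. Create the AD DS computer object that represents the Storage Account and register
#    the domain details on the account. Put it in an OU without password expiry if you can.
Join-AzStorageAccountForAuth -ResourceGroupName $rg -StorageAccountName $saName `
    -DomainAccountType "ComputerAccount" -OrganizationalUnitDistinguishedName $ou

# 2. Verify on both sides: the account must report DirectoryServiceOptions = AD with the
#    domain properties filled, and the AD object must exist with the cifs/ SPN.
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName
if ($sa.AzureFilesIdentityBasedAuth.DirectoryServiceOptions -ne "AD") {
    throw "AD DS authentication is not enabled on $saName"
}
$sa.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties |
    Format-List DomainName, NetBiosDomainName, DomainGuid, DomainSid, AzureStorageSid
Get-ADComputer -Filter "Name -eq '$saName'" -Properties ServicePrincipalName |
    Select-Object Name, Enabled, ServicePrincipalName

# 3. Password rotation (needed before the OU's maximum password age expires); alternate
#    between kerb1 and kerb2 on each rotation so the previous key stays valid during rollover.
Update-AzStorageAccountADObjectPassword -RotateToKerbKey kerb2 -ResourceGroupName $rg -StorageAccountName $saName

# 4. Share-level permission: assign the built-in SMB role to an AD-synced group at share scope,
#    not to individual users and not at the whole Storage Account.
$shareScope = "/subscriptions/$((Get-AzContext).Subscription.Id)/resourceGroups/$rg" +
    "/providers/Microsoft.Storage/storageAccounts/$saName/fileServices/default/fileshares/$shareName"
$group = Get-AzADGroup -DisplayName "FS-Finance-RW"                # assumed synced AD group
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName "Storage File Data SMB Share Contributor" -Scope $shareScope
```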

After the share-level permissions have been set, we need to set up the directory/file-level permissions.

First we need to mount the Azure File Share on a domain-joined computer/server. Fill in your environment details.

Note here: now that we are connecting to the Storage Account Public Endpoint through a restricted network, you will need to route the traffic towards the * through the Site-to-Site VPN tunnel in your On-Prem firewall. Otherwise the computer/server will try to connect to the Public Endpoint over the Internet, which is not allowed in this configuration. You can also do the routing with some other method, but the traffic needs to be forwarded into the VPN tunnel. If you are using a Private Endpoint, this configuration is not necessary.

You can assign the directory/file-level permissions with icacls, for example.

After you have set all the needed permissions, you can start copying your files from On-Prem file shares, to Azure File Share.

If you have directories or files on on-premises file servers with Windows DACLs configured against the AD DS identities, you can copy them over to Azure Files while preserving the ACLs with traditional file copy tools like Robocopy.

The AzFilesHybrid module also provides tools for setting up permissions, for example the Move-OnPremSharePermissionsToAzureFileShare cmdlet, which helps migrate local share permissions to Azure RBAC’s built-in roles for files.
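Mounting the share over the tunnel, setting directory-level ACLs with icacls and copying the on-prem data with Robocopy while keeping DACLs, as one added example that is not the post's own code. It also checks that TCP 445 to the storage endpoint is reachable and which route the client actually uses, which is the symptom of the routing note above. The Storage Account, share, AD groups, source server and log path are assumptions.

```powershell
# Assumed names (not from the post); run in an elevated PowerShell on a domain-joined machine
$rg = "rg-azfiles"; $saName = "stazfiles001"; $shareName = "finance"
$fqdn = "$saName.file.core.windows.net"
$unc  = "\\$fqdn\$shareName"

# 1. Confirm SMB (TCP 445) reaches the endpoint and that the route points into the tunnel
#    rather than the default internet gateway (the network rule set denies the latter).
$tnc = Test-NetConnection -ComputerName $fqdn -Port 445
if (-not $tnc.TcpTestSucceeded) {
    throw "TCP 445 to $fqdn failed: check the firewall route for the storage endpoint into the S2S tunnel"
}
Find-NetRoute -RemoteIPAddress $tnc.RemoteAddress.ToString() |
    Where-Object DestinationPrefix | Select-Object DestinationPrefix, NextHop, InterfaceAlias

# 2. Mount with the storage account key as the "superuser" so NTFS ACLs can be set regardless
#    of share-level RBAC; use this identity only for ACL work and remove the mapping afterwards.
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $saName)[0].Value
cmd.exe /C "net use Z: $unc /user:Azure\$saName $key /persistent:no" | Out-Null
if (-not (Test-Path "Z:\")) { throw "Mount of $unc failed" }

# 3. Directory/file-level permissions: least privilege per AD group, inherited down the tree
New-Item -ItemType Directory -Path "Z:\Finance" -Force | Out-Null
icacls "Z:\Finance" /grant "CORP\FS-Finance-RW:(OI)(CI)M" "CORP\FS-Finance-RO:(OI)(CI)RX"
# Tighten the share root: drop the default Modify grant given to every authenticated user
icacls "Z:\" /remove:g "NT AUTHORITY\Authenticated Users"
icacls "Z:\Finance"   # review the resulting ACL

# 4. Copy from the on-prem server carrying DACLs: /COPY:DATSO = data, attributes, timestamps,
#    security (NTFS ACLs), owner. Robocopy exit codes of 8 or higher mean something failed.
New-Item -ItemType Directory -Path "C:\Logs" -Force | Out-Null
robocopy "\\fs01.corp.example.com\Finance" "Z:\Finance" /MIR /COPY:DATSO /DCOPY:DAT `
    /R:3 /W:5 /MT:16 /LOG:C:\Logs\finance-migrate.log /TEE
if ($LASTEXITCODE -ge 8) { throw "Robocopy reported errors, see C:\Logs\finance-migrate.log" }

# 5. Remove the key-based mapping; users reconnect with their own AD identity afterwards
cmd.exe /C "net use Z: /delete /y" | Out-Null
```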

Author: Mikko Pantti
