Step by step guide on computer account auth for Azure Files


 

In the last three weeks I have been getting a lot of questions about Azure Files. The main one has been “Can computer accounts have access to Azure Files?”. That, combined with my work on MSIX app attach (which also uses Azure Files), prompted this post.

 

Prerequisites

 

Azure Files supports multiple authentication mechanisms. This article is focused on authenticating with on-premises AD DS, as described here. Hence the prerequisites are:

  • AD DS synced to Azure AD (for example via Azure AD Connect)
  • Permissions to create a Group in AD DS
  • Storage account or enough permissions to create one
  • VM or physical machine joined to AD DS, and permissions to access it
  • WVD host pool in which all session hosts have been domain joined

 

Process overview

 

1. Create an AD DS security group.
2. Add the computer accounts of all session hosts as members of the group.
3. Sync the AD DS group to Azure AD.
4. Create a storage account.
5. Create a file share under the storage account.
6. Join the storage account to AD DS.
7. Assign the Storage File Data SMB Share Contributor role on the storage account to the AD DS group that has been synced to Azure AD.
8. Mount the file share on any session host.
9. Grant NTFS permissions on the file share to the AD DS group.

 

Create Group in AD DS

 

This group will be used in later steps to grant both the share-level (RBAC) and the file-level (NTFS) permissions.

  1. Remote into the VM or physical machine joined to AD DS.
  2. Open the Active Directory Users and Computers utility.
  3. Under the domain node right click and select New, and then Group.

Note: it is not mandatory to create a new group; an existing group can be used.

  4. In the New Object – Group dialog enter the group name and select:
    1. Group scope: Global
    2. Group type: Security
  5. Right click on the new group and select Properties.
  6. In the properties screen select the Members tab.
  7. Click Add…
  8. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog click Object Types… and select Computers. Click OK.
  9. In Enter the object names to select, enter the names of all session hosts.
  10. Click Check Names and, if multiple entries are present, select the correct one from the results dialog.
  11. Click OK and then Apply.

Note: If this is a new group it may take up to 1 hour to sync with Azure AD.

 

Create storage account

 

For brevity we will assume there is already a storage account with a file share. If required, please reference this article on how to create storage accounts. If you’re creating a new storage account, it is mandatory to create a file share.

Note: if you are creating a Premium storage account make sure Account Kind is set to FileStorage.

 

Share-level permission aka RBAC permission

 

  1. Select the desired storage account.
  2. Click Access control (IAM) and then Add. From the drop down select Add role assignment.
  3. In the Add role assignment screen:
    1. Role: Storage File Data SMB Share Contributor
    2. Assign access to: User, group, or service principal
    3. Subscription: based on your environment
    4. Select: pick the AD DS group you created (now synced to Azure AD) that contains your session hosts
  4. Click Save.
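The same share-level assignment done from Az PowerShell, as an added example that is not part of the original post. The group display name, subscription, resource group and storage account name are placeholders you must replace; the role name and the scope format are the real ones. The scope is deliberately the storage account itself rather than the resource group, so the session hosts get SMB access to this account only.

```powershell
# Added example (not from the original post): assign the share-level RBAC role
# to the synced AD DS group and verify the assignment at the right scope.
# Assumed values; replace with your own.
$SubscriptionId     = "<your-subscription-id-here>"
$ResourceGroupName  = "<resource-group-name-here>"
$StorageAccountName = "<storage-account-name-here>"
$GroupName          = "WVD-SessionHosts"        # assumed display name of the AD DS group
$RoleName           = "Storage File Data SMB Share Contributor"

Connect-AzAccount | Out-Null
Select-AzSubscription -SubscriptionId $SubscriptionId | Out-Null

# The group must already have synced to Azure AD; until it has, Get-AzADGroup returns nothing.
$group = Get-AzADGroup -DisplayName $GroupName
if (-not $group) {
    throw "Group '$GroupName' is not in Azure AD yet. Wait for the AD DS -> Azure AD sync (or force it) and retry."
}

# Scope the assignment to the storage account only, not the resource group or subscription.
$scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
         "/providers/Microsoft.Storage/storageAccounts/$StorageAccountName"

# Idempotent: only create the assignment if it is not already there.
$existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $RoleName -Scope $scope
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $RoleName -Scope $scope | Out-Null
}

# Verify: this group, this role, this scope (inherited assignments from higher scopes also show here).
Get-AzRoleAssignment -ObjectId $group.Id -Scope $scope |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

If the verification output lists the role with a broader scope (a resource group or subscription), the session hosts have SMB access to more storage accounts than this guide intends; remove that assignment and keep the account-scoped one.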

 

Join storage account to AD DS

 

In this step we join our storage account to AD DS. The full article is available here. Our steps have been modified to achieve the desired scenario (computer account authentication).

  1. Remote into the VM or physical machine joined to AD DS.

Note: Run the script using an on-premises AD DS credential that is synced to Azure AD. That credential must also hold either the Owner or the Contributor Azure role on the storage account.

  2. Download and unzip the latest version of AzFilesHybrid from here.
  3. Open PowerShell in elevated mode.
  4. Run the following command to set the execution policy (this is what the official guidance uses; set it back to your normal policy once the join is done):
    Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
  5. Navigate to where AzFilesHybrid was unzipped and run .\CopyToPSPath.ps1
  6. Import the AzFilesHybrid module via Import-Module -Name AzFilesHybrid
  7. Sign in to Azure via Connect-AzAccount
  8. Set the following parameters according to your setup and select the subscription:
    $SubscriptionId = "<your-subscription-id-here>"
    $ResourceGroupName = "<resource-group-name-here>"
    $StorageAccountName = "<storage-account-name-here>"
    Select-AzSubscription -SubscriptionId $SubscriptionId
  9. Run Join-AzStorageAccountForAuth. -DomainAccountType "ComputerAccount" creates a computer object for the storage account in the OU you specify; -EncryptionType lists the Kerberos encryption types that object will support. Keep AES256; include RC4 only if you still have clients that cannot use AES:
    Join-AzStorageAccountForAuth `
    -ResourceGroupName $ResourceGroupName `
    -StorageAccountName $StorageAccountName `
    -DomainAccountType "ComputerAccount" `
    -OrganizationalUnitDistinguishedName "<ou-distinguished-name-here>" `
    -EncryptionType "AES256,RC4"
  10. The output of the above command must look like the screenshot below. If it doesn’t, joining the storage account to AD DS was not successful.

psscreen.png
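Before moving on to NTFS permissions it is worth checking the join from both sides, Azure and AD DS, rather than relying on the screenshot alone. The block below is an added example and not part of the original post; the resource group and storage account names are placeholders. It uses the AzureFilesIdentityBasedAuth property that Get-AzStorageAccount returns, the ActiveDirectory module, and the Debug-AzStorageAccountAuth cmdlet that ships in the same AzFilesHybrid module you just imported.

```powershell
# Added example (not from the original post): verify that the storage account
# really is joined to AD DS. Run in the same elevated session as the join.
# Assumed values; replace with your own.
$ResourceGroupName  = "<resource-group-name-here>"
$StorageAccountName = "<storage-account-name-here>"

Import-Module AzFilesHybrid
Import-Module ActiveDirectory

# 1. What Azure thinks: the account must report DirectoryServiceOptions = AD and
#    carry the domain and SID details captured by Join-AzStorageAccountForAuth.
$sa   = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$auth = $sa.AzureFilesIdentityBasedAuth
if ($auth.DirectoryServiceOptions -ne "AD") {
    throw "Storage account is not configured for AD DS authentication (DirectoryServiceOptions = '$($auth.DirectoryServiceOptions)')."
}
$auth.ActiveDirectoryProperties | Format-List DomainName, NetBiosDomainName, DomainSid, AzureStorageSid

# 2. What AD DS thinks: a computer object named after the storage account must
#    exist, with the cifs/ SPN clients request a ticket for, and with AES256 enabled.
$spn = "cifs/$StorageAccountName.file.core.windows.net"
$obj = Get-ADComputer -Identity $StorageAccountName -Properties ServicePrincipalName, KerberosEncryptionType
if ($obj.ServicePrincipalName -notcontains $spn) {
    Write-Warning "SPN $spn is missing on $($obj.DistinguishedName)"
}
if (($obj.KerberosEncryptionType -join ",") -notmatch "AES256") {
    Write-Warning "AES256 is not enabled on $($obj.DistinguishedName); RC4-only Kerberos is weak. Re-run the join with AES256 in -EncryptionType."
}
"Computer object: $($obj.DistinguishedName)"

# 3. The module's own end-to-end check (password, SID and SPN consistency between
#    the AD object and the storage account). Read every warning it prints.
Debug-AzStorageAccountAuth -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName -Verbose
```

The object's DistinguishedName printed in step 2 also confirms the OU you passed in -OrganizationalUnitDistinguishedName was honoured; if it landed in the default Computers container, the OU string was wrong (see Troubleshooting).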

File-level permissions aka NTFS permissions

 

To be able to authenticate with AD DS computer accounts against an Azure Files share, we must also assign NTFS (file-level) permissions in addition to the RBAC (share-level) permission we set up earlier. Since no AD DS identity has rights on the share yet, it is mounted once with the storage account key, which has full access, in order to set the ACLs.

  1. Open the Azure portal and navigate to the storage account that we added to AD DS.
  2. Select Access keys and copy key1.

Note: the storage account key grants full access to every share in the account and is not subject to RBAC or NTFS. Use it only for this one-off step, remove the mapping when you are done, and rotate the key if it has been exposed (for example pasted into a ticket or a chat).

accesskey.png

  3. Remote into the VM or physical machine joined to AD DS.
  4. Open a command prompt in elevated mode.
  5. Execute the following command, replacing the values with those applicable to your environment:
    net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> /user:Azure\<storage-account-name> <storage-account-key>

Note: Make sure that the output of the command above is “The command completed successfully”. If not, repeat and verify the input.

  6. Open File Explorer and find the drive letter specified in the command above.
  7. Right click on the drive letter and select Properties and then Security.
  8. Click Edit and after that Add…

select.png

Note: Make sure the location shown in the dialog (From this location) is your AD DS domain name; if it isn’t, the storage account has not been domain joined.

  9. If prompted, enter admin credentials.
  10. In the Select Users, Computers, Service Accounts, or Groups window enter the name of the group we created in the Create Group in AD DS section and click OK.
  11. Confirm the group has Read & execute permissions (which also selects List folder contents and Read).

permissions2.png

  12. Click Apply and, if prompted by Windows Security, confirm by pressing Yes.
  13. Once the ACL is in place, remove the key-backed mapping (net use <desired-drive-letter>: /delete) so the full-access session does not linger on the admin machine.
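The same NTFS grant scripted with icacls instead of clicked through File Explorer, as an added example that is not part of the original post. It pulls key1 with Get-AzStorageAccountKey rather than copying it from the portal, grants the group the Read & execute set with inheritance, checks the resulting ACE, and always drops the key-backed mapping. The resource group, storage account, share, group (DOMAIN\name form) and drive letter are placeholders.

```powershell
# Added example (not from the original post): grant the AD DS group Read & execute
# on the share root via icacls, then verify and clean up. Run elevated, with Az
# PowerShell signed in (Connect-AzAccount). Assumed values; replace with your own.
$ResourceGroupName  = "<resource-group-name-here>"
$StorageAccountName = "<storage-account-name-here>"
$ShareName          = "<share-name>"
$GroupName          = "CONTOSO\WVD-SessionHosts"   # assumed DOMAIN\group holding the session hosts' computer accounts
$Drive              = "Z:"

# key1 is a full-access credential: keep it in memory only, never write it to disk.
$key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName)[0].Value
$unc = "\\$StorageAccountName.file.core.windows.net\$ShareName"

# /persistent:no stops Windows from trying to recreate this key-backed mapping at next logon.
net use $Drive $unc /user:Azure\$StorageAccountName $key /persistent:no | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Mount failed; check the account key and that outbound TCP 445 is allowed." }

try {
    # (OI)(CI) = inherit to files and subfolders; (RX) = Read & execute, which
    # includes List folder contents and Read, the minimum the post calls for.
    icacls "$Drive\" /grant "${GroupName}:(OI)(CI)(RX)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

    # Verify: an Allow ACE for the group with ReadAndExecute rights that children inherit.
    $ace = (Get-Acl "$Drive\").Access | Where-Object { $_.IdentityReference.Value -ieq $GroupName }
    if (-not $ace) { throw "No ACE for $GroupName found on the share root" }
    $ace | Format-Table IdentityReference, FileSystemRights, AccessControlType, InheritanceFlags -AutoSize
}
finally {
    # Drop the mapping so the full-access session does not outlive this script.
    net use $Drive /delete /y | Out-Null
    Remove-Variable key -ErrorAction SilentlyContinue
}
```

If the dialog-based steps above showed a domain other than yours, this script fails at the icacls step with an unresolvable account name, which is the same symptom: the storage account is not actually domain joined.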

 

Troubleshooting

 

Common challenges with granting machine accounts access to an Azure Files share authenticated with AD DS are captured in the sections below.

 

Group membership

 

When a VM's computer account is added to an AD DS group, the VM must be restarted before it picks up the membership: the group SIDs travel in the machine's Kerberos ticket, which is only reissued at reboot (or when the machine's tickets are purged). Until then access is denied even though RBAC and NTFS are correct.
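A way to check all three layers from a session host without guessing, as an added example that is not part of the original post: the directory membership, the machine's Kerberos ticket, and an actual SMB access attempt made as the computer account. The last part runs Test-Path under SYSTEM through a one-shot scheduled task, because an interactive admin session authenticates as the user, not as the machine. Group name, share and SPN are placeholders.

```powershell
# Added example (not from the original post): confirm from a session host that its
# computer account (not the logged-on admin) is in the group and can open the share.
# Run elevated. Assumed values; replace with your own.
$GroupName = "WVD-SessionHosts"
$Share     = "\\<storage-account-name>.file.core.windows.net\<share-name>"
$Spn       = "cifs/<storage-account-name>.file.core.windows.net"

# 1. Directory view: is this host a member of the group at all?
Import-Module ActiveDirectory
$me     = Get-ADComputer -Identity $env:COMPUTERNAME
$groups = (Get-ADPrincipalGroupMembership -Identity $me).Name
if ($groups -notcontains $GroupName) {
    throw "$env:COMPUTERNAME is not a member of $GroupName in AD DS; add it first."
}

# 2. Ticket view: group SIDs live in the PAC of the machine's TGT, which is only
#    refreshed at reboot or when the tickets of the machine logon session (0x3e7)
#    are purged. Purging avoids the restart mentioned above.
klist -li 0x3e7 purge | Out-Null

# 3. Access view: as SYSTEM, request a service ticket for the share's SPN and try
#    to open the share. SYSTEM authenticates over SMB as the computer account.
$task = "AzFilesComputerAccountTest"
$out  = Join-Path $env:ProgramData "azfiles-computer-test.txt"
Remove-Item $out -ErrorAction SilentlyContinue
$cmd  = "klist get $Spn | Out-File '$out' -Encoding ascii; " +
        "('ShareReachable=' + (Test-Path -Path '$Share')) | Out-File '$out' -Append -Encoding ascii"
$action    = New-ScheduledTaskAction -Execute "powershell.exe" `
                 -Argument "-NoProfile -NonInteractive -Command `"$cmd`""
$principal = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY\SYSTEM" -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $task -Action $action -Principal $principal -Force | Out-Null
Start-ScheduledTask -TaskName $task
do { Start-Sleep -Seconds 2 } while ((Get-ScheduledTask -TaskName $task).State -eq "Running")
Unregister-ScheduledTask -TaskName $task -Confirm:$false

# A ticket for cifs/... plus ShareReachable=True means the computer account got
# through Kerberos, RBAC and NTFS. A ticket but ShareReachable=False points at
# RBAC or NTFS; no ticket points at the SPN, DNS or outbound port 445.
Get-Content $out
Remove-Item $out
```

Run it once before and once after the group change: the first run should fail at step 1, the second should report ShareReachable=True without a reboot.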

 

Adding storage account to AD DS

 

The Azure Files team has an excellent troubleshooting document available here. A few errors I have observed with higher frequency:

  • Ignoring warnings when running the PowerShell. The domain object for the storage account is still created, but possibly with incorrect settings. In that case it is easier to delete the computer object representing the storage account from AD DS and run the join again.
  • Incorrect OU specified. It is a best practice to put the storage account's computer object in a dedicated OU. The OU is given as a distinguished name in the standard syntax OU=<ou-name>,DC=<domain-prefix>,DC=<top-level-domain>, for example OU=storageAccounts,DC=wvdcontoso,DC=com. The OU component is OU=, not DC=; DC= components only describe the domain.
  • Storage account sync to Azure AD. It takes about 30 minutes for the storage account's computer object to sync to Azure AD.

 

Synching AD DS group to Azure AD

 

The sync interval between AD DS and Azure AD is 30 minutes by default. If the AD DS group was created in the last 30 minutes and cannot yet be selected in the role assignment, option 1 is to wait, option 2 is to force the AD DS -> Azure AD sync. Sample script here.
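Forcing the sync and waiting for the group to appear, as an added example that is not part of the original post or the linked sample script. The first half runs on the Azure AD Connect server, where the ADSync module is installed; the second half can run anywhere Az PowerShell is signed in. The group name is a placeholder.

```powershell
# Added example (not from the original post): force a delta sync, then poll
# Azure AD until the group is visible so the RBAC assignment can proceed.
# Assumed value; replace with your own.
$GroupName = "WVD-SessionHosts"

# --- On the Azure AD Connect server ---
Import-Module ADSync
# Starting a second cycle while one is running just fails; check first.
if ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Write-Host "A sync cycle is already in progress; waiting for it instead of starting another."
} else {
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    Write-Host "Delta sync started."
}

# --- From any machine with Az PowerShell, after Connect-AzAccount ---
$deadline = (Get-Date).AddMinutes(10)
do {
    $group = Get-AzADGroup -DisplayName $GroupName
    if ($group) { break }
    Start-Sleep -Seconds 30
} while ((Get-Date) -lt $deadline)

if (-not $group) {
    throw "Group '$GroupName' is still not in Azure AD after 10 minutes; check the Azure AD Connect sync errors and the group's scope (it must be a security group)."
}
"Group $($group.DisplayName) is synced with object id $($group.Id)"
```

A delta sync normally lands in a couple of minutes; if the poll times out, the group is usually outside the OUs Azure AD Connect is filtering on, or it is a distribution group rather than a security group.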

 

RBAC permissions

 

For MSIX app attach and FSLogix the minimum RBAC role on the storage account is Storage File Data SMB Share Contributor.

 

NTFS permission

 

For MSIX app attach and FSLogix the minimum NTFS permissions on the file share are Read & execute and List folder contents.

12 Replies

Great article @Stefan Georgiev 

Anyone interested in seeing a video walking through this process, check out The Azure Academy video on Azure Files with AD Authentication:

https://www.youtube.com/watch?v=9S5A1IJqfOQ

 

Nice video. If I had known it was there I would have skipped creating the article.

@Stefan Georgiev 

Have you gotten app attach to work on an Azure file share with Azure AD DS? Despite having Azure AD DS enabled on the storage account, having the session host's managed identity added to the file share SMB Share Contributor role, being able to mount the file share successfully from the session host, and having assigned full access in the NTFS permissions to the session host's account and users, I am getting an 'Error accessing virtual disk' when trying to enter the MSIX image path (see screenshot below). Any ideas?

 

appattch.jpg

JeremyWallace_0-1611959202549.png

JeremyWallace_1-1611959284542.png

JeremyWallace_2-1611959359513.png

 

An important point that is different from that video I referenced specifically for MSIX AppAttach is that you need the Computer objects to be granted permissions on the file share. I go over this in a lot more detail in my MSIX AppAttach video here - https://youtu.be/m0ifZg2WF5Q

As to the specific question on AADDS being compatible/supported with the portal MSIX AppAttach feature...I’ll let Stefan give the official response ☺️

@Dean Cefola 

Thanks Dean - found a response from Stefan and Tom Hickling on another forum post from earlier this month, so I'm guessing it's still not a workable scenario at this point.

JeremyWallace_0-1611966847948.png

 

@JeremyWallace I tried the SAS key approach and can't get that to work either. It would be nice if Stefan could give us actual steps.

@mobilejon thanks for the suggestion. We will consider it. Two things to keep in mind: we are working on something that may render the need for Azure AD DS obsolete, and Azure AD DS has very low adoption in enterprise (last time I checked, less than 3%).

@Stefan Georgiev for our organization, the need for LDAP translation from cloud-only accounts is very important.

 

Do you have steps to actually make this work in AAD-DS that have been tested and actually work?

@JeremyWallace, were you able to find a solution for this issue? We have the same setup: cloud-only users and AADDS. Can't get MSIX app attach to work. Have you tried a file share on an Azure VM? Not sure what other options there might be. Just looking for ideas. Amazing how hard it's been to find info on this. Usually they will tell you that Hybrid Auth is REQUIRED or something like that, but they don't in the documentation. Pretty frustrating. Thanks for any ideas.

@Chrisvanaz I don't believe that MSIX App Attach is supported with Azure AD Domain Services at all today.  

I believe part of this limitation is that you don't have any rights in the AADDS Domain to assign NTFS permissions. 

I believe you are correct. I haven't been able to find anything that officially says that. I believe it's because you can't assign the RBAC permissions to the computer account. I can assign the NTFS permissions. We even tried assigning the computer managed ID the RBAC role but still doesn't work.

@Dean Cefola you are correct, we are adding this disclaimer to our documentation