Sunday, February 14, 2021

Azure Files Identity based authentication - Azure Active Directory Domain Services (AAD DS)

Azure Active Directory Domain Services (AAD DS) is Microsoft's 'managed domain' service in the cloud.

It is a full-featured Active Directory Domain Services offering that supports Kerberos-based authentication, similar to the AD DS available on-premises.

Here Microsoft Azure takes care of all the management overhead of the Active Directory domain, including patching of domain controllers, replication between domain controllers, availability, etc.

That means you won't be using the repadmin or dcdiag commands anymore.

Azure Files supports integration with Azure Active Directory Domain Services when no on-premises directory exists.

In this article we will briefly go through the steps to be followed to integrate Azure Files with AAD DS identity-based authentication. This article is not intended to cover the setup of AAD DS itself.

The steps to configure AAD DS based authentication on Azure Storage are similar to those for AD DS, which were explained in the previous blog post.

Prerequisites

Select or create an Azure AD tenant.

Enable Azure AD Domain Services on the Azure AD tenant.

Domain-join an Azure VM with Azure AD DS.

Select or create an Azure file share.

Verify Azure Files connectivity by mounting Azure file shares using your storage account key.



Part one: enable AD DS authentication on your storage account

Once the AAD DS setup is completed, enable AAD DS authentication on the storage account: storage account --> Configuration --> enable Azure Active Directory Domain Services.

Part two: assign access permissions for a share to the Azure AD identity (a user, group, or service principal) that is in sync with the target AD identity

·         Storage File Data SMB Share Reader allows read access in Azure Storage file shares over SMB.

·         Storage File Data SMB Share Contributor allows read, write, and delete access in Azure Storage file shares over SMB.

·         Storage File Data SMB Share Elevated Contributor allows read, write, delete and modify NTFS permissions in Azure Storage file shares over SMB.
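
The following is an added example, not code from the original post, showing how the share-level role assignment from Part two can be done and audited with the Az PowerShell module (Connect-AzAccount, Get-AzADUser, New-AzRoleAssignment, Get-AzRoleAssignment). The subscription, resource group, storage account, share name and the user principal name are placeholders; the scope string follows the fileshares resource path used by Azure RBAC for file shares.

```powershell
# Added example (not from the original post): assign a share-level RBAC role
# with the Az PowerShell module. <subscription-id>, <resource-group>,
# <storage-account>, <share-name> and the UPN below are placeholders.
Connect-AzAccount | Out-Null   # interactive sign-in with an account that can assign roles

$Scope = "/subscriptions/<subscription-id>/resourceGroups/<resource-group>" +
         "/providers/Microsoft.Storage/storageAccounts/<storage-account>" +
         "/fileServices/default/fileshares/<share-name>"

# Resolve the Azure AD identity that is in sync with the AAD DS user.
$User = Get-AzADUser -UserPrincipalName "user@contoso.onmicrosoft.com"
if (-not $User) { throw "User not found in the Azure AD tenant" }

# Least privilege: start with Reader; use Contributor / Elevated Contributor
# only for identities that must write or change NTFS permissions.
New-AzRoleAssignment -ObjectId $User.Id `
    -RoleDefinitionName "Storage File Data SMB Share Reader" `
    -Scope $Scope

# Audit step: list every identity holding an SMB data-plane role on this
# share (inherited assignments from the account or resource group appear too).
Get-AzRoleAssignment -Scope $Scope |
    Where-Object { $_.RoleDefinitionName -like "Storage File Data SMB Share*" } |
    Select-Object DisplayName, SignInName, RoleDefinitionName, Scope
```

Assigning the role at the share scope rather than the storage account keeps a Reader on one share from reading every share in the account; the final query is the quick way to see who can reach the data plane over SMB.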



Part three: configure Windows ACLs over SMB for directories and files

An administrator with full access to the share can mount it on a domain-joined computer and set the necessary NTFS permissions using one of the following.

Configure Windows ACLs with Windows File Explorer or icacls

Ex: icacls <mounted-drive-letter>: /grant <user-email>:(f)

The following permissions are included on the root directory of a file share:

·         BUILTIN\Administrators:(OI)(CI)(F)

·         BUILTIN\Users:(RX)

·         BUILTIN\Users:(OI)(CI)(IO)(GR,GE)

·         NT AUTHORITY\Authenticated Users:(OI)(CI)(M)

·         NT AUTHORITY\SYSTEM:(OI)(CI)(F)

·         NT AUTHORITY\SYSTEM:(F)

·         CREATOR OWNER:(OI)(CI)(IO)(F)

Note: TCP port 445 must be allowed in the NSG/firewall rules.

Similarly, if you want to give read access to a group or users on the Azure file share, assign them the role below.

·         Storage File Data SMB Share Reader allows read access in Azure Storage file shares over SMB.

The administrator can then configure NTFS permissions on the mounted share.
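
As an added example (not from the original post), the script below carries out Part three on a domain-joined VM: it checks that TCP 445 is reachable, grants a group read/execute on the share root and one user full control on a sub-folder, then reviews the resulting ACL with icacls and Get-Acl. It assumes the administrator has already mapped the share as drive Z:, and the storage account name, the group CONTOSO\FileShare-Readers, the user and the Z:\Finance folder are all placeholders.

```powershell
# Added example (not from the original post). Assumes the share is already
# mapped as Z: by an administrator holding Elevated Contributor; the account,
# group, user and folder names are placeholders.
$Endpoint = "<storage-account>.file.core.windows.net"

# Port 445 must be reachable or the mount fails (see the note above).
$Probe = Test-NetConnection -ComputerName $Endpoint -Port 445
if (-not $Probe.TcpTestSucceeded) {
    throw "TCP 445 to $Endpoint is blocked; check NSG/firewall rules"
}

$Root = "Z:\"

# Grant a group rather than individual users: (OI)(CI) inherit the entry to
# files and sub-folders, RX = read and execute only.
icacls $Root /grant "CONTOSO\FileShare-Readers:(OI)(CI)(RX)"

# Full control for one user on a single sub-folder only (assumed path).
icacls "Z:\Finance" /grant "user@contoso.com:(OI)(CI)(F)"

# Review the effective ACL on the root and the sub-folder; the default
# entries listed above (BUILTIN\Administrators, Authenticated Users, ...) show here.
icacls $Root
icacls "Z:\Finance"

# Same view through Get-Acl, handy for scripted audits or a change ticket.
(Get-Acl $Root).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

The share-level role still bounds what these ACLs can do: a Reader at the RBAC level stays read-only even if an NTFS entry grants Full control.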


Part four: mount an Azure file share to a VM joined to your AD DS

Log in as a user with at least read permission on the share.

The user can access the share by entering the share UNC path in the Run box without being prompted for a password.

The user can also access the share by entering the share UNC path in File Explorer without being prompted for a password.

The most convenient way is to map the share as a drive in File Explorer, as shown below.

Note: Effective access to a share is determined by the share-level permissions assigned through Azure file share IAM (RBAC), with more granular control applied through the Windows ACL/NTFS permissions on sub-folders and files.
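
As an added example (not from the original post), this script performs the Part four mount from the signed-in AAD DS user's session and then verifies two things a practitioner usually wants evidence of: that the access was authenticated with a Kerberos ticket (not a storage account key), and that the share-level role actually limits what the user can do. The storage account and share name are placeholders and the drive letter S: is assumed.

```powershell
# Added example (not from the original post): map the share for the logged-on
# AAD DS user and confirm Kerberos was used. <storage-account> and <share-name>
# are placeholders; S: is an assumed free drive letter.
$Endpoint = "<storage-account>.file.core.windows.net"
$Unc = "\\$Endpoint\<share-name>"

# No -Credential: the logged-on user's Kerberos identity is used, so there is
# no password prompt (the behaviour described above). -Persist makes the
# mapping visible in File Explorer; -Scope Global keeps it after the script ends.
New-PSDrive -Name S -PSProvider FileSystem -Root $Unc -Persist -Scope Global | Out-Null

# Confirm the mount works with the user's current rights.
Get-ChildItem S:\ | Select-Object Name, Length, LastWriteTime

# A cifs service ticket for the storage endpoint in the ticket cache shows the
# session was authenticated with Kerberos rather than the storage account key.
$Tickets = klist
if ($Tickets -match "cifs/$Endpoint") {
    "Kerberos ticket present for cifs/$Endpoint"
} else {
    "No cifs ticket found: check that the VM is joined to AAD DS and the user is synced"
}

# Probe write access. A Storage File Data SMB Share Reader gets 'Access is
# denied' here, which is the expected least-privilege outcome.
try {
    New-Item -Path "S:\access-check.txt" -ItemType File -ErrorAction Stop | Out-Null
    Remove-Item "S:\access-check.txt"
    "Write access granted (Contributor or higher)"
} catch {
    "Write denied: $($_.Exception.Message)"
}
```

If the ticket is missing and a password prompt appears, the client has fallen back from identity-based authentication; checking the VM's domain membership and the user's sync status is the first step before touching any permissions.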
