You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/storage/files/storage-files-active-directory-overview.md
+4-2Lines changed: 4 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -41,6 +41,8 @@ If you're keeping your primary file storage on-premises, Azure Files is an ideal
41
41
42
42
Before you enable identity-based authentication on your storage account, you need to know what identity source you're going to use. It's likely that you already have one, as most companies and organizations have some type of domain environment configured. Consult your Active Directory (AD) or IT admin to be sure. If you don't already have an identity source, you'll need to configure one before you can enable identity-based authentication.
43
43
44
+
### Supported authentication scenarios
45
+
44
46
You can enable identity-based authentication over SMB using one of three identity sources: **On-premises Active Directory Domain Services (AD DS)**, **Microsoft Entra Domain Services**, or **Microsoft Entra Kerberos (hybrid identities only)**. You can only use one identity source for file access authentication per storage account, and it applies to all file shares in the account.
45
47
46
48
-**On-premises AD DS:** On-premises AD DS-joined or Microsoft Entra Domain Services-joined clients and virtual machines (VMs) can access Azure file shares with on-premises Active Directory credentials that are synched to Microsoft Entra ID over SMB. To use this method, your client must have unimpeded network connectivity to your AD DS.
@@ -49,15 +51,15 @@ You can enable identity-based authentication over SMB using one of three identit
49
51
50
52
-**Microsoft Entra Domain Services:** Cloud-based VMs that are joined to Microsoft Entra Domain Services can access Azure file shares with Microsoft Entra credentials. In this solution, Microsoft Entra ID runs a traditional Windows Server AD domain that is a child of the customer's Microsoft Entra tenant.
51
53
52
-
So which identity source do you choose?
54
+
Use the following guidelines to determine which identity source you should choose.
53
55
54
56
- If your organization already has an on-premises AD, and if the clients, VMs, and applications accessing file shares have unimpeded network connectivity to those domain controllers, choose AD DS.
55
57
56
58
- If some or all of the clients don't have unimpeded network connectivity to your AD DS, or if you're storing FSLogix profiles on Azure file shares for Microsoft Entra joined VMs, choose Microsoft Entra Kerberos.
57
59
58
60
- If you have an existing on-premises AD but are beginning your cloud journey and you want your identities to exist both on-premises and in the cloud, choose Microsoft Entra Kerberos.
59
61
60
-
- If you don't have an existing identity source, or if you need to authenticate cloud-only identities, choose Microsoft Entra Domain Services. If you don't already have a domain service deployed in Azure, you'll notice a new charge on your Azure bill for this option.
62
+
- If you don't have an existing identity source, or if you need to authenticate cloud-only identities, choose Microsoft Entra Domain Services. If you don't already have a domain service deployed in Azure, you'll notice a new charge on your Azure bill for this service.
0 commit comments