Merge pull request #224479 from khdownie/kendownie01192023

mounting file share to non domain joined VM

Author: v-dirichards

articles/storage/files/storage-files-identity-ad-ds-mount-file-share.md

@@ -5,13 +5,13 @@ author: khdownie
 ms.service: storage
 ms.subservice: files
 ms.topic: how-to
-ms.date: 11/09/2022
+ms.date: 01/24/2023
 ms.author: kendownie
 ms.custom: engagement-fy23
 recommendations: false
 ---
 
-# Mount a file share from a domain-joined VM
+# Mount an Azure file share
 
 Before you begin this article, make sure you've read [configure directory and file-level permissions over SMB](storage-files-identity-ad-ds-configure-permissions.md).
 
@@ -33,7 +33,7 @@ Before you can mount the Azure file share, make sure you've gone through the fol
 - If you're mounting the file share from a client that has previously connected to the file share using your storage account key, make sure that you've disconnected the share, removed the persistent credentials of the storage account key, and are currently using AD DS credentials for authentication. For instructions on how to remove cached credentials with storage account key and delete existing SMB connections before initializing new connection with Azure AD or AD credentials, follow the two-step process on the [FAQ page](./storage-files-faq.md#ad-ds--azure-ad-ds-authentication).
 - Your client must have line of sight to your AD DS. If your machine or VM is outside of the network managed by your AD DS, you'll need to enable VPN to reach AD DS for authentication.
 
-## Mount the file share
+## Mount the file share from a domain-joined VM
 
 Run the PowerShell script below or [use the Azure portal](storage-files-quick-create-use-windows.md#map-the-azure-file-share-to-a-windows-drive) to persistently mount the Azure file share and map it to drive Z: on Windows. If Z: is already in use, replace it with an available drive letter. The script will check to see if this storage account is accessible via TCP port 445, which is the port SMB uses. Remember to replace the placeholder values with your own values. For more information, see [Use an Azure file share with Windows](storage-how-to-use-files-windows.md).
 
@@ -49,8 +49,37 @@ if ($connectTestResult.TcpTestSucceeded) {
 }
 ```
 
+You can also use the `net-use` command from a Windows prompt to mount the file share. Remember to replace `<YourStorageAccountName>` and `<FileShareName>` with your own values.
+
+```
+net use Z: \\<YourStorageAccountName>.file.core.windows.net\<FileShareName>
+```
+
 If you run into issues mounting with AD DS credentials, refer to [Unable to mount Azure Files with AD credentials](storage-troubleshoot-windows-file-connection-problems.md#unable-to-mount-azure-files-with-ad-credentials) for guidance.
 
+## Mount the file share from a non-domain-joined VM
+
+Non-domain-joined VMs can access Azure file shares if they have line-of-sight to the domain controllers. The user accessing the file share must have an identity and credentials in the AD domain.
+
+To mount a file share from a non-domain-joined VM, the user must either:
+
+- Provide explicit credentials such as **DOMAINNAME\username** where **DOMAINNAME** is the AD domain and **username** is the identity’s user name, or
+- Use the notation **username@domainFQDN**, where **domainFQDN** is the fully qualified domain name.
+
+Using one of these approaches will allow the client to contact the domain controller to request and receive Kerberos tickets.
+
+For example:
+
+```
+net use Z: \\<YourStorageAccountName>.file.core.windows.net\<FileShareName> /user:<DOMAINNAME\username>
+```
+
+or
+
+```
+net use Z: \\<YourStorageAccountName>.file.core.windows.net\<FileShareName> /user:<username@domainFQDN>
+```
+
 ## Next steps
 
 If the identity you created in AD DS to represent the storage account is in a domain or OU that enforces password rotation, you might need to [update the password of your storage account identity in AD DS](storage-files-identity-ad-ds-update-password.md).

articles/storage/files/storage-files-identity-auth-active-directory-enable.md

@@ -47,7 +47,7 @@ To help you set up identity-based authentication for some common use cases, we p
 | [![Screencast of the replacing on-premises file servers video - click to play.](./media/storage-files-identity-auth-active-directory-enable/replace-on-prem-server-thumbnail.png)](https://www.youtube.com/watch?v=jd49W33DxkQ) | [![Screencast of the Using Azure Files as the profile container video - click to play.](./media/storage-files-identity-auth-active-directory-enable/files-ad-ds-fslogix-thumbnail.png)](https://www.youtube.com/watch?v=9S5A1IJqfOQ) |
 
 
-## Prerequisites 
+## Prerequisites
 
 Before you enable AD DS authentication for Azure file shares, make sure you've completed the following prerequisites: 
 
@@ -57,7 +57,7 @@ Before you enable AD DS authentication for Azure file shares, make sure you've c
 
 - Domain-join an on-premises machine or an Azure VM to on-premises AD DS. For information about how to domain-join, refer to [Join a Computer to a Domain](/windows-server/identity/ad-fs/deployment/join-a-computer-to-a-domain).
 
-    If a machine isn't domain joined, you can still use AD DS for authentication if the machine has line of sight to the on-premises AD domain controller and the user types in their AD credentials.
+    If a machine isn't domain joined, you can still use AD DS for authentication if the machine has line of sight to the on-premises AD domain controller and the user provides explicit credentials. For more information, see [Mount the file share from a non-domain-joined VM](storage-files-identity-ad-ds-mount-file-share.md#mount-the-file-share-from-a-non-domain-joined-vm).
 
 - Select or create an Azure storage account.  For optimal performance, we recommend that you deploy the storage account in the same region as the client from which you plan to access the share. Then, [mount the Azure file share](storage-how-to-use-files-windows.md) with your storage account key. Mounting with the storage account key verifies connectivity.
 

includes/storage-files-aad-permissions-and-mounting.md

@@ -5,7 +5,7 @@
  author: khdownie
  ms.service: storage
  ms.topic: include
- ms.date: 12/07/2022
+ ms.date: 01/24/2023
  ms.author: kendownie
  ms.custom: include file, devx-track-azurecli, devx-track-azurepowershell
 ---
@@ -144,8 +144,32 @@ if ($connectTestResult.TcpTestSucceeded) {
 }
 ```
 
+You can also use the `net-use` command from a Windows prompt to mount the file share. Remember to replace `<YourStorageAccountName>` and `<FileShareName>` with your own values.
+
+```
+net use Z: \\<YourStorageAccountName>.file.core.windows.net\<FileShareName>
+```
+
 ## Mount the file share from a non-domain-joined VM
 
 Non-domain-joined VMs can access Azure file shares using Azure AD DS authentication only if the VM has line-of-sight to the domain controllers for Azure AD DS, which are located in Azure. This usually requires setting up a site-to-site or point-to-site VPN to allow this connectivity. The user accessing the file share must have an identity and credentials (an Azure AD identity synced from Azure AD to Azure AD DS) in the Azure AD DS managed domain.
 
-When mounting the file share, the user must provide explicit credentials such as **DOMAINNAME\username** where DOMAINNAME is the Azure AD DS domain and username is the identity’s user name in Azure AD DS. This will help route Kerberos ticket requests from the client to the correct domain controller in the Azure AD DS domain.
+To mount a file share from a non-domain-joined VM, the user must either:
+
+- Provide explicit credentials such as **DOMAINNAME\username** where **DOMAINNAME** is the Azure AD DS domain and **username** is the identity’s user name in Azure AD DS, or
+- Use the notation **username@domainFQDN**, where **domainFQDN** is the fully qualified domain name.
+
+Using one of these approaches will allow the client to contact the domain controller in the Azure AD DS domain to request and receive Kerberos tickets.
+
+For example:
+
+```
+net use Z: \\<YourStorageAccountName>.file.core.windows.net\<FileShareName> /user:<DOMAINNAME\username>
+```
+
+or
+
+```
+net use Z: \\<YourStorageAccountName>.file.core.windows.net\<FileShareName> /user:<username@domainFQDN>
+```
+