Skip to content

Commit 9c077ad

Browse files
authored
Merge pull request #113708 from yuemlu/master
Update Ad Doc
2 parents f66eb41 + cdd2992 commit 9c077ad

File tree

2 files changed

+6
-6
lines changed

2 files changed

+6
-6
lines changed

articles/storage/files/storage-files-identity-auth-active-directory-enable.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ author: roygara
55
ms.service: storage
66
ms.subservice: files
77
ms.topic: conceptual
8-
ms.date: 04/20/2020
8+
ms.date: 05/04/2020
99
ms.author: rogarana
1010
---
1111

@@ -90,7 +90,7 @@ The following diagram illustrates the end-to-end workflow for enabling Azure AD
9090
9191
## 1 Enable AD DS authentication for your account
9292

93-
To enable AD DS authentication over SMB for Azure file shares, you need to first register your storage account with AD DS and then set the required domain properties on the storage account. When the feature is enabled on the storage account, it applies to all new and existing file shares in the account. Use `join-AzStorageAccountForAuth` to enable the feature. You can find the detailed description of the end-to-end workflow in the script inside this section.
93+
To enable AD DS authentication over SMB for Azure file shares, you need to first register your storage account with AD DS and then set the required domain properties on the storage account. When the feature is enabled on the storage account, it applies to all new and existing file shares in the account. Download the AzFilesHybrid Powershell module and use `join-AzStorageAccountForAuth` to enable the feature. You can find the detailed description of the end-to-end workflow in the script inside this section.
9494

9595
> [!IMPORTANT]
9696
> The `Join-AzStorageAccountForAuth` cmdlet will make modifications to your AD environment. Read the following explanation to better understand what it is doing to ensure you have the proper permissions to execute the command and that the applied changes align with the compliance and security policies.
@@ -111,7 +111,7 @@ You can use the following script to perform the registration and enable the feat
111111
Remember to replace the placeholder values with your own in the parameters below before executing it in PowerShell.
112112
> [!IMPORTANT]
113113
> The domain join cmdlet will create an AD account to represent the storage account (file share) in AD. You can choose to register as a computer account or service logon account, see [FAQ](https://docs.microsoft.com/azure/storage/files/storage-files-faq#security-authentication-and-access-control) for details. For computer accounts, there is a default password expiration age set in AD at 30 days. Similarly, the service logon account may have a default password expiration age set on the AD domain or Organizational Unit (OU).
114-
> For both account types, we strongly recommend you to check what is the password expiration age configured in your AD environment and plan to [Update the password of your storage account identity in AD](#5-update-the-password-of-your-storage-account-identity-in-ad-ds) of the AD account below before the maximum password age. Failing to update AD account password will result in authentication failures when accessing Azure file shares. You can consider to [create a new AD Organizational Unit (OU) in AD](https://docs.microsoft.com/powershell/module/addsadministration/new-adorganizationalunit?view=win10-ps) and disable password expiration policy on [computer accounts](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852252(v=ws.11)?redirectedfrom=MSDN) or service logon accounts accordingly.
114+
> For both account types, we strongly recommend you to check what is the password expiration age configured in your AD environment and plan to [Update the password of your storage account identity in AD](#5-update-the-password-of-your-storage-account-identity-in-ad-ds) of the AD account below before the maximum password age. You can consider to [create a new AD Organizational Unit (OU) in AD](https://docs.microsoft.com/powershell/module/addsadministration/new-adorganizationalunit?view=win10-ps) and disable password expiration policy on [computer accounts](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852252(v=ws.11)?redirectedfrom=MSDN) or service logon accounts accordingly.
115115
116116
```PowerShell
117117
#Change the execution policy to unblock importing AzFilesHybrid.psm1 module
@@ -137,12 +137,12 @@ Select-AzSubscription -SubscriptionId $SubscriptionId
137137
# Register the target storage account with your active directory environment under the target OU (for example: specify the OU with Name as "UserAccounts" or DistinguishedName as "OU=UserAccounts,DC=CONTOSO,DC=COM").
138138
# You can use to this PowerShell cmdlet: Get-ADOrganizationalUnit to find the Name and DistinguishedName of your target OU. If you are using the OU Name, specify it with -OrganizationalUnitName as shown below. If you are using the OU DistinguishedName, you can set it with -OrganizationalUnitDistinguishedName. You can choose to provide one of the two names to specify the target OU.
139139
# You can choose to create the identity that represents the storage account as either a Service Logon Account or Computer Account, depends on the AD permission you have and preference.
140-
#You can run Get-Help Join-AzStorageAccountForAuth to find more details on this cmdlet.
140+
# You can run Get-Help Join-AzStorageAccountForAuth to find more details on this cmdlet.
141141
142142
Join-AzStorageAccountForAuth `
143143
-ResourceGroupName $ResourceGroupName `
144144
-Name $StorageAccountName `
145-
-DomainAccountType "<ComputerAccount|ServiceLogonAccount>" ` #Default set to "ComputerAccount"
145+
-DomainAccountType "<ComputerAccount|ServiceLogonAccount>" ` # Default set to "ComputerAccount" if this parameter is not provided
146146
-OrganizationalUnitName "<ou-name-here>" #You can also use -OrganizationalUnitDistinguishedName "<ou-distinguishedname-here>" instead. If you don't provide the OU name as an input parameter, the AD identity that represents the storage account will be created under the root directory.
147147
148148
#You can run the Debug-AzStorageAccountAuth cmdlet to conduct a set of basic checks on your AD configuration with the logged on AD user. This cmdlet is supported on AzFilesHybrid v0.1.2+ version. For more details on the checks performed in this cmdlet, go to Azure Files FAQ.

includes/storage-files-aad-permissions-and-mounting.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,7 @@ We have introduced three Azure built-in roles for granting share-level permissio
2323
> [!IMPORTANT]
2424
> Full administrative control of a file share, including the ability to take ownership of a file, requires using the storage account key. Administrative control is not supported with Azure AD credentials.
2525
26-
You can use the Azure portal, PowerShell, or Azure CLI to assign the built-in roles to the Azure AD identity of a user for granting share-level permissions.
26+
You can use the Azure portal, PowerShell, or Azure CLI to assign the built-in roles to the Azure AD identity of a user for granting share-level permissions. Be aware that the share level RBAC role assignment can take some time to be in effect.
2727

2828
> [!NOTE]
2929
> Remember to [sync your AD DS credentials to Azure AD](../articles/active-directory/hybrid/how-to-connect-install-roadmap.md) if you plan to use your on-premises AD DS for authentication. Password hash sync from AD DS to Azure AD is optional. Share level permission will be granted to the Azure AD identity that is synced from your on-premises AD DS.

0 commit comments

Comments
 (0)