Commit ce352a5

Update storage-files-active-directory-overview.md
'For AD DS authentication, you must domain-join your client machines or VMs' under AD DS section is inaccurate. Second bullet point under Prerequisites section on https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-overview#prerequisites provides a working method, 'If a machine isn't domain joined, you can still use AD DS for authentication if the machine has unimpeded network connectivity to the on-premises AD domain controller and the user provides explicit credentials. For more information, see Mount the file share from a non-domain-joined VM or a VM joined to a different AD domain. (https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-mount-file-share#mount-the-file-share-from-a-non-domain-joined-vm-or-a-vm-joined-to-a-different-ad-domain)'
1 parent e38d8b2 commit ce352a5

1 file changed

+1
-1
lines changed

articles/storage/files/storage-files-active-directory-overview.md

Lines changed: 1 addition & 1 deletion
@@ -83,7 +83,7 @@ Once you've chosen an identity source, you must enable it on your storage accoun
8383

8484
### AD DS
8585

86-
For AD DS authentication, you must domain-join your client machines or VMs. You can host your AD domain controllers on Azure VMs or on-premises. Either way, your domain-joined clients must have unimpeded network connectivity to the domain controller, so they must be within the corporate network or virtual network (VNET) of your domain service.
86+
For AD DS authentication, you can host your AD domain controllers on Azure VMs or on-premises. Either way, your clients must have unimpeded network connectivity to the domain controller, so they must be within the corporate network or virtual network (VNET) of your domain service.
8787

8888
The following diagram depicts on-premises AD DS authentication to Azure file shares over SMB. The on-premises AD DS must be synced to Microsoft Entra ID using Microsoft Entra Connect Sync or Microsoft Entra Connect cloud sync. Only [hybrid user identities](../../active-directory/hybrid/whatis-hybrid-identity.md) that exist in both on-premises AD DS and Microsoft Entra ID can be authenticated and authorized for Azure file share access. This is because the share-level permission is configured against the identity represented in Microsoft Entra ID, whereas the directory/file-level permission is enforced with that in AD DS. Make sure that you configure the permissions correctly against the same hybrid user.
8989
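
Review bot: On the added line 86, dropping "you must domain-join your client machines or VMs" leaves the section silent on how a non-domain-joined client authenticates. The prerequisite quoted in the commit message says this works only when the user provides explicit credentials and the machine has unimpeded network connectivity to the AD domain controller. Suggest adding a sentence after the first one saying that a machine that isn't domain joined, or is joined to a different AD domain, can still use AD DS authentication if the user provides explicit credentials, with a link to the "Mount the file share from a non-domain-joined VM or a VM joined to a different AD domain" section cited in the commit message. The retained clause "so they must be within the corporate network or virtual network (VNET) of your domain service" still covers both cases, so changing "domain-joined clients" to "clients" there is consistent.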
