articles/storage/files/storage-files-identity-ad-ds-update-password.md
Lines changed: 23 additions & 18 deletions
@@ -1,6 +1,6 @@
1
1
---
2
2
title: Update password for an AD DS storage account identity
3
-
description: Learn how to update the password of the Active Directory Domain Services (AD DS) identity that represents your storage account. This prevents authentication failures and keeps the storage account from being deleted when the password expires.
3
+
description: Learn how to update the password of the Active Directory Domain Services (AD DS) identity that represents your storage account.
4
4
author: khdownie
5
5
ms.service: azure-file-storage
6
6
ms.topic: how-to
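Review bot: the shortened `description` drops the consequence of a missed rotation (authentication failures, and possible deletion of the account once its password expires). The body paragraph in the next hunk still states that risk, so trimming the front-matter summary is acceptable, but consider keeping a short clause such as "before it expires", since the expiry risk is the reason a reader opens this article.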
@@ -10,27 +10,32 @@ recommendations: false
10
10
---
11
11
12
12
# Update the password of your storage account identity in AD DS
13
+
When you domain join your storage account in your Active Directory Domain Services (AD DS), you create an AD principal, either a computer account or service account, with a password. The password of the AD principal is one of the Kerberos keys of the storage account. Depending on the password policy of the organization unit of the AD principal, you must periodically rotate the password of the AD principal to avoid authentication issues. Failing to change the password before it expires could result in losing Kerberos authentication to your Azure file shares. Some AD environments may also delete AD principals with expired passwords using an automated cleanup script.
13
14
14
-
If you registered the Active Directory Domain Services (AD DS) identity/account that represents your storage account in an organizational unit or domain that enforces password expiration time, you must change the password before the maximum password age. Your organization may run automated cleanup scripts that delete accounts once their password expires. Because of this, if you don't change your password before it expires, your account could be deleted, which will cause you to lose access to your Azure file shares.
15
-
16
-
To prevent unintended password rotation, during the onboarding of the Azure storage account in the domain, make sure to place the Azure storage account into a separate organizational unit in AD DS. Disable Group Policy inheritance on this organizational unit to prevent default domain policies or specific password policies from being applied.
17
-
18
-
> [!NOTE]
19
-
> A storage account identity in AD DS can be either a service account or a computer account. Service account passwords can expire in Active Directory (AD); however, because computer account password changes are driven by the client machine and not AD, they don't expire in AD.
15
+
Instead of periodically rotating the password, you can also place the AD principal that represents the storage account into an organizational unit that doesn't require password rotation.
20
16
21
17
There are two options for triggering password rotation. You can use the `AzFilesHybrid` module or Active Directory PowerShell. Use one method, not both.
22
18
23
19
## Applies to
24
-
25
-
| File share type | SMB | NFS |
26
-
|-|:-:|:-:|
27
-
| Standard file shares (GPv2), LRS/ZRS |||
28
-
| Standard file shares (GPv2), GRS/GZRS |||
To regenerate and rotate the password of the AD principal that represents the storage account, use the `Update-AzStorageAccountADObjectPassword` cmdlet from the [AzFilesHybrid module](https://github.com/Azure-Samples/azure-files-samples/releases). To execute `Update-AzStorageAccountADObjectPassword`, you must:
32
35
33
-
You can run the `Update-AzStorageAccountADObjectPassword` cmdlet from the [AzFilesHybrid module](https://github.com/Azure-Samples/azure-files-samples/releases). You must run this command in an on-premises AD DS-joined environment by a [hybrid identity](../../active-directory/hybrid/whatis-hybrid-identity.md) with owner permission to the storage account and AD DS permissions to change the password of the identity representing the storage account. The command performs actions similar to storage account key rotation. Specifically, it gets the second Kerberos key of the storage account and uses it to update the password of the registered account in AD DS. Then it regenerates the target Kerberos key of the storage account and updates the password of the registered account in AD DS.
36
+
- Run the cmdlet from a domain joined client.
37
+
- Have the owner permission on the storage account.
38
+
- Have AD DS permissions to change the password of the AD principal that represents the storage account.
34
39
35
40
```PowerShell
36
41
# Update the password of the AD DS account registered for the storage account
This action will change the password for the AD object from kerb1 to kerb2. This is intended to be a two-stage process: rotate from kerb1 to kerb2 (kerb2 will be regenerated on the storage account before being set), wait several hours, and then rotate back to kerb1 (this cmdlet will likewise regenerate kerb1).
49
+
After you rotate to kerb2, we recommend waiting several hours and using `Update-AzStorageAccountADObjectPassword` cmdlet again regenerate and rotate back to kerb1, such that both Kerberos keys are regenerated.
45
50
46
51
## Option 2: Use Active Directory PowerShell
47
52
48
53
If you don't want to download the `AzFilesHybrid` module, you can use [Active Directory PowerShell](/powershell/module/activedirectory).
49
54
50
55
> [!IMPORTANT]
51
-
> The Windows Server Active Directory PowerShell cmdlets in this section must be run in Windows PowerShell 5.1 with elevated privileges. PowerShell 7.x and Azure Cloud Shell won't work in this scenario.
56
+
> The Windows Server Active Directory PowerShell cmdlets in this section must be run in Windows PowerShell 5.1 with elevated privileges.
52
57
53
-
Replace `<domain-object-identity>` in the following script with your value, then run the script to update your domain object password:
58
+
Replace `<domain-object-identity>` in the following script with the appropriate value for your environment:
54
59
55
60
```powershell
56
61
$KeyName = "kerb1" # Could be either the first or second kerberos key, this script assumes we're refreshing the first
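Review bot: replacing the paragraph about placing the storage account in a separate organizational unit and disabling Group Policy inheritance with "place the AD principal ... into an organizational unit that doesn't require password rotation" removes the mechanism and keeps only the goal; the old text told the reader how to stop default domain password policies from applying, the new sentence does not. Suggest keeping that guidance, for example "... into a separate organizational unit with Group Policy inheritance blocked, so the domain password policy isn't applied." The removed NOTE (service account passwords expire in AD, computer account passwords don't) is also worth retaining, because it tells the reader whether rotation applies to their principal at all. Three smaller points in the same hunk: the new prerequisite list says "Run the cmdlet from a domain joined client" (hyphenate as "domain-joined"), whereas the removed sentence required running it as a hybrid identity with owner permission on the storage account; if the hybrid identity requirement still holds, add it back as a bullet. The IMPORTANT note loses "PowerShell 7.x and Azure Cloud Shell won't work in this scenario" while storage-files-identity-auth-domain-services-enable.md in this same commit keeps that clause; either drop it in both or keep it here. And "using `Update-AzStorageAccountADObjectPassword` cmdlet again regenerate and rotate back to kerb1" should read "using the `Update-AzStorageAccountADObjectPassword` cmdlet again to regenerate and rotate back to kerb1".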
articles/storage/files/storage-files-identity-assign-share-level-permissions.md
Lines changed: 12 additions & 6 deletions
@@ -19,12 +19,18 @@ Once you've enabled an Active Directory (AD) source for your storage account, yo
19
19
> Full administrative control of a file share, including the ability to take ownership of a file, requires using the storage account key. Full administrative control isn't supported with identity-based authentication.
20
20
21
21
## Applies to
22
-
23
-
| File share type | SMB | NFS |
24
-
|-|:-:|:-:|
25
-
| Standard file shares (GPv2), LRS/ZRS |||
26
-
| Standard file shares (GPv2), GRS/GZRS |||
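Review bot: only the six removed lines of the "Applies to" table render here; the 12 added lines that the hunk header (`-19,12 +19,18`) and the file summary count are not visible, so the replacement can't be reviewed from this page. Please confirm the new content (presumably a shared include) preserves the SMB and NFS columns and the per-tier rows rather than dropping the table.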
articles/storage/files/storage-files-identity-auth-domain-services-enable.md
Lines changed: 13 additions & 7 deletions
@@ -26,12 +26,18 @@ If you're new to Azure Files, we recommend reading our [planning guide](storage-
26
26
> Azure Files supports authentication for Microsoft Entra Domain Services with full or partial (scoped) synchronization with Microsoft Entra ID. For environments with scoped synchronization present, administrators should be aware that Azure Files only honors Azure RBAC role assignments granted to principals that are synchronized. Role assignments granted to identities not synchronized from Microsoft Entra ID to Microsoft Entra Domain Services will be ignored by the Azure Files service.
27
27
28
28
## Applies to
29
-
30
-
| File share type | SMB | NFS |
31
-
|-|:-:|:-:|
32
-
| Standard file shares (GPv2), LRS/ZRS |||
33
-
| Standard file shares (GPv2), GRS/GZRS |||
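Review bot: same pattern as the share-level-permissions file: the removed "Applies to" rows are shown but the additions are not, so this hunk can't be verified here. Check that the replacement still lists SMB/NFS support for each share type.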
@@ -152,7 +158,7 @@ The action requires running an operation on the Active Directory domain that's m
152
158
> [!IMPORTANT]
153
159
> The Windows Server Active Directory PowerShell cmdlets in this section must be run in Windows PowerShell 5.1 from a client machine that's domain-joined to the Microsoft Entra Domain Services domain. PowerShell 7.x and Azure Cloud Shell won't work in this scenario.
154
160
155
-
Log into the domain-joined client machine as a Microsoft Entra Domain Services user with the required permissions. You must have write access to the `msDS-SupportedEncryptionTypes` attribute of the domain object. Typically, members of the **AAD DC Administrators** group will have the necessary permissions. Open a normal (non-elevated) PowerShell session and execute the following commands.
161
+
Log in to the domain-joined client machine as a Microsoft Entra Domain Services user with the required permissions. You must have write access to the `msDS-SupportedEncryptionTypes` attribute of the domain object. Typically, members of the **AAD DC Administrators** group will have the necessary permissions. Open a normal (non-elevated) PowerShell session and execute the following commands.
156
162
157
163
```powershell
158
164
# 1. Find the service account in your managed domain that represents the storage account.
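Review bot: "Log into" to "Log in to" is a correct fix. The unchanged IMPORTANT block above it keeps "PowerShell 7.x and Azure Cloud Shell won't work in this scenario", while this same commit removes that clause from the IMPORTANT note in storage-files-identity-ad-ds-update-password.md; the two articles should agree on whether that constraint is stated.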
articles/storage/files/storage-files-identity-auth-hybrid-cloud-trust.md
Lines changed: 12 additions & 6 deletions
@@ -18,12 +18,18 @@ In such scenarios, customers can enable Microsoft Entra Kerberos authentication
18
18
This article focuses on authenticating [hybrid user identities](../../active-directory/hybrid/whatis-hybrid-identity.md), which are on-premises AD DS identities that are synced to Microsoft Entra ID using either [Microsoft Entra Connect](../../active-directory/hybrid/whatis-azure-ad-connect.md) or [Microsoft Entra Connect cloud sync](../../active-directory/cloud-sync/what-is-cloud-sync.md). **Cloud-only identities aren't currently supported for Azure Files**.
19
19
20
20
## Applies to
21
-
22
-
| File share type | SMB | NFS |
23
-
|-|:-:|:-:|
24
-
| Standard file shares (GPv2), LRS/ZRS |||
25
-
| Standard file shares (GPv2), GRS/GZRS |||
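Review bot: the 12 additions in this hunk are not rendered, only the deleted table rows are, so the replacement content can't be checked from this page; confirm it carries the same SMB/NFS support matrix as the removed table.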
articles/storage/files/storage-files-identity-auth-hybrid-identities-enable.md
Lines changed: 12 additions & 6 deletions
@@ -21,12 +21,18 @@ For more information on supported options and considerations, see [Overview of A
21
21
> You can only use one AD method for identity-based authentication with Azure Files. If Microsoft Entra Kerberos authentication for hybrid identities doesn't fit your requirements, you might be able to use [on-premises Active Directory Domain Service (AD DS)](storage-files-identity-ad-ds-overview.md) or [Microsoft Entra Domain Services](storage-files-identity-auth-domain-services-enable.md) instead. The configuration steps and supported scenarios are different for each method.
22
22
23
23
## Applies to
24
-
25
-
| File share type | SMB | NFS |
26
-
|-|:-:|:-:|
27
-
| Standard file shares (GPv2), LRS/ZRS |||
28
-
| Standard file shares (GPv2), GRS/GZRS |||
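Review bot: as with the other "Applies to" hunks in this commit, only the deletions are visible and the 12 additions are not, so please verify the replacement keeps the table content for each file share type before merging.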